added ite6 processor with unit tests #39
Conversation
pkg/handler/processor/ite6/ite6.go
case string(slsaPredicateType):
doc = &processor.Document{
Blob: predicatePayload,
Type: processor.DocumentSLSA,
Hmm, I think this is a point of discussion: is DocumentSLSA the entire in-toto JSON or the contents of the predicate? This does make sense, but also the SLSA provenance definition is based on the entire document as well (https://slsa.dev/provenance/v0.2).
Right. Should it be the whole provenance or just the predicate was the question.
I have some thoughts around this. Hard to type out. In the graph it might make sense because we establish the relationship through edges anyway.
Also FWIW, folks have recognized that the SLSA stuff is a bit backwards. We should be separating provenance from the in-toto wrapper, otherwise we end up with situations where we make it difficult to have composite types.
I think the tricky part here though is that some of the information is missing as a standalone predicate payload - i.e. the subject will not be available. Which makes me want to tend towards having SLSA be the entire ITE6, for ease of implementation initially.
Isn't that why the doc tree was created? This would be similar to the DSSE processor where we just store the payload, losing the signature information.
I think the main motivation was more for trust validation to simplify the processor.
This makes the ingestor less modular since a SLSA document ingestor now needs to somehow feed information from the parent node - which may or may not exist. Then some kind of map would need to be passed down but figuring out if a field was from the parent or previous ancestors would need to be considered as well.
I guess the question would be if a document (minus trust validation) should be self contained. Like SBOMs describe the subject within itself through an identifier. Should SLSA also duplicate that information within its predicate payload?
…On Sat, Aug 27, 2022, 7:48 AM Parth Patel ***@***.***> wrote:
In pkg/handler/processor/ite6/ite6.go
<#39 (comment)>:
> + }
+
+ statement, err := parseStatement(i.Blob)
+ if err != nil {
+ return nil, err
+ }
+ var doc *processor.Document
+ predicatePayload, err := getPredicate(statement)
+ if err != nil {
+ return nil, err
+ }
+ switch pt := statement.PredicateType; pt {
+ case string(slsaPredicateType):
+ doc = &processor.Document{
+ Blob: predicatePayload,
+ Type: processor.DocumentSLSA,
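Review bot: in the `case string(slsaPredicateType):` branch only `predicatePayload` goes into `Blob`, so the statement's `subject` (and its `_type`/`predicateType`) are not carried into the emitted `DocumentSLSA`; if a downstream ingestor needs the subject on its own, either store the full statement bytes (`i.Blob`) in the SLSA document or record the subject alongside it, and state in the `Unpack` doc comment which of the two `DocumentSLSA` means. The switch also matches `string(slsaPredicateType)` exactly, so a statement carrying any other SLSA provenance version URI will not take this branch; a comment naming the supported version would make that explicit.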
Yeah. Might be worthwhile to get @SantiagoTorres thoughts on it? When unpacking documents we're always going to lose something.
There are a few different approaches here though.
I think I still prefer 2, because of the proposed changes to sigstore with bundles that would allow multiple things.
Documenting what was discussed during our conversation: We agreed that in the long term, the ingestor would need to have a way to communicate information up/down the tree in order to make edges and annotations between the elements of each node in the document tree. However, in the meantime, it would be simpler to assume that the information is all encapsulated within the same document. Thus, for now, we will have
and ingestor plugins for each that will be handled independently.
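The trade-off discussed above (a predicate-only blob loses the statement's subject, while keeping the whole statement leaves the document self-contained), as an added Go example that is not GUAC's own code: `Document` is a hypothetical stand-in for `processor.Document`, the `predicateOnly` switch exists only to show both options side by side, and the sample statement is constructed with a placeholder digest. Only the standard library is used.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Public type URIs from the in-toto attestation and SLSA provenance specs.
const (
	statementType     = "https://in-toto.io/Statement/v0.1"
	slsaPredicateType = "https://slsa.dev/provenance/v0.2"
)

// Subject is one entry of the statement's "subject" array.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Statement is the in-toto v0.1 envelope; Predicate stays raw so its bytes
// can be passed on without re-encoding.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// Document is a hypothetical stand-in for processor.Document.
type Document struct {
	Type string
	Blob []byte
}

// parseStatement decodes and sanity-checks an in-toto statement.
func parseStatement(blob []byte) (*Statement, error) {
	var s Statement
	if err := json.Unmarshal(blob, &s); err != nil {
		return nil, fmt.Errorf("not a JSON statement: %w", err)
	}
	if s.Type != statementType {
		return nil, fmt.Errorf("unexpected _type %q", s.Type)
	}
	if len(s.Subject) == 0 {
		return nil, fmt.Errorf("statement has no subject")
	}
	if len(s.Predicate) == 0 || string(s.Predicate) == "null" {
		return nil, fmt.Errorf("statement has no predicate")
	}
	return &s, nil
}

// Unpack emits the SLSA document either as the predicate bytes alone
// (predicateOnly, subject is lost) or as the whole statement (self-contained).
// Any other predicate type yields nil, nil: the statement is a leaf node.
func Unpack(blob []byte, predicateOnly bool) ([]Document, error) {
	s, err := parseStatement(blob)
	if err != nil {
		return nil, err
	}
	switch s.PredicateType {
	case slsaPredicateType:
		if predicateOnly {
			return []Document{{Type: "SLSA", Blob: s.Predicate}}, nil
		}
		return []Document{{Type: "SLSA", Blob: blob}}, nil
	default:
		return nil, nil
	}
}

// SubjectsOf lists the subject names an ingestor can recover from a document
// blob by itself; a predicate-only blob decodes cleanly but carries none.
func SubjectsOf(d Document) []string {
	var s Statement
	if err := json.Unmarshal(d.Blob, &s); err != nil {
		return nil
	}
	names := make([]string, 0, len(s.Subject))
	for _, sub := range s.Subject {
		names = append(names, sub.Name)
	}
	return names
}

// sampleStatement is a constructed statement; the digest is a placeholder.
const sampleStatement = `{
  "_type": "https://in-toto.io/Statement/v0.1",
  "subject": [{"name": "pkg/example:1.0", "digest": {"sha256": "<placeholder-digest>"}}],
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "predicate": {"builder": {"id": "https://builder.example/v1"},
                "buildType": "https://builder.example/build/v1", "materials": []}
}`

func main() {
	for _, predicateOnly := range []bool{true, false} {
		docs, err := Unpack([]byte(sampleStatement), predicateOnly)
		if err != nil {
			panic(err)
		}
		fmt.Printf("predicateOnly=%v -> subjects %v\n", predicateOnly, SubjectsOf(docs[0]))
	}
}
```

Running it prints an empty subject list for the predicate-only document and `[pkg/example:1.0]` for the whole-statement document, which is exactly the information gap the thread settled by keeping everything in one document for now.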
Force-pushed from 6cde0cd to feeb4d8
Signed-off-by: pxp928 <parth.psu@gmail.com>
Signed-off-by: pxp928 <parth.psu@gmail.com>
Signed-off-by: pxp928 <parth.psu@gmail.com>
Force-pushed from 02807f1 to e09d777
Updated based on the conversation. #53 to update for the future implementation.
// Unpack takes in the document and tries to unpack the provenance.
// if the predicate is of SLSA type the predicate is stored in the blob
func (e *ITE6Processor) Unpack(i *processor.Document) ([]*processor.Document, error) {
I think this just returns nil, nil
Unpack output of length 0 means that it is a leaf node. The guesser would be able to determine if it's SLSA or ITE6, so this should not be the case where a processor needs to relabel a document.
The guesser would be able to determine if its SLSA or ITE6 so this should not be the case where a processor needs to relabel a document.
In that case is the ITE6 Processor needed at all? Seems like it's not doing anything that the guesser isn't already doing.
Signed-off-by: pxp928 <parth.psu@gmail.com>
Force-pushed from 158ab8f to 59eaa17
lgtm
Signed-off-by: pxp928 parth.psu@gmail.com
Added ITE6 processor that will run and determine if the predicate type is SLSA and unpack the predicate. This will need to be replaced with runtime checks of the predicate such that we don't have to keep updating GUAC as new predicates become available.
Fixes: #36