Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure Provenance Material URIs for OCI sources are configured to use pkg:oci PURLs #3918

Merged
merged 5 commits into from
May 31, 2023
Merged

Ensure Provenance Material URIs for OCI sources are configured to use pkg:oci PURLs #3918

merged 5 commits into from
May 31, 2023

Conversation

jedevc
Copy link
Member

@jedevc jedevc commented May 30, 2023

Previously, OCI layout sources were being incorrectly recorded in the materials.

There were two main issues:

  • The URI was the docker reference, not a PURL. The line to do a PURL translation was being used as a no-op.
  • The image was being duplicated in the materials list. This was because we were not distinguishing between remote and local images in calls to ResolveImageConfig (which can take a ResolverType parameter to read from local oci stores).

Now locally loaded images are more reasonably recorded in the materials. See the added test.

@jedevc jedevc requested a review from tonistiigi May 30, 2023 11:54
tonistiigi
tonistiigi reviewed May 31, 2023
View reviewed changes
client/client_test.go Outdated
@@ -7564,7 +7565,7 @@ func testExportAttestations(t *testing.T, sb integration.Sandbox) {

purls := map[string]string{}
for _, k := range targets {
p, _ := purl.RefToPURL(k, &ps[i])
p, _ := purl.RefToPURL(packageurl.TypeDocker, k, &ps[i])
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it would be better if this used string constants instead. Otherwise we are running the same function both in implementation and in test.

So did these values actually change as well?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The values haven't changed, no, we just move the packageurl.TypeDocker from inside the function to outside the function.

I've changed these to string constants (still need a bit of printf magic) - I've put this commit at the start of the patch stack, and verified that the values stay constant with each patch.

@jedevc
tests: don't use purl code to test itself
371b3ae 
Signed-off-by: Justin Chadwell <me@jedevc.com>
@jedevc
purl: allow RefToPURL to take a type parameter
80ea813 
Signed-off-by: Justin Chadwell <me@jedevc.com>
@jedevc
solver: merge local and remote images into single list
ff5baa0 
This also allows us to specify that local images should be generated
with exactly the same specification as remote images, but with the
pkg:oci scheme instead of pkg:docker.

Signed-off-by: Justin Chadwell <me@jedevc.com>
@jedevc
solver: mark locally loaded images as such
667bb72 
Signed-off-by: Justin Chadwell <me@jedevc.com>
@jedevc
tests: add test to check url format for image loaded from oci layout
9bc425a 
Signed-off-by: Justin Chadwell <me@jedevc.com>
@tonistiigi tonistiigi merged commit bd366f8 into moby:master May 31, 2023
52 of 53 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tonistiigi tonistiigi tonistiigi approved these changes

Assignees
No one assigned
Labels
area/attestations
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jedevc @tonistiigi