[bug] Generic generator: provenance filename includes subject's subdirectory #1225
Comments
pnacht
added
status:triage
|
@ianlewis @laurentsimon do you think we should clarify document here and punt to the next release or try to get in for this one? |
|
I think we can fix it for the next release unless we think it has security implications. |
|
Pushing a PR |
ianlewis
added
area:go
|
Thanks. This also seems to affect the Go builder: #1226 (comment) We'll need to do a separate PR for that. |
Currently there is only one provenance file written for multiple subjects so the default is to call it |
|
#1226 fixes the generic workflow, but fixing Go workflow is still outstanding. |
ianlewis
added
status:help wanted
|
Actually, I'll close this as fixed in #1226 and create a new issue for the Go workflow. |
Describe the bug
If a subject is created within a subdirectory (i.e.
./target/foo.jar) and hashes computed and stored from the root, the provenance generator attempts to create the provenance as./target/foo.jar.intoto.jsonl, which fails since./targetno longer exists in the provenance job.To Reproduce
See workflow: https://github.com/pnacht/jackson-core/blob/d6d0af665a0c9d842b07e4468a75d2b59828df99/.github/workflows/main.yml
And failed job: https://github.com/pnacht/jackson-core/actions/runs/3431333783/jobs/5720700225
It successfully builds
./target/jackson-core-2.14.0-SNAPSHOT.jarbut then the provenance job throws:Expected behavior
The provenance should be generated successfully.
Additional context
@asraa suggested I generate the hashes within
./targetinstead of the root. I will try this later.The text was updated successfully, but these errors were encountered: