[generic] fix attestation file creation when subject names are in subdirectories

[asraa]

Signed-off-by: Asra Ali asraa@google.com

Updates #1225

The generic SLSA 3 generator attests to subjects given as input and their digest. However, if the subject is in a sub-directory, then it will fail creating the attestation because the sub-directory doesn't exist.

This retrieves the Base for the subject name, instead of the full path name.
@ianlewis I could also have created the sub-directory, but that made a lot less sense to me.

[ianlewis]

Does the Go builder handle this ok? I guess it controls the subject's output location when it's compiled.

[asraa]

Does the Go builder handle this ok? I guess it controls the subject's output location when it's compiled.

Good call, checking on this. It doesn't currently enforce that even when setting the output from the config during dry run (it checks if it's under the current working directory, but even a sub-directory would count). Double-checking more.

[ianlewis]

Does the Go builder handle this ok? I guess it controls the subject's output location when it's compiled.

Good call, checking on this. It doesn't currently enforce that even when setting the output from the config during dry run (it checks if it's under the current working directory, but even a sub-directory would count). Double-checking more.

If it's an issue I can follow up later in my day today.

[asraa]

OK, I don't think so. The config could end up setting

binary: ./subdirectory/binary-{{ .Os }}-{{ .Arch }}

and this would be allowed, and would fail on CreateNewFileUnderCurrentDirectory

[ianlewis]

OK, I don't think so. The config could end up setting

binary: ./subdirectory/binary-{{ .Os }}-{{ .Arch }}

and this would be allowed, and would fail on CreateNewFileUnderCurrentDirectory

Yeah, lets go a separate PR for the Go builder.

[laurentsimon]

why not set a default value for the provenance file in https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_generic_slsa3.yml#L37?

We could also amend the doc to say it needs to be a top-level file.

[laurentsimon]

I think we may run into problems with the secure-upload-artifact Actions. They currently assume files are in the root folder, I think

[laurentsimon]

edit: we use the upload-artifact, not the secure one so my last comment is wrong

[ianlewis]

why not set a default value for the provenance file in https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_generic_slsa3.yml#L37?

I'd argue against this, if just for the fact that users would have to specify the input when the didn't before so it adds friction to upgrading and folks have complained previously about having to add new inputs.

[laurentsimon]

OK, I don't think so. The config could end up setting

binary: ./subdirectory/binary-{{ .Os }}-{{ .Arch }}

and this would be allowed, and would fail on CreateNewFileUnderCurrentDirectory

Yeah, lets go a separate PR for the Go builder.

Let's amend the doc to say the files don't support folders. I have not seen anyone need this feature when using Goreleaser.

[ianlewis]

Let's amend the doc to say the files don't support folders. I have not seen anyone need this feature when using Goreleaser.

I'd say it's reasonable to support it if goreleaser supports it, but we can prioritize it when someone complains.