Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/golangci-lint.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -39,4 +39,4 @@ jobs:
- name: Run golangci-lint
uses: golangci/golangci-lint-action@ba0d7d2ec06a0ea1cb5fa41b2e4a3ab91d21278a # v9.3.0
with:
version: v2.11
version: v2.12
5 changes: 4 additions & 1 deletion .golangci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ linters:
- godox
- goheader
- gomoddirectives
- gomodguard
- gomodguard_v2
- goprintffuncname
- gosec
- gosmopolitan
Expand Down Expand Up @@ -110,6 +110,9 @@ linters:
- zerologlint

settings:
goconst:
# Repeated literals in table driven tests don't warrant constants.
ignore-tests: true
gocyclo:
min-complexity: 35
godox:
Expand Down
15 changes: 9 additions & 6 deletions internal/cmd/audit.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,31 +23,34 @@ const (
const (
statusPassed = "passed"
statusFailed = "failed"

auditModeBasicName = "basic"
auditModeFullName = "full"
)

// Enable audit mode enum
// String is used both by fmt.Print and by Cobra in help text
func (e *AuditMode) String() string {
switch *e {
case AuditModeBasic:
return "basic"
return auditModeBasicName
case AuditModeFull:
return "full"
return auditModeFullName
}
return "error"
}

// Set must have pointer receiver so it doesn't change the value of a copy
func (e *AuditMode) Set(v string) error {
switch v {
case "basic":
case auditModeBasicName:
*e = AuditModeBasic
return nil
case "full":
case auditModeFullName:
*e = AuditModeFull
return nil
default:
return errors.New(`must be one of "foo", "bar", or "moo"`)
return fmt.Errorf("must be one of %q or %q", auditModeBasicName, auditModeFullName)
}
}

Expand Down Expand Up @@ -119,7 +122,7 @@ func addAudit(parentCmd *cobra.Command) {
opts := &auditOpts{}
auditCmd := &cobra.Command{
Use: "audit",
GroupID: "verification",
GroupID: cmdGroupVerification,
Short: "Verifies multiple commits in the branch history",
Long: `Checks the revisions on the specified branch within the repository.

Expand Down
2 changes: 1 addition & 1 deletion internal/cmd/auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ var colorHiRed = color.New(color.FgHiRed).SprintFunc()

func addAuth(parentCmd *cobra.Command) {
authCmd := &cobra.Command{
GroupID: "configuration",
GroupID: cmdGroupConfiguration,
Short: "Manage user authentication",
Use: "auth",
SilenceUsage: false,
Expand Down
2 changes: 1 addition & 1 deletion internal/cmd/checklevel.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ func addCheckLevel(parentCmd *cobra.Command) {

checklevelCmd := &cobra.Command{
Use: "checklevel",
GroupID: "assessment",
GroupID: cmdGroupAssessment,
Short: "Determines the SLSA Source Level of the repo",
Long: `Determines the SLSA Source Level of the repo.

Expand Down
2 changes: 1 addition & 1 deletion internal/cmd/checklevelprov.go
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,7 @@ func addCheckLevelProv(parentCmd *cobra.Command) {

checklevelprovCmd := &cobra.Command{
Use: "checklevelprov",
GroupID: "assessment",
GroupID: cmdGroupAssessment,
Example: `sourcetool checklevelprov owner/repo --push=note`,
Short: "Checks the given commit against policy using & creating provenance",
Long: `Checks the given commit against policy using & creating provenance.
Expand Down
2 changes: 1 addition & 1 deletion internal/cmd/checktag.go
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ func addCheckTag(parentCmd *cobra.Command) {

checktagCmd := &cobra.Command{
Use: "checktag",
GroupID: "assessment",
GroupID: cmdGroupAssessment,
Short: "Checks to see if the tag operation should be allowed and issues a VSA",
PreRunE: func(cmd *cobra.Command, args []string) error {
if len(args) > 0 {
Expand Down
2 changes: 1 addition & 1 deletion internal/cmd/createpolicy.go
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ func addCreatePolicy(parentCmd *cobra.Command) {

createpolicyCmd := &cobra.Command{
Use: "createpolicy",
GroupID: "policy",
GroupID: cmdGroupPolicy,
Short: "Creates a policy in a local copy of source-policies",
Long: `Creates a SLSA source policy in a local copy of source-policies.

Expand Down
2 changes: 1 addition & 1 deletion internal/cmd/policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ func (pco *policyCreateOpts) AddFlags(cmd *cobra.Command) {

func addPolicy(parentCmd *cobra.Command) {
policyCmd := &cobra.Command{
GroupID: "policy",
GroupID: cmdGroupPolicy,
Short: "tools to work with source policies",
Long: fmt.Sprintf(`
%s %s
Expand Down
2 changes: 1 addition & 1 deletion internal/cmd/prov.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ func addProv(parentCmd *cobra.Command) {
opts := provOptions{}
provCmd := &cobra.Command{
Use: "prov",
GroupID: "assessment",
GroupID: cmdGroupAssessment,
Short: "Creates provenance for the given commit, but does not check policy.",
PreRunE: func(cmd *cobra.Command, args []string) error {
if len(args) > 0 {
Expand Down
25 changes: 11 additions & 14 deletions internal/cmd/root.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,16 +15,13 @@ import (

var githubToken string

// func getVerifier(vo *verifierOptions) attest.Verifier {
// options := attest.DefaultVerifierOptions
// if vo.expectedIssuer != "" {
// options.ExpectedIssuer = vo.expectedIssuer
// }
// if vo.expectedSan != "" {
// options.ExpectedSan = vo.expectedSan
// }
// return attest.NewBndVerifier(options)
// }
// Command group IDs used to organize the subcommands in the help screen.
const (
cmdGroupVerification = "verification"
cmdGroupAssessment = "assessment"
cmdGroupPolicy = "policy"
cmdGroupConfiguration = "configuration"
)

// exitError wraps an error together with an exit code so commands can
// signal other failuresdistinct from a generic failure (exit 1).
Expand Down Expand Up @@ -58,19 +55,19 @@ controls and much more.
// Define command groups for better organization
rootCmd.AddGroup(
&cobra.Group{
ID: "verification",
ID: cmdGroupVerification,
Title: "Verification Commands:",
},
&cobra.Group{
ID: "assessment",
ID: cmdGroupAssessment,
Title: "Assessment Commands:",
},
&cobra.Group{
ID: "policy",
ID: cmdGroupPolicy,
Title: "Policy Commands:",
},
&cobra.Group{
ID: "configuration",
ID: cmdGroupConfiguration,
Title: "Configuration & Setup Commands:",
},
)
Expand Down
2 changes: 1 addition & 1 deletion internal/cmd/setup.go
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ func (so *setupOpts) Validate() error {

func addSetup(parentCmd *cobra.Command) {
setupCmd := &cobra.Command{
GroupID: "configuration",
GroupID: cmdGroupConfiguration,
Short: "configure SLSA source features in a repository",
Long: fmt.Sprintf(`
%s %s
Expand Down
2 changes: 1 addition & 1 deletion internal/cmd/status.go
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ func (so *statusOptions) AddFlags(cmd *cobra.Command) {
func addStatus(parentCmd *cobra.Command) {
opts := &statusOptions{}
statusCmd := &cobra.Command{
GroupID: "assessment",
GroupID: cmdGroupAssessment,
Short: "Check the SLSA Source status of a repo/branch",
Long: `
sourcetool status: Check the SLSA Source status of a repo/branch
Expand Down
12 changes: 9 additions & 3 deletions internal/cmd/verifycommit.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,12 @@ type verifyCommitOptions struct {
revisionOpts
}

// Ref types reported in the verification results
const (
refTypeBranch = "branch"
refTypeTag = "tag"
)

// VerifyCommitResult represents the result of a commit verification
type VerifyCommitResult struct {
Success bool `json:"success"`
Expand Down Expand Up @@ -58,7 +64,7 @@ func addVerifyCommit(cmd *cobra.Command) {
opts := verifyCommitOptions{}
verifyCommitCmd := &cobra.Command{
Use: "verifycommit",
GroupID: "verification",
GroupID: cmdGroupVerification,
Short: "Verifies the specified commit is valid",
PreRunE: func(cmd *cobra.Command, args []string) error {
if len(args) > 0 {
Expand Down Expand Up @@ -101,10 +107,10 @@ func addVerifyCommit(cmd *cobra.Command) {
var refName string
switch {
case opts.branch != "":
refType = "branch"
refType = refTypeBranch
refName = opts.branch
case opts.tag != "":
refType = "tag"
refType = refTypeTag
refName = opts.tag
default:
return fmt.Errorf("must specify either branch or tag")
Expand Down
2 changes: 1 addition & 1 deletion pkg/attest/attester.go
Original file line number Diff line number Diff line change
Expand Up @@ -206,7 +206,7 @@ func addPredToStatement(provPred proto.Message, predicateType, commit string) (*
}

sub := []*intoto.ResourceDescriptor{{
Digest: map[string]string{"gitCommit": commit},
Digest: map[string]string{models.DigestTypeGitCommit: commit},
}}

var predPb structpb.Struct
Expand Down
4 changes: 2 additions & 2 deletions pkg/attest/statement.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,12 +48,12 @@ func GetSubjectForCommit(att attestation.Envelope, commit *models.Commit) *intot
if !ok {
continue
}
val, ok := rd.GetDigest()["gitCommit"]
val, ok := rd.GetDigest()[models.DigestTypeGitCommit]
if ok && val == commit.SHA {
return rd
}

if val, ok = rd.GetDigest()["sha1"]; ok && val == commit.SHA {
if val, ok = rd.GetDigest()[models.DigestTypeSha1]; ok && val == commit.SHA {
fromSha = rd
}
}
Expand Down
2 changes: 1 addition & 1 deletion pkg/attest/vsa.go
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ func createUnsignedSourceVsaAllParams(branch *models.Branch, commit *models.Comm
return "", fmt.Errorf("creating struct from map: %w", err)
}
sub := []*spb.ResourceDescriptor{{
Digest: map[string]string{"gitCommit": commit.SHA},
Digest: map[string]string{models.DigestTypeGitCommit: commit.SHA},
Annotations: annotationStruct,
}}

Expand Down
8 changes: 6 additions & 2 deletions pkg/policy/policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,10 @@ const (
SourcePolicyUri = "github.com/slsa-framework/source-policies"
SourcePolicyRepoOwner = "slsa-framework"
SourcePolicyRepo = "source-policies"

// DefaultPolicyPath is the policy path reported when a branch is
// evaluated using the default policy.
DefaultPolicyPath = "DEFAULT"
)

// Returns the policy for the branch or nil if the branch doesn't have one.
Expand Down Expand Up @@ -635,7 +639,7 @@ func (pe *PolicyEvaluator) EvaluateControl(ctx context.Context, repo *models.Rep
branchPolicy := rp.GetBranchPolicy(branch.Name)
if branchPolicy == nil {
branchPolicy = createDefaultBranchPolicy(branch)
policyPath = "DEFAULT"
policyPath = DefaultPolicyPath
}

if controlStatus.Time.Before(branchPolicy.GetSince().AsTime()) {
Expand Down Expand Up @@ -675,7 +679,7 @@ func (pe *PolicyEvaluator) EvaluateSourceProv(ctx context.Context, repo *models.
branchPolicy := rp.GetBranchPolicy(branch.Name)
if branchPolicy == nil {
branchPolicy = createDefaultBranchPolicy(branch)
policyPath = "DEFAULT"
policyPath = DefaultPolicyPath
}

verifiedLevels, shortfall, err := evaluateBranchControls(branchPolicy, rp.GetProtectedTag(), slsa.NewControlSetFromProvanenaceControls(provPred.GetControls()))
Expand Down
6 changes: 3 additions & 3 deletions pkg/sourcetool/implementation.go
Original file line number Diff line number Diff line change
Expand Up @@ -119,7 +119,7 @@ func (impl *defaultToolImplementation) CreatePolicyPR(a *auth.Authenticator, opt
}

policyRepo := &models.Repository{
Hostname: "github.com",
Hostname: githubHostname,
Path: fmt.Sprintf("%s/%s", policyRepoOwner, policyRepoName),
DefaultBranch: "main",
}
Expand Down Expand Up @@ -163,7 +163,7 @@ func (impl *defaultToolImplementation) CheckForks(opts *options.Options) error {
func (impl *defaultToolImplementation) CheckPolicyFork(opts *options.Options) error {
manager := repo.NewPullRequestManager()
if _, err := manager.CheckFork(&models.Repository{
Hostname: "github.com", Path: opts.PolicyRepo,
Hostname: githubHostname, Path: opts.PolicyRepo,
}, ""); err != nil {
return err
}
Expand Down Expand Up @@ -248,7 +248,7 @@ func (impl *defaultToolImplementation) GetPolicyStatus(

host := r.Hostname
if host == "" {
host = "github.com"
host = githubHostname
}
prNr, err := impl.SearchPullRequest(ctx, a, &models.Repository{
Hostname: host,
Expand Down
8 changes: 7 additions & 1 deletion pkg/sourcetool/models/models.go
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,12 @@ const (
CONFIG_TAG_RULES ControlConfiguration = "CONFIG_TAG_RULES"
)

// Digest algorithm names used in attestation subjects
const (
DigestTypeGitCommit = "gitCommit"
DigestTypeSha1 = "sha1"
)

type Commit struct {
SHA string
Author string
Expand Down Expand Up @@ -101,7 +107,7 @@ func (c *Commit) GetCommit() *Commit {
func (c *Commit) ToResourceDescriptor() *attestation.ResourceDescriptor {
return &attestation.ResourceDescriptor{
Digest: map[string]string{
"sha1": c.SHA, "gitCommit": c.SHA,
DigestTypeSha1: c.SHA, DigestTypeGitCommit: c.SHA,
},
}
}
Expand Down
5 changes: 4 additions & 1 deletion pkg/sourcetool/tool.go
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,9 @@ var ControlConfigurations = []models.ControlConfiguration{
models.CONFIG_POLICY, models.CONFIG_GEN_PROVENANCE, models.CONFIG_BRANCH_RULES, models.CONFIG_TAG_RULES,
}

// githubHostname is the hostname of the VCS system sourcetool supports (for now)
const githubHostname = "github.com"

// New initializes a new source tool instance.
func New(funcs ...ConfigFn) (*Tool, error) {
t := &Tool{
Expand Down Expand Up @@ -194,7 +197,7 @@ func (t *Tool) FindPolicyPR(ctx context.Context, repo *models.Repository) (*mode
}

pr, err := t.impl.SearchPullRequest(ctx, t.Authenticator, &models.Repository{
Hostname: "github.com",
Hostname: githubHostname,
Path: fmt.Sprintf("%s/%s", policyRepoOwner, policyRepoRepo),
}, fmt.Sprintf("Add %s SLSA Source policy file", repo.Path))
if err != nil {
Expand Down
Loading