Fix issue when reading *IMAGE_URL / *IMAGE_DIGEST type hint results w…

…hen two or more tasks/steps are using the same prefix.
tektoncd · May 22, 2024 · 7a1ee59 · 7a1ee59
1 parent e72c6e7
commit 7a1ee59
Show file tree

Hide file tree

Showing 5 changed files with 298 additions and 135 deletions.
diff --git a/pkg/artifacts/signable.go b/pkg/artifacts/signable.go
@@ -299,14 +299,7 @@ func ExtractStructuredTargetFromResults(ctx context.Context, objResults []object
 	}
 
 	// TODO(#592): support structured results using Run
-	results := []objects.Result{}
 	for _, res := range objResults {
-		results = append(results, objects.Result{
-			Name:  res.Name,
-			Value: res.Value,
-		})
-	}
-	for _, res := range results {
 		if strings.HasSuffix(res.Name, categoryMarker) {
 			valid, err := isStructuredResult(res, categoryMarker)
 			if err != nil {

diff --git a/pkg/chains/formats/slsa/v2alpha4/internal/pipelinerun/pipelinerun.go b/pkg/chains/formats/slsa/v2alpha4/internal/pipelinerun/pipelinerun.go
@@ -51,23 +51,18 @@ func GenerateAttestation(ctx context.Context, pro *objects.PipelineRunObjectV1,
 	return provenance.GetSLSA1Statement(pro, sub, &bd, bp, slsaconfig)
 }
 
-// byproducts contains the pipelineRunResults
+// byproducts contains the pipelineRunResults that are not subjects.
 func byproducts(pro *objects.PipelineRunObjectV1, slsaconfig *slsaconfig.SlsaConfig) ([]*intoto.ResourceDescriptor, error) {
-	byProd := []*intoto.ResourceDescriptor{}
-
-	res, err := results.GetResultsWithoutBuildArtifacts(pro.GetResults(), pipelineRunResults)
+	byProd, err := results.GetResultsWithoutBuildArtifacts(pro.GetResults(), pipelineRunResults)
 	if err != nil {
 		return nil, err
 	}
-	byProd = append(byProd, res...)
 
 	if !slsaconfig.DeepInspectionEnabled {
 		return byProd, nil
 	}
 
-	tros := pro.GetExecutedTasks()
-
-	for _, tro := range tros {
+	for _, tro := range pro.GetExecutedTasks() {
 		taskProds, err := taskrun.ByProducts(tro)
 		if err != nil {
 			return nil, err
@@ -79,11 +74,15 @@ func byproducts(pro *objects.PipelineRunObjectV1, slsaconfig *slsaconfig.SlsaCon
 }
 
 func subjectDigests(ctx context.Context, pro *objects.PipelineRunObjectV1, slsaconfig *slsaconfig.SlsaConfig) []*intoto.ResourceDescriptor {
-	results := pro.GetResults()
+	subjects := extract.SubjectsFromBuildArtifact(ctx, pro.GetResults())
+
+	if !slsaconfig.DeepInspectionEnabled {
+		return subjects
+	}
 
-	if slsaconfig.DeepInspectionEnabled {
-		results = append(results, pro.GetTaskAndStepResults()...)
+	for _, task := range pro.GetExecutedTasks() {
+		subjects = append(subjects, taskrun.SubjectDigests(ctx, task)...)
 	}
 
-	return extract.SubjectsFromBuildArtifact(ctx, results)
+	return subjects
 }