Add attestor options

Signed-off-by: John Kjell <john@testifysec.com>
testifysec · Jun 16, 2024 · 41c2e29 · 41c2e29
1 parent 23e259b
commit 41c2e29
Show file tree

Hide file tree

Showing 5 changed files with 86 additions and 42 deletions.
diff --git a/.github/workflows/test_action.yml b/.github/workflows/test_action.yml
@@ -23,3 +23,4 @@ jobs:
           enable-sigstore: true
           enable-archivista: true
           attestations: environment git github slsa
+          attestor-slsa-export: true
diff --git a/action.yml b/action.yml
@@ -9,6 +9,21 @@ inputs:
     description: "Attestations to record"
     required: false
     default: "environment git github"
+  attestor-link-export:
+    description: "Export the attestor link predicate in its own attestation"
+    required: false
+    default: "false"
+  attestor-maven-pom-path:
+    description: "Path to the Maven POM file"
+    required: false
+  attestor-sbom-export:
+    description: "Export the SBOM predicate in its own attestation"
+    required: false
+    default: "false"
+  attestor-slsa-export:
+    description: "Export the SLSA predicate in its own attestation"
+    required: false
+    default: "false"
   enable-sigstore:
     description: 'Use Sigstore for attestation'
     required: false
@@ -66,7 +81,7 @@ inputs:
   version:
     description: "Version of Witness CLI"
     required: false
-    default: "0.4.0-beta"
+    default: "0.5.2"
   workingdir:
     description: "Directory from which commands will run"
     required: false

diff --git a/dist/index.js b/dist/index.js
@@ -30533,6 +30533,11 @@ async function run() {
   const enableSigstore = core.getInput("enable-sigstore") === "true";
   const command = core.getInput("command");
 
+  const exportLink = core.getInput("attestor-link-export") === "true";
+  const exportSBOM = core.getInput("attestor-sbom-export") === "true";
+  const exportSLSA = core.getInput("attestor-slsa-export") === "true";
+  const mavenPOM = core.getInput("attestor-maven-pom-path");
+
   const cmd = ["run"];
 
   if (enableSigstore) {
@@ -30552,6 +30557,12 @@ async function run() {
     });
   }
 
+  if (exportLink) cmd.push(`--attestor-link-export`);
+  if (exportSBOM) cmd.push(`--attestor-sbom-export`);
+  if (exportSLSA) cmd.push(`--attestor-slsa-export`);
+
+  if (mavenPOM) cmd.push(`--attestor-maven-pom-path=${mavenPOM}`);
+
   if (certificate) cmd.push(`--certificate=${certificate}`);
   if (enableArchivista) cmd.push(`--enable-archivista=${enableArchivista}`);
   if (fulcio) cmd.push(`--signer-fulcio-url=${fulcio}`);
@@ -30618,63 +30629,68 @@ async function run() {
     },
   });
 
-  // Find the Git OID from the output
-  const gitOID = extractDesiredGitOID(output);
-  console.log("Extracted Git OID:", gitOID);
+  // Find the GitOID from the output
+  const gitOIDs = extractDesiredGitOIDs(output);
 
-  // Print the Git OID to the output
-  core.setOutput("git_oid", gitOID);
+  for (const gitOID of gitOIDs) {
+    console.log("Extracted GitOID:", gitOID);
 
-  // Construct the artifact URL using Archivista server and Git OID
-  const artifactURL = `${archivistaServer}/download/${gitOID}`;
+    // Print the GitOID to the output
+    core.setOutput("git_oid", gitOID);
 
-  // Add Job Summary with Markdown content
-  const summaryHeader = `
-## Attestations Created
-| Step | Attestors Run | Attentation OID
-| --- | --- | --- |
-`;
+    // Construct the artifact URL using Archivista server and GitOID
+    const artifactURL = `${archivistaServer}/download/${gitOID}`;
 
-  // Read the contents of the file
-  const summaryFile = fs.readFileSync(process.env.GITHUB_STEP_SUMMARY, {
-    encoding: "utf-8",
-  });
+    // Add Job Summary with Markdown content
+    const summaryHeader = `
+  ## Attestations Created
+  | Step | Attestors Run | Attestation GitOID
+  | --- | --- | --- |
+  `;
 
-  // Check if the file contains the header
-  const headerExists = summaryFile.includes(summaryHeader.trim());
+    // Read the contents of the file
+    const summaryFile = fs.readFileSync(process.env.GITHUB_STEP_SUMMARY, {
+      encoding: "utf-8",
+    });
 
-  // If the header does not exist, append it to the file
-  if (!headerExists) {
-    fs.appendFileSync(process.env.GITHUB_STEP_SUMMARY, summaryHeader);
-  }
+    // Check if the file contains the header
+    const headerExists = summaryFile.includes(summaryHeader.trim());
 
-  // Construct the table row for the current step
-  const tableRow = `| ${step} | ${attestations.join(
-    ", "
-  )} | [${gitOID}](${artifactURL}) |\n`;
+    // If the header does not exist, append it to the file
+    if (!headerExists) {
+      fs.appendFileSync(process.env.GITHUB_STEP_SUMMARY, summaryHeader);
+    }
 
-  // Append the table row to the file
-  fs.appendFileSync(process.env.GITHUB_STEP_SUMMARY, tableRow);
+    // Construct the table row for the current step
+    const tableRow = `| ${step} | ${attestations.join(
+      ", "
+    )} | [${gitOID}](${artifactURL}) |\n`;
 
+    // Append the table row to the file
+    fs.appendFileSync(process.env.GITHUB_STEP_SUMMARY, tableRow);
+  }
   exit(0);
 }
 
-function extractDesiredGitOID(output) {
+function extractDesiredGitOIDs(output) {
   const lines = output.split("\n");
   const desiredSubstring = "Stored in archivista as ";
 
-  console.log("Looking for Git OID in the output")
+  const matchArray = [];
+  console.log("Looking for GitOID in the output")
   for (const line of lines) {
     const startIndex = line.indexOf(desiredSubstring);
     if (startIndex !== -1) {
       console.log("Checking line: ", line)
       const match = line.match(/[0-9a-fA-F]{64}/);
       if (match) {
-        console.log("Found Git OID: ", match[0])
-        return match[0];
+        console.log("Found GitOID: ", match[0])
+        matchArray.push(match[0]);
       }
     }
   }
+
+  return matchArray;
 }
 
 run();

diff --git a/index.js b/index.js
@@ -60,6 +60,11 @@ async function run() {
   const enableSigstore = core.getInput("enable-sigstore") === "true";
   const command = core.getInput("command");
 
+  const exportLink = core.getInput("attestor-link-export") === "true";
+  const exportSBOM = core.getInput("attestor-sbom-export") === "true";
+  const exportSLSA = core.getInput("attestor-slsa-export") === "true";
+  const mavenPOM = core.getInput("attestor-maven-pom-path");
+
   const cmd = ["run"];
 
   if (enableSigstore) {
@@ -79,6 +84,12 @@ async function run() {
     });
   }
 
+  if (exportLink) cmd.push(`--attestor-link-export`);
+  if (exportSBOM) cmd.push(`--attestor-sbom-export`);
+  if (exportSLSA) cmd.push(`--attestor-slsa-export`);
+
+  if (mavenPOM) cmd.push(`--attestor-maven-pom-path=${mavenPOM}`);
+
   if (certificate) cmd.push(`--certificate=${certificate}`);
   if (enableArchivista) cmd.push(`--enable-archivista=${enableArchivista}`);
   if (fulcio) cmd.push(`--signer-fulcio-url=${fulcio}`);
@@ -145,22 +156,22 @@ async function run() {
     },
   });
 
-  // Find the Git OID from the output
+  // Find the GitOID from the output
   const gitOIDs = extractDesiredGitOIDs(output);
 
   for (const gitOID of gitOIDs) {
-    console.log("Extracted Git OID:", gitOID);
+    console.log("Extracted GitOID:", gitOID);
 
-    // Print the Git OID to the output
+    // Print the GitOID to the output
     core.setOutput("git_oid", gitOID);
 
-    // Construct the artifact URL using Archivista server and Git OID
+    // Construct the artifact URL using Archivista server and GitOID
     const artifactURL = `${archivistaServer}/download/${gitOID}`;
 
     // Add Job Summary with Markdown content
     const summaryHeader = `
   ## Attestations Created
-  | Step | Attestors Run | Attentation OID
+  | Step | Attestors Run | Attestation GitOID
   | --- | --- | --- |
   `;
 
@@ -193,14 +204,14 @@ function extractDesiredGitOIDs(output) {
   const desiredSubstring = "Stored in archivista as ";
 
   const matchArray = [];
-  console.log("Looking for Git OID in the output")
+  console.log("Looking for GitOID in the output")
   for (const line of lines) {
     const startIndex = line.indexOf(desiredSubstring);
     if (startIndex !== -1) {
       console.log("Checking line: ", line)
       const match = line.match(/[0-9a-fA-F]{64}/);
       if (match) {
-        console.log("Found Git OID: ", match[0])
+        console.log("Found GitOID: ", match[0])
         matchArray.push(match[0]);
       }
     }

diff --git a/package.json b/package.json
@@ -3,7 +3,8 @@
     "version": "1.0.0",
     "main": "index.js",
     "scripts": {
-      "test": "echo \"Error: no test specified\" && exit 1"
+      "test": "echo \"Error: no test specified\" && exit 1",
+      "build": "ncc build index.js --license licenses.txt"
     },
     "keywords": [],
     "author": "",