adds attestors to provenance generation

l3montree-dev · Feb 9, 2025 · ca45795 · ca45795
1 parent bc8462b
commit ca45795
Show file tree

Hide file tree

Showing 3 changed files with 323 additions and 5 deletions.
diff --git a/cmd/devguard-scanner/commands/intoto/intoto_run.go b/cmd/devguard-scanner/commands/intoto/intoto_run.go
@@ -28,6 +28,11 @@ import (
 	"time"
 
 	"github.com/briandowns/spinner"
+	"github.com/in-toto/go-witness/attestation"
+	envAttestor "github.com/in-toto/go-witness/attestation/environment"
+	"github.com/in-toto/go-witness/attestation/git"
+	githubAttestor "github.com/in-toto/go-witness/attestation/github"
+	gitlabAttestor "github.com/in-toto/go-witness/attestation/gitlab"
 	toto "github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
 	slsa1 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1"
@@ -164,47 +169,134 @@ func NewInTotoRunCommand() *cobra.Command {
 				return err
 			}
 
-			mb, ok := metadata.(*toto.Metablock)
+			mb, ok := metadata.(*toto.Envelope)
 			if !ok {
 				return errors.New("failed to cast metadata to link")
 			}
 
-			link, ok := mb.Signed.(toto.Link)
+			link, ok := mb.GetPayload().(toto.Link)
 			if !ok {
 				return errors.New("failed to cast metadata to link")
 			}
 
 			subjects := make([]toto.Subject, 0, len(link.Products))
 			for productName, product := range link.Products {
+				digestSet := make(map[string]string)
+				for k, v := range product.(map[string]interface{}) {
+					digestSet[k] = v.(string)
+				}
+
 				subjects = append(subjects, toto.Subject{
 					Name:   productName,
-					Digest: common.DigestSet(product.(map[string]string)),
+					Digest: common.DigestSet(digestSet),
 				})
 			}
 
 			// map the materials to resolved dependencies
 			resolvedDependencies := make([]slsa1.ResourceDescriptor, 0, len(link.Materials))
 			for materialName, material := range link.Materials {
+				digestSet := make(map[string]string)
+				for k, v := range material.(map[string]interface{}) {
+					digestSet[k] = v.(string)
+				}
+
 				resolvedDependencies = append(resolvedDependencies, slsa1.ResourceDescriptor{
 					URI:    fmt.Sprintf("file://%s", materialName), // TODO: Replace with URI of the file in the gitlab repo. Need to get the repo URL from devguard - if set
-					Digest: common.DigestSet(material.(map[string]string)),
+					Digest: common.DigestSet(digestSet),
 				})
 			}
 
+			var attestors []attestation.Attestor = []attestation.Attestor{
+				gitlabAttestor.New(),
+				githubAttestor.New(),
+				envAttestor.New(),
+				git.New(),
+			}
+
+			attestationContext, err := attestation.NewContext(step, attestors)
+			if err != nil {
+				return errors.Wrap(err, "failed to create attestation context")
+			}
+
+			err = attestationContext.RunAttestors()
+			if err != nil {
+				return errors.Wrap(err, "failed to run attestation context")
+			}
+
+			// combine all attestors data into a single map
+			attestorData := make(map[string]any)
+			for _, attestor := range attestors {
+				var m map[string]any
+				b, err := json.Marshal(attestor)
+				if err != nil {
+					continue
+				}
+
+				err = json.Unmarshal(b, &m)
+				if err != nil {
+					continue
+				}
+
+				for k, v := range m {
+					switch v := v.(type) {
+					case string:
+						if v != "" {
+							attestorData[k] = v
+						}
+					default:
+						attestorData[k] = v
+					}
+				}
+			}
+
 			provenance := toto.ProvenanceStatementSLSA1{
 				StatementHeader: toto.StatementHeader{
 					Type:          toto.StatementInTotoV01,
 					PredicateType: slsa1.PredicateSLSAProvenance,
 					Subject:       subjects,
 				},
 				Predicate: slsa1.ProvenancePredicate{
+					RunDetails: slsa1.ProvenanceRunDetails{
+						Builder: slsa1.Builder{
+							ID: "devguard.org",
+						},
+					},
 					BuildDefinition: slsa1.ProvenanceBuildDefinition{
 						ResolvedDependencies: resolvedDependencies,
-						ExternalParameters:   map[string]interface{}{},
+						ExternalParameters:   attestorData,
 					},
 				},
 			}
 
+			// put the provenance into an envelope
+			provenanceEnvelope := toto.Envelope{}
+			err = provenanceEnvelope.SetPayload(provenance)
+			if err != nil {
+				return errors.Wrap(err, "failed to set payload")
+			}
+
+			err = provenanceEnvelope.Sign(key)
+			if err != nil {
+				return errors.Wrap(err, "failed to sign envelope")
+			}
+
+			err = provenanceEnvelope.Dump(fmt.Sprintf("%s.provenance.json", step))
+			if err != nil {
+				return errors.Wrap(err, "failed to dump envelope")
+			}
+
+			// write the provenance to a file
+			provenanceBytes, err := json.MarshalIndent(provenance, "", "  ")
+			if err != nil {
+				return errors.Wrap(err, "failed to marshal provenance")
+			}
+
+			err = os.WriteFile(fmt.Sprintf("%s.provenance.json", step), provenanceBytes, 0644) //nolint:gosec
+
+			if err != nil {
+				return errors.Wrap(err, "failed to write provenance file")
+			}
+
 			err = metadata.Sign(key)
 			if err != nil {
 				return errors.Wrap(err, "failed to sign metadata")

diff --git a/go.mod b/go.mod
@@ -49,33 +49,53 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 // indirect
 	github.com/KyleBanks/depth v1.2.1 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/ProtonMail/go-crypto v1.1.5 // indirect
+	github.com/agnivade/levenshtein v1.1.1 // indirect
+	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
+	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
+	github.com/aws/aws-sdk-go v1.50.38 // indirect
+	github.com/bahlo/generic-list-go v0.2.0 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bmatcuk/doublestar/v4 v4.8.1 // indirect
+	github.com/buger/jsonparser v1.1.1 // indirect
 	github.com/casbin/govaluate v1.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudflare/circl v1.5.0 // indirect
+	github.com/coreos/go-oidc/v3 v3.12.0 // indirect
 	github.com/cyphar/filepath-securejoin v0.4.0 // indirect
 	github.com/danieljoos/wincred v1.2.2 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
+	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
+	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
 	github.com/dunglas/httpsfv v1.0.2 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/edwarnicke/gitoid v0.0.0-20220710194850-1be5bfda1f9d // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/fatih/color v1.18.0 // indirect
+	github.com/fkautz/omnitrail-go v0.0.0-20230808061951-37d34c23539d // indirect
 	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
 	github.com/glebarez/go-sqlite v1.22.0 // indirect
 	github.com/glebarez/sqlite v1.11.0 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
+	github.com/go-ini/ini v1.67.0 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/spec v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-sql-driver/mysql v1.8.1 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
 	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
@@ -84,17 +104,26 @@ require (
 	github.com/google/go-containerregistry v0.20.3 // indirect
 	github.com/google/go-github/v68 v68.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gosimple/unidecode v1.0.1 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/in-toto/archivista v0.5.4 // indirect
+	github.com/in-toto/attestation v1.0.2 // indirect
+	github.com/in-toto/go-witness v0.7.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/invopop/jsonschema v0.12.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/labstack/gommon v0.4.2 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
@@ -111,28 +140,55 @@ require (
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mattn/go-sqlite3 v1.14.22 // indirect
 	github.com/microsoft/go-mssqldb v1.8.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
+	github.com/omnibor/omnibor-go v0.0.0-20230521145532-a77de61a16cd // indirect
+	github.com/open-policy-agent/opa v0.68.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/openvex/go-vex v0.2.5 // indirect
+	github.com/owenrumney/go-sarif v1.1.1 // indirect
 	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.20.2 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect
 	github.com/segmentio/asm v1.2.0 // indirect
+	github.com/segmentio/ksuid v1.0.4 // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	github.com/sigstore/fulcio v1.4.5 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skeema/knownhosts v1.3.0 // indirect
+	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
+	github.com/spdx/tools-golang v0.5.5 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.1.7 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
+	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/fasttemplate v1.2.2 // indirect
+	github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/yashtewari/glob-intersection v0.2.0 // indirect
+	github.com/zclconf/go-cty v1.14.4 // indirect
+	github.com/zeebo/errs v1.3.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/otel v1.33.0 // indirect
+	go.opentelemetry.io/otel/metric v1.33.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.33.0 // indirect
+	go.opentelemetry.io/otel/trace v1.33.0 // indirect
 	golang.org/x/crypto v0.32.0 // indirect
 	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
 	golang.org/x/net v0.34.0 // indirect
@@ -142,16 +198,26 @@ require (
 	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
 	golang.org/x/tools v0.29.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241202173237-19429a94021a // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250127172529-29210b9bc287 // indirect
 	google.golang.org/grpc v1.70.0 // indirect
 	google.golang.org/protobuf v1.36.4 // indirect
+	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gorm.io/driver/mysql v1.5.7 // indirect
 	gorm.io/driver/sqlserver v1.5.4 // indirect
 	gorm.io/plugin/dbresolver v1.5.3 // indirect
+	k8s.io/apimachinery v0.30.7 // indirect
+	k8s.io/klog/v2 v2.120.1 // indirect
+	k8s.io/utils v0.0.0-20240423183400-0849a56e8f22 // indirect
 	modernc.org/libc v1.61.10 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.8.2 // indirect
 	modernc.org/sqlite v1.34.5 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )