v1

package

v1.0.0 Latest Latest Go to latest Published: May 11, 2023 License: Apache-2.0 Imports: 5 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/project-oak/transparent-release

Links

Open Source Insights

Documentation ¶

Overview ¶

Package v1 contains structs representing SLSA provenance v1.0.

Index ¶

Constants
func BuildCmd(predicate ProvenancePredicate) []string
func BuilderID(predicate ProvenancePredicate) string
func BuilderImageDigest(predicate ProvenancePredicate) (string, error)
func GitURI(predicate ProvenancePredicate) []string
type BuildConfig
type BuildMetadata
type Builder
type DockerBasedExternalParameters
type ProvenanceBuildDefinition
type ProvenancePredicate
- func ParseContainerBasedSLSAv1Provenance(predicate interface{}) (*ProvenancePredicate, error)
type ProvenanceRunDetails
type ResourceDescriptor

Constants ¶

View Source

const (
	// PredicateSLSAProvenance is the predicate type of a SLSA v1 provenance.
	PredicateSLSAProvenance = "https://slsa.dev/provenance/v1"

	// PredicateSLSAProvenanceDraft is the predicate type of an earlier draft of SLSA v1 provenance.
	PredicateSLSAProvenanceDraft = "https://slsa.dev/provenance/v1.0?draft"

	// DockerBasedBuildType is the build type of container-based builds.
	DockerBasedBuildType = "https://slsa.dev/container-based-build/v0.1?draft"
)

Variables ¶

This section is empty.

Functions ¶

func BuildCmd ¶

func BuildCmd(predicate ProvenancePredicate) []string

BuildCmd extracts and returns the build command from the given ProvenancePredicate.

func BuilderID ¶

func BuilderID(predicate ProvenancePredicate) string

BuilderID extracts and returns the builder ID from the given ProvenancePredicate.

func BuilderImageDigest ¶

func BuilderImageDigest(predicate ProvenancePredicate) (string, error)

BuilderImageDigest extracts and returns the digest for the Builder Image.

Types ¶

type BuildConfig ¶

type BuildConfig struct {
	// The path, relative to the root of the git repository, where the artifact
	// built by the `docker run` command is expected to be found.
	ArtifactPath string `toml:"artifact_path"`

	// Build command that is passed to `docker run`.
	Command []string `toml:"command"`
}

BuildConfig is a collection of parameters to use for building the artifact in a container-based build.

type BuildMetadata ¶

type BuildMetadata struct {
	// Identifies this particular build invocation, which can be useful for
	// finding associated logs or other ad-hoc analysis. The exact meaning and
	// format is defined by builder.id; by default it is treated as opaque and
	// case-sensitive. The value SHOULD be globally unique.
	InvocationID string `json:"invocationID,omitempty"`

	// The timestamp of when the build started.
	StartedOn *time.Time `json:"startedOn,omitempty"`

	// The timestamp of when the build completed.
	FinishedOn *time.Time `json:"finishedOn,omitempty"`
}

type Builder ¶

type Builder struct {
	// URI indicating the transitive closure of the trusted builder.
	ID string `json:"id"`

	// Version numbers of components of the builder.
	Version map[string]string `json:"version,omitempty"`

	// Dependencies used by the orchestrator that are not run within the
	// workload and that do not affect the build, but might affect the
	// provenance generation or security guarantees.
	BuilderDependencies []ResourceDescriptor `json:"builderDependencies,omitempty"`
}

Builder represents the transitive closure of all the entities that are, by necessity, trusted to faithfully run the build and record the provenance.

type DockerBasedExternalParameters ¶

type DockerBasedExternalParameters struct {
	// The source GitHub repo
	Source ResourceDescriptor `json:"source"`

	// The Docker builder image
	BuilderImage ResourceDescriptor `json:"builderImage"`

	// Path to a configuration file relative to the root of the repository.
	ConfigPath string `json:"configPath"`

	// Unpacked build config parameters
	Config BuildConfig `json:"buildConfig"`
}

DockerBasedExternalParameters is a representation of the top level inputs to a container-based build.

type ProvenanceBuildDefinition ¶

type ProvenanceBuildDefinition struct {
	// A human-readable URI identifying the template for how to perform the
	// build and interpret the parameters and dependencies.
	BuildType string `json:"buildType"`

	// Parameters that are under external control, such as those set by a user.
	ExternalParameters interface{} `json:"externalParameters"`

	// Parameters that are under the control of the entity represented by
	// builder.id.
	InternalParameters interface{} `json:"internalParameters,omitempty"`

	// Unordered collection of artifacts needed at build time.
	ResolvedDependencies []ResourceDescriptor `json:"resolvedDependencies,omitempty"`
}

ProvenanceBuildDefinition describes all inputs to the build.

type ProvenancePredicate ¶

type ProvenancePredicate struct {
	// The BuildDefinition describes all of the inputs to the build.
	BuildDefinition ProvenanceBuildDefinition `json:"buildDefinition"`

	// The RunDetails describes this particular execution of the build.
	RunDetails ProvenanceRunDetails `json:"runDetails"`
}

ProvenancePredicate defines the structure of a SLSA v1 provenance predicate. See the specification in https://slsa.dev/spec/v1.0/.

func ParseContainerBasedSLSAv1Provenance ¶

func ParseContainerBasedSLSAv1Provenance(predicate interface{}) (*ProvenancePredicate, error)

ParseContainerBasedSLSAv1Provenance parses the given object as a ProvenancePredicate, with its BuildDefinition.ExternalParameters parsed into an instance of DockerBasedExternalParameters. Returns an error if any of the conversions is unsuccessful.

type ProvenanceRunDetails ¶

type ProvenanceRunDetails struct {
	// Identifies the entity that executed the build.
	Builder Builder `json:"builder"`

	// Metadata about this particular execution of the build.
	BuildMetadata BuildMetadata `json:"metadata,omitempty"`

	// Additional artifacts generated during the build that are not considered
	// the “output” of the build but that might be needed during debugging or
	// incident response.
	Byproducts []ResourceDescriptor `json:"byproducts,omitempty"`
}

ProvenanceRunDetails includes details specific to a particular execution of a build.

type ResourceDescriptor ¶

type ResourceDescriptor struct {
	// A URI used to identify the resource globally. This field is REQUIRED
	// unless either digest or content is set.
	URI string `json:"uri,omitempty"`

	// A set of cryptographic digests of the contents of the resource. This
	// field is REQUIRED unless either uri or content is set.
	Digest intoto.DigestSet `json:"digest,omitempty"`

	// Machine-readable identifier for distinguishing between descriptors.
	Name string `json:"name,omitempty"`

	// Location of the described resource, if different from the uri.
	DownloadLocation string `json:"downloadLocation,omitempty"`

	// The MIME Type (i.e., media type) of the described resource.
	MediaType string `json:"mediaType,omitempty"`

	// The contents of the resource. This field is REQUIRED unless either uri
	// or digest is set.
	Content []byte `json:"content,omitempty"`

	// This field MAY be used to provide additional information or metadata
	// about the resource that may be useful to the consumer when evaluating
	// the attestation against a policy.
	Annotations map[string]interface{} `json:"annotations,omitempty"`
}

ResourceDescriptor describes a particular software resource.

Source Files ¶

View all Source files

provenance.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL