Defining a generalized predicate format for "human reviews" of artifacts #77
Comments
|
I suggest first create a list of possible policies, some examples that are inline with your thoughts. Additions are welcomed. (in parenthesis - requirements from the code review predicate):
At the predicated level:
Regarding using the same attestation for code reviews and for code-scanning:
Regarding the artifact information: |
It is! In my mind, I was trying to separate out the types of artifacts. IMO files and packages have some reasonable answers, but I'm more curious about diffs/patches/changes. I think we can lean on VCS semantics here, either service-specific (ITE-4 resolvers for GitHub PRs) or agnostic (git commit ranges).
I think this makes sense, and we can likely bundle all the meta-information here.
Hmm, this is interesting. I was visualizing something more along the lines of "this is approved" after several iterations have addressed reviewer points. I do wonder how this would work when commit-history is rewritten (say squashed) pre-merge, and if we could still connect the different attestations in such cases.
This makes sense, and something to attach to the policy for reviews as well :)
I think I agree, given the type of CR attestation you have in mind vs what I was thinking of. I'm interested to hear what other folks have in mind too. |
|
I agree with @dn-scribe that it probably doesn't make sense to combine vuln scans and code reviews in a single type. I also agree that leaning on the VCS (or code review system) semantics for code review makes sense. In my mind each could have been separate 'types'. Is the desire to have a generic way to determine if a given commit was reviewed regardless of the VCS/review system used? Where do you imagine the code review attestations being used? Would they be used: a) when looking at a source control system to see what was reviewed and what wasn't? If 'b' then how does the evaluator ever know that all the source was reviewed vs just bits and pieces? I think there may be some overlap with #47 which aims to help solve 'b' but doesn't do much for 'a'. (I should update that with our proposal today, it's been too long) |
|
I wouldn't combine vuln scans (since those are automated scans), however, I think there's value in a base "human reviewed artifact and the outcome was X" that can be used as-is or specialized when there is a need for X to be more structured. For example, we may want to capture that a threat model was reviewed, this may be a code review, but it may also be outside (such as a document or presentation). There are also reviews of people's identification, organization's certifications, service's terms of service, etc. that organizations may want to be able to capture as attestations. Code review attestations can then specialize this by constraining the artifact and providing a code-review specific structure to capture the outcome. |
|
Given the consensus about handling vuln scans and the like independently, I'm going to generalize this to handle "human reviews", as @iamwillbar suggested. I'll rewrite the original issue to reflect this.
In my mind, I think we can lean on ITE-4 semantics here, and talk in abstract, VCS-agnostic terms when defining how CRs for a particular change work. I've primarily used git, and I'm guessing mercurial is a system we want to consider (and others?). A quick look at the git-mercurial rosetta seemed to indicate that this could work for these systems at least, what do you think?
Would VCS semantics help here? We could capture the source being built against a checkpoint in the VCS, and cross reference with code reviews available? We'd have to be smart about connecting differential CRs. We'd also have to be sure that connecting a series of CRs mapped to changes is sufficient as a review of the codebase as a whole at that checkpoint. I suspect it is, and matches the typical workflow.
I'd love broader community input here, specifically for corporate use cases. I personally see this as fulfilling the SLSA two-party review requirements, using a threshold of CR attestations to sign off on changes. |
adityasaky
changed the title
I suspect we might need to consider both VCS semantics as well as the code review system semantics. My understanding is that Gerrit and GitHub reviews work differently. Is that right?
I'd be wary of just taking this approach. For repos that are old and have had lots of reviews that could result in thousands of attestations for each repo that need to be evaluated at the time of use. The verifier would also need to have access to all those attestations and propagating them all through CI/CD would probably be infeasible. That being said I do think this could be used very effectively to audit a repo and make sure it's living up to what it says it's doing. E.g. use this approach (attestation for each review) in combination with #47 (comment) (which only has the repo claim "hey everything in this repo requires 2 party review") could be very effective. With #47 (comment) systems can easily and quickly make decisions about artifacts without having to communicate thousands of attestations, while the attestation-per-review (as discussed here) approach allows for automated auditing of repos and much more information about the individual reviews. WDYT? |
I actually plan to use some time this coming break to review some of the popular systems / services to understand how much we can abstract. I should have a better answer then.
That's a great point. I do wonder if we can use something akin to a summary link, but instead to replace some significant number of CR attestations. The summary would identify the attestations it has replaced as well as the checkpoint it applies to, and without getting too much into the implementation of this, I could see the replaced attestations being fetched from a Rekor instance or a Grafeas server perhaps for further validation when necessary.
I think this is sane. |
I currently think we can use VCS semantics to identify the snippets of code a review applies to. We could maybe define a boolean value that abstracts an approval / rejection in a review across systems like GitHub ("Approve") and Gerrit ("+2") with the actual CR system specific information also in the predicate, but this may be unnecessary considering the corresponding policies for an attestation will also be CR-specific. What do you think? I plan to start working on the specifics of the attestation format taking these as examples, I suspect it'll be easier to discuss them then. |
|
Would it make any sense to start with some definition of the policies we'd like to evaluate on these predicates? |
|
Makes sense, starting with #77 (comment)? |
|
That is a pretty exhaustive list of things that could go into an attestation. Do we have any thoughts about who the audience for the attestations would be? Would the goal be for it to cross organizational boundaries and still be understandable? E.g. would a list of participants that maps to DevOps, QA, etc... make sense outside an organization where people have different policies for code review? I'll admit that my primary goal for some code review attestation is just to be able to tell if a given built artifact meets the SLSA source requirements. Beyond that it doesn't matter to me what the exact procedures were followed. It could be counter-productive in some sense if, from SLSA's perspective, we had to care about the difference between 'approved conditionally', 'approved', and 'reviewed'. but I'm sure there are audiences beyond SLSA! |
That's a good question. I'd like to hear everyone's thoughts, but going back to @dn-scribe's comment above, I can see a couple of usecases where source control attestations may not suffice. For example, here we could verify that a person defined in a Going back to crev-like attestations, the use cases are probably more clearly defined. The subject would be a package + version, perhaps identified using pURL, and the policy is a straightforward "was this dependency version audited by a trusted reviewer". |
|
Relevant: https://paragonie.com/blog/2022/01/solving-open-source-supply-chain-security-for-php-ecosystem We are looking to create a "code review" attestation for witness. The prior work by the PHP team looks like it could fit our customers' needs. We plan on using some sort of user auth flow (OIDC) to sign the attestation collection we create.
Witness supports custom types, which is our current way forward, but we would love to adopt a community standard. |
|
That makes sense to me. One thing that could be clarified is what scope each of those statements apply to. E.g. does 'code-review' apply to just a single change while 'sec-audit' applies to the entire repo? |
The scope in Gossamer is a versioned release (see their docs). It's all fairly loose at the moment, though. |
|
Gotcha. So I think it would be pretty easy to create a predicate type that indicate the various items mentioned above. It should probably be clear about what the scope is. Something like... {
"_type": "https://in-toto.io/Statement/v0.1",
// Assuming the release is a file and we can just hash it.
"subject": [{"name": "_", "digest": {"sha256": "5678..."}}],
"predicateType": "https://slsa.dev/review/versionedRelease/v0.1",
"predicate": {
"reviews": [
"code-review", // Indicates all the code in the release was reviewed.
"sec-audit", // indicates all the code in the release was security audited
]
"attestor": { "id": "mailto:person@example.com" },
}
} |
|
+1 Reasoning out loud: we would include the Should the |
Yes exactly. We take the same approach with builder.id in slsa.dev/provenance.
I think that would make things like the above description harder, so I'd advise against it? |
|
In witness we solve the problem of multiple attestations with an For example, an |
I took a quick look at how this maps to crev's fields, which are more granular, and tried to map them to Gossamer's. For spot-check, code-review, sec-audit, we should probably map it to one value for rating, and then think about whether other combinations of thoroughness + rating are important to consider as well. Also, in the crev mapping, code-review seems to be a subset of a sec-audit, while that's not necessarily the case with the Gossamer options.
Using subjects to scope the review sounds good to me, we can use ITE-4 semantics there for non-file artifacts as well. I'm less certain about using different predicate types for versioned releases vs reviews not necessarily attached to a versioned release. Should this only remain the purview of the subject field? |
|
Note: I recommend against negative votes because it violates the monotonic principle: if someone deletes the attestation, it would cause a policy to go from DENY to ALLOW. Instead, it's better to consider only positive votes so that you don't have to worry about deletion as an attack vector. As discussed today, I think the next step would be to create an ITE to describe the proposal in detail and then map that to specific use cases. In particular, it would be great to hear from specific customers (e.g. @TomHennen) on how they would use the attestation and if it would work for their use case. |
|
Bump, I wonder if we'd like to bring in this into the discussion |
|
Hey @SantiagoTorres I was thinking of this issue too when I started reviewing the I brought this gist up this morning at the OpenSSF Supply Chain Integrity meeting, I'm glad it might gain traction in this particular issue thread :) @lrvick, the author of the gist and I are always down to chat on matrix. Are any of you all active in |
|
@MarkLodato do you have any thoughts on how to avoid negative votes for dependency reviews? |
|
The Sig v2 spec looks great! I've looked at crev a bit but haven't come across https://github.com/git-wotr/spec/blob/master/design.org before. Taking a look... |
Let me add more nuance here. I consider two types of policies:
Both types of policies can be continuously verified, but I think only baseline policies should be enforced, for reliability reasons. Example for vulnerability scans:
To clarify, I caution against individual negative vote attestations because they cannot be used in monotonic policies. Some ideas on how to make it monotonic:
If desired, a best effort policy could still support detecting negative votes after the fact, but you want to at least support the "baseline" monotonic use case. (I hope that made sense.) |
|
@MarkLodato thanks for the clarifications! |
We started discussing what code review attestations should look like, and @iamwillbar suggested checking if we could define a generalized predicate for reviews. We could then derive code review and other formats (perhaps vuln scans like #58) from this general predicate. As a starting point, we've potentially got the following sections in the predicate.
Edit: the general consensus is that we should only handle attestations for human reviews here, so that's what we're going to be focusing on.
Meta Information
In the case of code reviews, this could identify the person performing the review, but in the case of a vuln scan, it could identify the scanner used. One thing to note is that this may be unnecessary in the case of some reviews, because we could use the signature to identify the functionary as we do with links. Further, we could capture temporal information about when the review was performed.
Artifact Information
This section essentially identifies the artifacts the review applies to. We can incorporate ITE-4 here as well. One project we're looking to work with is crev, so we could use something like purl as well to identify package-level reviews as a whole. One open question may be reviews for diffs, and how they'd chain together to apply to a file as a whole.
Edit: we can probably lean on VCS semantics via ITE-4 and tie CRs to the underlying VCS changes / commits they correspond to. Also, as noted below, this would be part of the statement's subject rather than the predicate, but it was included here to nail down exactly what we're likely to be capturing in a review.
Review Result
This is pretty self explanatory for both CRs and vuln scans. I'm not sure if a negative result CR should exist, except maybe for package-results as they're used in crev.
These are all early thoughts in defining a generalized review format, and I'm curious to hear what people think about this. Also open to hearing about other projects like crev we should be paying attention to when working on this.
The text was updated successfully, but these errors were encountered: