Merge pull request #3312 from jedevc/sbom-filelist-followup

Tidy-up of SBOM layer supplements
moby · Nov 24, 2022 · 2ea9ce0 · 2ea9ce0
2 parents e8dac6c + b059bed
commit 2ea9ce0
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 48 deletions.
diff --git a/client/client_test.go b/client/client_test.go
@@ -7613,7 +7613,7 @@ cat <<EOF > $BUILDKIT_SCAN_DESTINATION/spdx.json
 {
   "_type": "https://in-toto.io/Statement/v0.1",
   "predicateType": "https://spdx.dev/Document",
-  "predicate": {"success": false}
+  "predicate": {"name": "fallback"}
 }
 EOF
 `
@@ -7681,7 +7681,7 @@ EOF
 			// build attestations
 			if attest {
 				st = llb.Scratch().
-					File(llb.Mkfile("/result.spdx", 0600, []byte(`{"success": true}`)))
+					File(llb.Mkfile("/result.spdx", 0600, []byte(`{"name": "frontend"}`)))
 				def, err = st.Marshal(ctx)
 				if err != nil {
 					return nil, err
@@ -7769,7 +7769,7 @@ EOF
 	require.NoError(t, json.Unmarshal(att.LayersRaw[0], &attest))
 	require.Equal(t, "https://in-toto.io/Statement/v0.1", attest.Type)
 	require.Equal(t, intoto.PredicateSPDX, attest.PredicateType)
-	require.Equal(t, map[string]interface{}{"success": true}, attest.Predicate)
+	require.Subset(t, attest.Predicate, map[string]interface{}{"name": "frontend"})
 
 	// test the specified fallback scanner
 	target = registry + "/buildkit/testsbom3:latest"
@@ -7801,7 +7801,7 @@ EOF
 	require.NoError(t, json.Unmarshal(att.LayersRaw[0], &attest))
 	require.Equal(t, "https://in-toto.io/Statement/v0.1", attest.Type)
 	require.Equal(t, intoto.PredicateSPDX, attest.PredicateType)
-	require.Equal(t, map[string]interface{}{"success": false}, attest.Predicate)
+	require.Subset(t, attest.Predicate, map[string]interface{}{"name": "fallback"})
 
 	// test the builtin frontend scanner and the specified fallback scanner together
 	target = registry + "/buildkit/testsbom3:latest"
@@ -7833,7 +7833,7 @@ EOF
 	require.NoError(t, json.Unmarshal(att.LayersRaw[0], &attest))
 	require.Equal(t, "https://in-toto.io/Statement/v0.1", attest.Type)
 	require.Equal(t, intoto.PredicateSPDX, attest.PredicateType)
-	require.Equal(t, map[string]interface{}{"success": true}, attest.Predicate)
+	require.Subset(t, attest.Predicate, map[string]interface{}{"name": "frontend"})
 }
 
 func testSBOMScanSingleRef(t *testing.T, sb integration.Sandbox) {
@@ -7887,7 +7887,7 @@ cat <<EOF > $BUILDKIT_SCAN_DESTINATION/spdx.json
 {
   "_type": "https://in-toto.io/Statement/v0.1",
   "predicateType": "https://spdx.dev/Document",
-  "predicate": {"success": false}
+  "predicate": {"name": "fallback"}
 }
 EOF
 `
@@ -7987,7 +7987,7 @@ EOF
 	require.NoError(t, json.Unmarshal(att.LayersRaw[0], &attest))
 	require.Equal(t, "https://in-toto.io/Statement/v0.1", attest.Type)
 	require.Equal(t, intoto.PredicateSPDX, attest.PredicateType)
-	require.Equal(t, map[string]interface{}{"success": false}, attest.Predicate)
+	require.Subset(t, attest.Predicate, map[string]interface{}{"name": "fallback"})
 }
 
 func testMultipleCacheExports(t *testing.T, sb integration.Sandbox) {

diff --git a/exporter/containerimage/attestations.go b/exporter/containerimage/attestations.go
@@ -41,48 +41,50 @@ func supplementSBOM(ctx context.Context, s session.Group, target cache.Immutable
 	}
 
 	doc, err := decodeSPDX(content)
-	if err == nil {
-		layers, err := newFileLayerFinder(target, targetRemote)
-		if err != nil {
-			return att, err
+	if err != nil {
+		return att, err
+	}
+
+	layers, err := newFileLayerFinder(target, targetRemote)
+	if err != nil {
+		return att, err
+	}
+	modifyFile := func(f *spdx.File2_2) error {
+		if f.FileComment != "" {
+			// Skip over files that already have a comment - since the data is
+			// unstructured, we can't correctly overwrite this field without
+			// possibly breaking some scanner functionality.
+			return nil
 		}
-		modifyFile := func(f *spdx.File2_2) error {
-			if f.FileComment != "" {
-				// Skip over files that already have a comment - since the data is
-				// unstructured, we can't correctly overwrite this field without
-				// possibly breaking some scanner functionality.
-				return nil
-			}
 
-			_, desc, err := layers.find(ctx, s, f.FileName)
-			if err != nil {
-				if !errors.Is(err, fs.ErrNotExist) {
-					return err
-				}
-				return nil
+		_, desc, err := layers.find(ctx, s, f.FileName)
+		if err != nil {
+			if !errors.Is(err, fs.ErrNotExist) {
+				return err
 			}
-			f.FileComment = fmt.Sprintf("layerID: %s", desc.Digest.String())
 			return nil
 		}
-		for _, f := range doc.UnpackagedFiles {
+		f.FileComment = fmt.Sprintf("layerID: %s", desc.Digest.String())
+		return nil
+	}
+	for _, f := range doc.UnpackagedFiles {
+		if err := modifyFile(f); err != nil {
+			return att, err
+		}
+	}
+	for _, p := range doc.Packages {
+		for _, f := range p.Files {
 			if err := modifyFile(f); err != nil {
 				return att, err
 			}
 		}
-		for _, p := range doc.Packages {
-			for _, f := range p.Files {
-				if err := modifyFile(f); err != nil {
-					return att, err
-				}
-			}
-		}
+	}
 
-		doc.CreationInfo.CreatorTools = append(doc.CreationInfo.CreatorTools, "buildkit-"+version.Version)
+	doc.CreationInfo.CreatorTools = append(doc.CreationInfo.CreatorTools, "buildkit-"+version.Version)
 
-		content, err = encodeSPDX(doc)
-		if err != nil {
-			return att, err
-		}
+	content, err = encodeSPDX(doc)
+	if err != nil {
+		return att, err
 	}
 
 	return result.Attestation{

diff --git a/frontend/dockerfile/dockerfile_test.go b/frontend/dockerfile/dockerfile_test.go
@@ -6079,7 +6079,7 @@ COPY <<-"EOF" /scan.sh
 	{
 	  "_type": "https://in-toto.io/Statement/v0.1",
 	  "predicateType": "https://spdx.dev/Document",
-	  "predicate": {"success": true}
+	  "predicate": {"name": "sbom-scan"}
 	}
 	BUNDLE
 EOF
@@ -6158,7 +6158,7 @@ EOF
 	require.NoError(t, json.Unmarshal(att.LayersRaw[0], &attest))
 	require.Equal(t, "https://in-toto.io/Statement/v0.1", attest.Type)
 	require.Equal(t, intoto.PredicateSPDX, attest.PredicateType)
-	require.Equal(t, map[string]interface{}{"success": true}, attest.Predicate)
+	require.Subset(t, attest.Predicate, map[string]interface{}{"name": "sbom-scan"})
 }
 
 func testSBOMScannerArgs(t *testing.T, sb integration.Sandbox) {
@@ -6184,7 +6184,7 @@ COPY <<-"EOF" /scan.sh
 	{
 	  "_type": "https://in-toto.io/Statement/v0.1",
 	  "predicateType": "https://spdx.dev/Document",
-	  "predicate": {"core": true}
+	  "predicate": {"name": "core"}
 	}
 	BUNDLE
 	if [ "${BUILDKIT_SCAN_SOURCE_EXTRAS}" ]; then
@@ -6193,7 +6193,7 @@ COPY <<-"EOF" /scan.sh
 			{
 			  "_type": "https://in-toto.io/Statement/v0.1",
 			  "predicateType": "https://spdx.dev/Document",
-			  "predicate": {"extra": true}
+			  "predicate": {"name": "extra"}
 			}
 			BUNDLE
 		done
@@ -6273,11 +6273,10 @@ FROM base
 	require.NotNil(t, img)
 
 	att := imgs.Find("unknown/unknown")
-	extraCount := 0
 	require.Equal(t, 1, len(att.LayersRaw))
 	var attest intoto.Statement
 	require.NoError(t, json.Unmarshal(att.LayersRaw[0], &attest))
-	require.Equal(t, map[string]interface{}{"core": true}, attest.Predicate)
+	require.Subset(t, attest.Predicate, map[string]interface{}{"name": "core"})
 
 	dockerfile = []byte(`
 ARG BUILDKIT_SBOM_SCAN_CONTEXT=true
@@ -6339,15 +6338,15 @@ ARG BUILDKIT_SBOM_SCAN_STAGE=true
 
 	att = imgs.Find("unknown/unknown")
 	require.Equal(t, 4, len(att.LayersRaw))
-	extraCount = 0
+	extraCount := 0
 	for _, l := range att.LayersRaw {
 		var attest intoto.Statement
 		require.NoError(t, json.Unmarshal(l, &attest))
 		att := attest.Predicate.(map[string]interface{})
-		switch {
-		case att["extra"] == true:
+		switch att["name"] {
+		case "core":
+		case "extra":
 			extraCount++
-		case att["core"] == true:
 		default:
 			require.Fail(t, "unexpected attestation", "%v", att)
 		}