From 8596d98b9bae3b6f4b8985ea933ad753fc423b81 Mon Sep 17 00:00:00 2001
From: Sambhav Kothari
Date: Mon, 6 Sep 2021 13:18:09 +0000
Subject: [PATCH] Add sbom and attestations to triangulate
Signed-off-by: Sambhav Kothari
---
 cmd/cosign/cli/triangulate.go | 19 +++++++++++++++----
 pkg/cosign/fetch.go | 6 ++++++
 2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/cmd/cosign/cli/triangulate.go b/cmd/cosign/cli/triangulate.go
index b7789175f46..efaf0d42b34 100644
--- a/cmd/cosign/cli/triangulate.go
+++ b/cmd/cosign/cli/triangulate.go
@@ -29,22 +29,23 @@ import (
 func Triangulate() *ffcli.Command {
 var (
 flagset = flag.NewFlagSet("cosign triangulate", flag.ExitOnError)
+ t = flagset.String("type", "signature", "related attachment to triangulate (attestation|sbom|signature), default signature")
 )
 return &ffcli.Command{
 Name: "triangulate",
 ShortUsage: "cosign triangulate ",
- ShortHelp: "Outputs the located cosign image reference. This is the location cosign stores signatures.",
+ ShortHelp: "Outputs the located cosign image reference. This is the location cosign stores the specified artifact type.",
 FlagSet: flagset,
 Exec: func(ctx context.Context, args []string) error {
 if len(args) != 1 {
 return flag.ErrHelp
 }
- return MungeCmd(ctx, args[0])
+ return MungeCmd(ctx, args[0], *t)
 },
 }
 }
-func MungeCmd(ctx context.Context, imageRef string) error {
+func MungeCmd(ctx context.Context, imageRef string, attachmentType string) error {
 ref, err := name.ParseReference(imageRef)
 if err != nil {
 return err
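Review bot: The new ShortHelp in Triangulate still reads as if the printed reference were a confirmed artifact, but the tag is only computed from the image digest and a suffix and, in the lines visible in this patch, is printed without being fetched or verified. Now that the command also resolves SBOM and attestation locations, the help should say so, e.g. `ShortHelp: "Outputs the tag where cosign would store the specified artifact type for an image; the artifact is neither fetched nor verified.",`, so that scripts do not treat the output as proof that a trusted SBOM or attestation exists. MungeCmd is exported and gains a parameter here, which breaks any out-of-tree caller, and it has no doc comment; add `// MungeCmd prints the tag under which cosign stores the given attachment type for imageRef.` The body of MungeCmd continues outside this hunk.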
@@ -59,7 +60,17 @@ func MungeCmd(ctx context.Context, imageRef string) error {
 if err != nil {
 return err
 }
- dstRef := cosign.AttachedImageTag(sigRepo, h, cosign.SignatureTagSuffix)
+ var dstRef name.Tag
+ switch attachmentType {
+ case cosign.Signature:
+ dstRef = cosign.AttachedImageTag(sigRepo, h, cosign.SignatureTagSuffix)
+ case cosign.SBOM:
+ dstRef = cosign.AttachedImageTag(sigRepo, h, cosign.SBOMTagSuffix)
+ case cosign.Attestation:
+ dstRef = cosign.AttachedImageTag(sigRepo, h, cosign.AttestationTagSuffix)
+ default:
+ return fmt.Errorf("unknown attachment type %s", attachmentType)
+ }
 fmt.Println(dstRef.Name())
 return nil
diff --git a/pkg/cosign/fetch.go b/pkg/cosign/fetch.go
index 473e87f2258..358a179bb2b 100644
--- a/pkg/cosign/fetch.go
+++ b/pkg/cosign/fetch.go
@@ -58,6 +58,12 @@ const (
 AttestationTagSuffix = ".att"
 )
+const (
+ Signature = "signature"
+ SBOM = "sbom"
+ Attestation = "attestation"
+)
+
 func AttachedImageTag(repo name.Repository, digest v1.Hash, tagSuffix string) name.Tag {
 // sha256:d34db33f -> sha256-d34db33f.suffix
 tagStr := strings.ReplaceAll(digest.String(), ":", "-") + tagSuffix
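Review bot: An unsupported `-type` value is rejected only in the `default` branch of the switch in MungeCmd (cmd/cosign/cli/triangulate.go), after `sigRepo` and `h` have already been computed in lines outside this hunk, presumably including a registry lookup for the digest. A typo therefore costs that work and may surface an unrelated registry error first; checking attachmentType at the top of MungeCmd, or in Exec before the call, would fail fast. The message would also be more useful if it quoted the input and listed the accepted values: `return fmt.Errorf("unknown attachment type %q (want %s, %s or %s)", attachmentType, cosign.Signature, cosign.SBOM, cosign.Attestation)`. The three cases differ only in the suffix, so choosing the suffix in the switch and calling cosign.AttachedImageTag once afterwards would remove the repetition.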
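Review bot: The new exported constants in pkg/cosign/fetch.go have no doc comment, and names as broad as `Signature`, `SBOM` and `Attestation` give no hint at the call site that they are attachment-type strings for the CLI. A comment such as `// Attachment type names accepted by "cosign triangulate -type".` above the block would help, and a common prefix or a named string type would help more if the API can still change. Each value pairs with one of the `...TagSuffix` constants declared just above, so keeping that mapping in this package rather than in the switch in triangulate.go would stop the two lists drifting apart. AttachedImageTag's body continues outside the hunk.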