4 changes: 2 additions & 2 deletions app/cli/documentation/cli-reference.mdx
Expand Up @@ -252,7 +252,7 @@ Options
--annotation strings additional annotation in the format of key=value
--attestation-id string Unique identifier of the in-progress attestation
-h, --help help for add
--kind string kind of the material to be recorded: ["ARTIFACT" "ASYNCAPI_SPEC" "ATTESTATION" "BLACKDUCK_SCA_JSON" "CERTCC_DRANZER" "CHAINLOOP_AI_AGENT_CONFIG" "CHAINLOOP_AI_CODING_SESSION" "CHAINLOOP_PR_INFO" "CHAINLOOP_RUNNER_CONTEXT" "CONTAINER_IMAGE" "CSAF_INFORMATIONAL_ADVISORY" "CSAF_SECURITY_ADVISORY" "CSAF_SECURITY_INCIDENT_RESPONSE" "CSAF_VEX" "EVIDENCE" "GHAS_CODE_SCAN" "GHAS_DEPENDENCY_SCAN" "GHAS_SECRET_SCAN" "GITLAB_SECURITY_REPORT" "GITLEAKS_JSON" "GRAPHQL_SPEC" "HELM_CHART" "JACOCO_XML" "JUNIT_XML" "OPENAPI_SPEC" "OPENVEX" "OSSF_SCORECARD_JSON" "SARIF" "SBOM_CYCLONEDX_JSON" "SBOM_SPDX_JSON" "SLSA_PROVENANCE" "STRING" "SYSINTERNALS_ACCESSCHK" "SYSINTERNALS_SIGCHECK" "TWISTCLI_SCAN_JSON" "YELP_DETECT_SECRETS_BASELINE" "ZAP_DAST_ZIP"]
--kind string kind of the material to be recorded: ["ARTIFACT" "ASYNCAPI_SPEC" "ATTESTATION" "BLACKDUCK_SCA_JSON" "CERTCC_DRANZER" "CHAINLOOP_AI_AGENT_CONFIG" "CHAINLOOP_AI_CODING_SESSION" "CHAINLOOP_PR_INFO" "CHAINLOOP_RUNNER_CONTEXT" "CONTAINER_IMAGE" "CSAF_INFORMATIONAL_ADVISORY" "CSAF_SECURITY_ADVISORY" "CSAF_SECURITY_INCIDENT_RESPONSE" "CSAF_VEX" "EVIDENCE" "GHAS_CODE_SCAN" "GHAS_DEPENDENCY_SCAN" "GHAS_SECRET_SCAN" "GITLAB_SECURITY_REPORT" "GITLEAKS_JSON" "GRAPHQL_SPEC" "HELM_CHART" "JACOCO_XML" "JUNIT_XML" "OPENAPI_SPEC" "OPENVEX" "OSSF_SCORECARD_JSON" "RADAMSA_CRASHES" "RADAMSA_REPORT" "SARIF" "SBOM_CYCLONEDX_JSON" "SBOM_SPDX_JSON" "SLSA_PROVENANCE" "STRING" "SYSINTERNALS_ACCESSCHK" "SYSINTERNALS_SIGCHECK" "TWISTCLI_SCAN_JSON" "YELP_DETECT_SECRETS_BASELINE" "ZAP_DAST_ZIP"]
--name string name of the material as shown in the contract
--no-strict-validation skip strict schema validation for structured materials (SBOM_CYCLONEDX_JSON, OPENAPI_SPEC, ASYNCAPI_SPEC, OSSF_SCORECARD_JSON)
--registry-password string registry password, ($CHAINLOOP_REGISTRY_PASSWORD)
Expand Down Expand Up @@ -3025,7 +3025,7 @@ Options
--annotation strings Key-value pairs of material annotations (key=value)
-h, --help help for eval
--input stringArray Key-value pairs of policy inputs (key=value)
--kind string Kind of the material: ["ARTIFACT" "ASYNCAPI_SPEC" "ATTESTATION" "BLACKDUCK_SCA_JSON" "CERTCC_DRANZER" "CHAINLOOP_AI_AGENT_CONFIG" "CHAINLOOP_AI_CODING_SESSION" "CHAINLOOP_PR_INFO" "CHAINLOOP_RUNNER_CONTEXT" "CONTAINER_IMAGE" "CSAF_INFORMATIONAL_ADVISORY" "CSAF_SECURITY_ADVISORY" "CSAF_SECURITY_INCIDENT_RESPONSE" "CSAF_VEX" "EVIDENCE" "GHAS_CODE_SCAN" "GHAS_DEPENDENCY_SCAN" "GHAS_SECRET_SCAN" "GITLAB_SECURITY_REPORT" "GITLEAKS_JSON" "GRAPHQL_SPEC" "HELM_CHART" "JACOCO_XML" "JUNIT_XML" "OPENAPI_SPEC" "OPENVEX" "OSSF_SCORECARD_JSON" "SARIF" "SBOM_CYCLONEDX_JSON" "SBOM_SPDX_JSON" "SLSA_PROVENANCE" "STRING" "SYSINTERNALS_ACCESSCHK" "SYSINTERNALS_SIGCHECK" "TWISTCLI_SCAN_JSON" "YELP_DETECT_SECRETS_BASELINE" "ZAP_DAST_ZIP"]
--kind string Kind of the material: ["ARTIFACT" "ASYNCAPI_SPEC" "ATTESTATION" "BLACKDUCK_SCA_JSON" "CERTCC_DRANZER" "CHAINLOOP_AI_AGENT_CONFIG" "CHAINLOOP_AI_CODING_SESSION" "CHAINLOOP_PR_INFO" "CHAINLOOP_RUNNER_CONTEXT" "CONTAINER_IMAGE" "CSAF_INFORMATIONAL_ADVISORY" "CSAF_SECURITY_ADVISORY" "CSAF_SECURITY_INCIDENT_RESPONSE" "CSAF_VEX" "EVIDENCE" "GHAS_CODE_SCAN" "GHAS_DEPENDENCY_SCAN" "GHAS_SECRET_SCAN" "GITLAB_SECURITY_REPORT" "GITLEAKS_JSON" "GRAPHQL_SPEC" "HELM_CHART" "JACOCO_XML" "JUNIT_XML" "OPENAPI_SPEC" "OPENVEX" "OSSF_SCORECARD_JSON" "RADAMSA_CRASHES" "RADAMSA_REPORT" "SARIF" "SBOM_CYCLONEDX_JSON" "SBOM_SPDX_JSON" "SLSA_PROVENANCE" "STRING" "SYSINTERNALS_ACCESSCHK" "SYSINTERNALS_SIGCHECK" "TWISTCLI_SCAN_JSON" "YELP_DETECT_SECRETS_BASELINE" "ZAP_DAST_ZIP"]
--material string Path to material or attestation file
-p, --policy string Policy reference (./my-policy.yaml, https://my-domain.com/my-policy.yaml, chainloop://my-stored-policy) (default "policy.yaml")
--project string Project name to use as engine context for chainloop.* built-ins
19 changes: 15 additions & 4 deletions app/controlplane/api/workflowcontract/v1/crafting_schema.pb.go

Expand Up @@ -175,6 +175,11 @@ message CraftingSchema {
// OpenSSF Scorecard result in JSON format
// https://github.com/ossf/scorecard
OSSF_SCORECARD_JSON = 37;
// radamsa -M metadata log, one record per generated iteration
// https://gitlab.com/akihe/radamsa
RADAMSA_REPORT = 38;
// radamsa crashing inputs, a single file or a crashes/ archive (tar.gz or zip)
RADAMSA_CRASHES = 39;
}
}
}
Expand Up @@ -48,6 +48,10 @@ var CraftingMaterialInValidationOrder = []CraftingSchema_Material_MaterialType{
CraftingSchema_Material_GRAPHQL_SPEC,
CraftingSchema_Material_JUNIT_XML,
CraftingSchema_Material_JACOCO_XML,
// NOTE: RADAMSA_REPORT and RADAMSA_CRASHES are intentionally omitted from
// auto-detection. RADAMSA_CRASHES single-file mode accepts almost any
// non-empty file and would eagerly shadow other types; both work fine when
// referenced with an explicit kind in a workflow contract.
CraftingSchema_Material_HELM_CHART,
CraftingSchema_Material_SARIF,
CraftingSchema_Material_BLACKDUCK_SCA_JSON,
20 changes: 18 additions & 2 deletions pkg/attestation/crafter/api/attestation/v1/crafting_state.go
Expand Up @@ -30,6 +30,7 @@ import (
"github.com/chainloop-dev/chainloop/pkg/attestation/crafter/materials/dranzer"
"github.com/chainloop-dev/chainloop/pkg/attestation/crafter/materials/jacoco"
materialsjunit "github.com/chainloop-dev/chainloop/pkg/attestation/crafter/materials/junit"
materialsradamsa "github.com/chainloop-dev/chainloop/pkg/attestation/crafter/materials/radamsa"
"github.com/chainloop-dev/chainloop/pkg/attestation/crafter/materials/sigcheck"
intoto "github.com/in-toto/attestation/go/v1"
"google.golang.org/protobuf/types/known/structpb"
Expand Down Expand Up @@ -102,8 +103,10 @@ func (m *Attestation_Material) GetEvaluableContent(value string) ([]byte, error)
} else if value == "" {
return nil, errors.New("artifact path required")
} else if m.MaterialType != v1.CraftingSchema_Material_HELM_CHART &&
m.MaterialType != v1.CraftingSchema_Material_JUNIT_XML {
// read content from local filesystem (except for tgz charts)
m.MaterialType != v1.CraftingSchema_Material_JUNIT_XML &&
m.MaterialType != v1.CraftingSchema_Material_RADAMSA_CRASHES {
// read content from local filesystem (except for tgz charts and
// metadata-only materials like radamsa crashes)
rawMaterial, err = os.ReadFile(value)
if err != nil {
return nil, fmt.Errorf("failed to read material content: %w", err)
Expand Down Expand Up @@ -182,6 +185,19 @@ func (m *Attestation_Material) ingestMaterialToJSON(rawMaterial []byte, value st
}
// this will render a json array
return json.Marshal(suites)
case v1.CraftingSchema_Material_RADAMSA_REPORT:
// radamsa's -M metadata log is one record per generated iteration; render
// it as a JSON array so the policy engine exposes it as input.elements.
records, err := materialsradamsa.Parse(bytes.NewReader(rawMaterial))
if err != nil {
return nil, fmt.Errorf("invalid radamsa -M metadata log: %w", err)
}
return json.Marshal(records)
case v1.CraftingSchema_Material_RADAMSA_CRASHES:
// metadata-only: the crash content (single binary file or archive) is
// never evaluated. Discard it so inline content is not parsed as JSON;
// policies read the crash count from chainloop_metadata.annotations.
return []byte("{}"), nil
case v1.CraftingSchema_Material_JACOCO_XML:
var report jacoco.Report
if err := xml.Unmarshal(rawMaterial, &report); err != nil {
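Review bot: In the new `CraftingSchema_Material_RADAMSA_REPORT` case, `json.Marshal(records)` emits `null` rather than `[]` if `materialsradamsa.Parse` returns a nil slice for a metadata log with no records; `Parse` is not visible here, so this is inferred, but a policy that evaluates `count(input.elements)` would then see `null` instead of an empty array, which is the opposite of what the comment promises. Either have `Parse` guarantee a non-nil slice or normalise before marshalling, e.g. `if records == nil { records = make([]T, 0) }` with `T` being the element type `Parse` returns. The same hazard exists for `json.Marshal(suites)` in the JUNIT case just above, which this commit does not touch. Separately, the negated chain in `GetEvaluableContent` (`m.MaterialType != HELM_CHART && != JUNIT_XML && != RADAMSA_CRASHES`) is now three terms long and will keep growing; a small predicate such as `isMetadataOnly(m.MaterialType)` backed by a `switch` would document the intent better than the expanding comment. Both `GetEvaluableContent` and `ingestMaterialToJSON` start and end outside these hunks.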
43 changes: 43 additions & 0 deletions pkg/attestation/crafter/api/attestation/v1/crafting_state_test.go
Expand Up @@ -240,6 +240,49 @@ func TestGetEvaluableContentWithMetadata(t *testing.T) {
},
testField: "objects",
},
{
name: "radamsa report -M log projected to elements",
material: &Attestation_Material{
MaterialType: schemaapi.CraftingSchema_Material_RADAMSA_REPORT,
M: &Attestation_Material_Artifact_{
Artifact: &Attestation_Material_Artifact{
Name: "name", Digest: "sha256:deadbeef", IsSubject: true,
},
},
},
filename: "testdata/radamsa-meta.txt",
testField: "elements",
},
{
// metadata-only: the (non-existent) crashes path must NOT be read.
name: "radamsa crashes metadata only",
material: &Attestation_Material{
MaterialType: schemaapi.CraftingSchema_Material_RADAMSA_CRASHES,
M: &Attestation_Material_Artifact_{
Artifact: &Attestation_Material_Artifact{
Name: "name", Digest: "sha256:deadbeef", IsSubject: true,
},
},
Annotations: map[string]string{"chainloop.material.radamsa.crashes.count": "0"},
},
filename: "testdata/this-crashes-file-does-not-exist.tar.gz",
},
{
// inline binary crash content must NOT be parsed as JSON; it is
// metadata-only regardless of how the content is sourced.
name: "radamsa crashes inline binary content",
material: &Attestation_Material{
MaterialType: schemaapi.CraftingSchema_Material_RADAMSA_CRASHES,
M: &Attestation_Material_Artifact_{
Artifact: &Attestation_Material_Artifact{
Name: "name", Digest: "sha256:deadbeef", IsSubject: true,
Content: []byte("\x1f\x8b\x08\x00rawcrashingbytes"),
},
},
InlineCas: true,
Annotations: map[string]string{"chainloop.material.radamsa.crashes.count": "1"},
},
},
}

for _, tc := range cases {
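Review bot: The two new `RADAMSA_CRASHES` cases set no `testField`, so if the loop below only inspects `testField` when it is non-empty (the loop body is outside this hunk), they verify only that `GetEvaluableContent` returns without error, not that the crash bytes are discarded and `{}` is produced. Adding an expected-content field to the table, e.g. `want string` set to `"{}"` for both cases and compared against the returned bytes, would pin the metadata-only contract the comments describe, including that the inline `\x1f\x8b…` content is never handed to the JSON decoder. The non-existent-path case already guards the read regression; asserting the returned content there too makes the observable behaviour a policy depends on explicit.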
@@ -0,0 +1,3 @@
seed: 705693910129640559698481
muta-num: 1, generator: file, checksum: "CF5DA754A292766FAA5465FD", nth: 1, path: "/tmp/m/sample_1.eds", output: file-writer, length: 16892, pattern: many-dec
byte-dec: 1, generator: jump, head: "/tmp/t/sample.eds", checksum: "F2F767F4D2E28596BD5BD982", nth: 2, output: file-writer, length: 17199, pattern: many-dec