chainloop-dev / chainloop

Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, CSAF files, QA reports, and more.
https://docs.chainloop.dev
Apache License 2.0

feat: add additional context to attested materials #498

Open migmartri opened 8 months ago

migmartri commented 8 months ago

Attested materials now support arbitrary annotations that can be useful to add additional context.

For example

All materials

CAS-based materials

Container image

migmartri commented 8 months ago

There is no required change in the attestation layer. The materials in the attestations already contain all that information. For example

Container image

    {
      "annotations": {
        "chainloop.material.name": "artifact",
        "chainloop.material.type": "CONTAINER_IMAGE"
      },
      "digest": {
        "sha256": "679d7f74941e1b121c49f85b2efbe7a147db90d60352e02b1d20da0a8b44c924"
      },
      "name": "ghcr.io/chainloop-dev/charts/chainloop"
    }

or artifact

    {
      "annotations": {
        "chainloop.material.cas": true,
        "chainloop.material.name": "log",
        "chainloop.material.type": "ARTIFACT"
      },
      "digest": {
        "sha256": "f3c18b363a45894baca751e44526b8af4853f7d519e42e1ca9962746dfcc028f"
      },
      "name": "output.log"
    }

This issue was in fact more related to our discovery endpoint, to be able to populate such info in an endpoint like this one.

As you can see, the materials listed there do not contain annotations or additional metadata, and this is because those nodes are generic and depend on the context of the attestation the user is querying.

We might be able to make the API smart and hydrate the results if and only if we are talking about the context of a very specific attestation.
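As an added example (not part of this issue and not Chainloop's own code), the following Go program shows how a consumer of an attestation would read the material entries quoted above: it decodes the two entries as a constructed JSON list, pulls the `chainloop.material.type` and `chainloop.material.cas` annotations out of the free-form `annotations` map, and verifies a blob against the hex sha256 recorded under `digest`. The list wrapper, the `Material` struct and the helper names are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Material mirrors the shape of the material entries quoted in this issue:
// a free-form annotations map, a digest map keyed by algorithm, and a name.
// (Assumed struct for this example; not a Chainloop type.)
type Material struct {
	Annotations map[string]interface{} `json:"annotations"`
	Digest      map[string]string      `json:"digest"`
	Name        string                 `json:"name"`
}

// sampleMaterials is a constructed list wrapping the two entries from the issue.
const sampleMaterials = `[
  {
    "annotations": {
      "chainloop.material.name": "artifact",
      "chainloop.material.type": "CONTAINER_IMAGE"
    },
    "digest": {
      "sha256": "679d7f74941e1b121c49f85b2efbe7a147db90d60352e02b1d20da0a8b44c924"
    },
    "name": "ghcr.io/chainloop-dev/charts/chainloop"
  },
  {
    "annotations": {
      "chainloop.material.cas": true,
      "chainloop.material.name": "log",
      "chainloop.material.type": "ARTIFACT"
    },
    "digest": {
      "sha256": "f3c18b363a45894baca751e44526b8af4853f7d519e42e1ca9962746dfcc028f"
    },
    "name": "output.log"
  }
]`

// parseMaterials decodes a JSON array of materials.
func parseMaterials(raw string) ([]Material, error) {
	var ms []Material
	if err := json.Unmarshal([]byte(raw), &ms); err != nil {
		return nil, fmt.Errorf("decoding materials: %w", err)
	}
	return ms, nil
}

// materialType returns the chainloop.material.type annotation, or "" if absent.
func materialType(m Material) string {
	t, _ := m.Annotations["chainloop.material.type"].(string)
	return t
}

// isCAS reports whether the material was stored in the CAS, i.e. the
// chainloop.material.cas annotation is present and true.
func isCAS(m Material) bool {
	v, _ := m.Annotations["chainloop.material.cas"].(bool)
	return v
}

// digestOf returns the hex-encoded sha256 of content, the encoding used in "digest".
func digestOf(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// verifyDigest compares content against the sha256 recorded for the material.
// It fails closed: a material with no sha256 digest is an error, never a match.
func verifyDigest(m Material, content []byte) (bool, error) {
	want, ok := m.Digest["sha256"]
	if !ok {
		return false, fmt.Errorf("material %q has no sha256 digest", m.Name)
	}
	return digestOf(content) == want, nil
}

func main() {
	ms, err := parseMaterials(sampleMaterials)
	if err != nil {
		panic(err)
	}
	for _, m := range ms {
		fmt.Printf("%-40s type=%-16s cas=%-5v sha256=%s\n",
			m.Name, materialType(m), isCAS(m), m.Digest["sha256"])
	}
	// A constructed blob: it does not match the digest recorded for output.log,
	// which is the outcome a consumer must treat as a failed verification.
	ok, err := verifyDigest(ms[1], []byte("constructed log content\n"))
	fmt.Println("output.log matches constructed blob:", ok, err)
}
```

The point of the `isCAS` check is that only materials flagged `chainloop.material.cas` are expected to be fetchable from the CAS by digest; a container image reference like the first entry carries a digest to be checked against the registry, not against the CAS.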

migmartri commented 6 months ago

This effort now has two angles

For a), apart from the current workflow name we can add

and we can also add organization name