chainloop-dev / chainloop

Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, CSAF files, QA reports, and more.
https://docs.chainloop.dev
Apache License 2.0

CLI fails to discover material type with OCI charts #900

Open jiparis opened 1 month ago

jiparis commented 1 month ago

Trying to attest an OCI chart ends up discovering a STRING material type, but it should be HELM_CHART instead. Running it in debug mode:

> cl att add --value ghcr.io/chainloop-dev/charts:latest --debug --token $(cat token.txt )
DBG Telemetry enabled, to disable it use DO_NOT_TRACK=1
DBG loading state state=file:///var/folders/ls/cv3k03v57ns18mmwjjbgy8z00000gn/T/chainloop-attestation.tmp.json
DBG loaded state state=file:///var/folders/ls/cv3k03v57ns18mmwjjbgy8z00000gn/T/chainloop-attestation.tmp.json
DBG failed to add material error="crafting material: can't open the file: open ghcr.io/chainloop-dev/charts:latest: no such file or directory" kind=OPENVEX
DBG failed to add material error="crafting material: can't open the file: open ghcr.io/chainloop-dev/charts:latest: no such file or directory" kind=SBOM_CYCLONEDX_JSON
DBG failed to add material error="crafting material: can't open the file: open ghcr.io/chainloop-dev/charts:latest: no such file or directory" kind=SBOM_SPDX_JSON
DBG decoding CSAF file path=ghcr.io/chainloop-dev/charts:latest
DBG failed to add material error="crafting material: can't open the file: open ghcr.io/chainloop-dev/charts:latest: no such file or directory - unexpected material type" kind=CSAF_VEX
DBG decoding CSAF file path=ghcr.io/chainloop-dev/charts:latest
DBG failed to add material error="crafting material: can't open the file: open ghcr.io/chainloop-dev/charts:latest: no such file or directory - unexpected material type" kind=CSAF_INFORMATIONAL_ADVISORY
DBG decoding CSAF file path=ghcr.io/chainloop-dev/charts:latest
DBG failed to add material error="crafting material: can't open the file: open ghcr.io/chainloop-dev/charts:latest: no such file or directory - unexpected material type" kind=CSAF_SECURITY_ADVISORY
DBG decoding CSAF file path=ghcr.io/chainloop-dev/charts:latest
DBG failed to add material error="crafting material: can't open the file: open ghcr.io/chainloop-dev/charts:latest: no such file or directory - unexpected material type" kind=CSAF_SECURITY_INCIDENT_RESPONSE
DBG failed to add material error="crafting material: can't open the file: open ghcr.io/chainloop-dev/charts:latest: no such file or directory" kind=JUNIT_XML
DBG failed to add material error="crafting material: can't open the file: open ghcr.io/chainloop-dev/charts:latest: no such file or directory" kind=HELM_CHART
DBG retrieving container image digest from remote name=ghcr.io/chainloop-dev/charts:latest
DBG failed to add material error="crafting material: GET https://ghcr.io/token?scope=repository%3Achainloop-dev%2Fcharts%3Apull&service=ghcr.io: DENIED: requested access to the resource is denied" kind=CONTAINER_IMAGE
DBG decoding SARIF file path=ghcr.io/chainloop-dev/charts:latest
DBG error decoding file error="the provided file path doesn't have a file"
DBG failed to add material error="crafting material: invalid SARIF file: unexpected material type" kind=SARIF
DBG failed to add material error="crafting material: artifact file cannot be read: open ghcr.io/chainloop-dev/charts:latest: no such file or directory" kind=ATTESTATION
DBG failed to add material error="crafting material: getting file stats: stat ghcr.io/chainloop-dev/charts:latest: no such file or directory" kind=ARTIFACT
DBG added to state key=material-1717598767208318000
INF material kind detected kind=STRING
INF material added to attestation

javirln commented 1 month ago

The reason for this behavior is that the Chart crafter does not try to download anything; instead, it tries to validate what's found on the system.
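To make that fallback concrete, here is an added Go example (it is not Chainloop's own code) that models the detection loop visible in the debug log: crafters are tried in order, the Helm chart crafter only looks for a local file as javirln describes, the container-image crafter is simulated as a registry that denies the pull, and a value that satisfies no crafter falls through to STRING. The crafter functions, their order, and the OCI-reference heuristic are assumptions constructed for this example; the heuristic is the check a practitioner would want so that an OCI reference silently attested as an opaque string is flagged instead of passing unnoticed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"regexp"
)

// Kind is a material kind; this is a constructed subset of the kinds the
// debug log above cycles through, in the same relative order.
type Kind string

const (
	KindHelmChart      Kind = "HELM_CHART"
	KindContainerImage Kind = "CONTAINER_IMAGE"
	KindArtifact       Kind = "ARTIFACT"
	KindString         Kind = "STRING"
)

// Crafter validates a candidate value for one kind (hypothetical signature).
type Crafter func(value string) error

// helmChartCrafter never downloads anything: it only checks that the value is
// a file on the local system, so an OCI reference fails with "no such file".
func helmChartCrafter(value string) error {
	if _, err := os.Stat(value); err != nil {
		return fmt.Errorf("can't open the file: %w", err)
	}
	return nil
}

// containerImageCrafter stands in for the remote digest lookup; here the
// registry is simulated as denying the pull, as in the DENIED line of the log.
func containerImageCrafter(value string) error {
	return errors.New("requested access to the resource is denied")
}

// artifactCrafter also expects a readable local file.
func artifactCrafter(value string) error {
	if _, err := os.Stat(value); err != nil {
		return fmt.Errorf("getting file stats: %w", err)
	}
	return nil
}

// crafterOrder is the detection order; STRING is the catch-all after it.
var crafterOrder = []struct {
	kind Kind
	fn   Crafter
}{
	{KindHelmChart, helmChartCrafter},
	{KindContainerImage, containerImageCrafter},
	{KindArtifact, artifactCrafter},
}

// DetectKind tries each crafter in turn, returns the first kind that accepts
// the value, and falls back to STRING when none does. It also returns the
// errors collected on the way, mirroring the "failed to add material" lines.
func DetectKind(value string) (Kind, []string) {
	var tried []string
	for _, c := range crafterOrder {
		if err := c.fn(value); err != nil {
			tried = append(tried, fmt.Sprintf("kind=%s error=%q", c.kind, err))
			continue
		}
		return c.kind, tried
	}
	return KindString, tried
}

// ociRefPattern is a deliberately loose heuristic (constructed): a dotted host,
// optional port, a repository path and an optional tag or sha256 digest.
var ociRefPattern = regexp.MustCompile(
	`^[a-z0-9-]+(\.[a-z0-9-]+)+(:[0-9]+)?/[a-z0-9._/-]+(:[A-Za-z0-9._-]+|@sha256:[0-9a-f]{64})?$`)

// LooksLikeOCIReference reports whether a value resembles a registry reference.
func LooksLikeOCIReference(value string) bool {
	return ociRefPattern.MatchString(value)
}

// SuspiciousFallback is true when detection ended in STRING for a value that
// looks like a remote reference: the case from the report, where the chart
// would be attested as an opaque string rather than as a validated chart.
func SuspiciousFallback(value string) bool {
	kind, _ := DetectKind(value)
	return kind == KindString && LooksLikeOCIReference(value)
}

func main() {
	value := "ghcr.io/chainloop-dev/charts:latest"
	kind, tried := DetectKind(value)
	for _, line := range tried {
		fmt.Println("DBG failed to add material", line)
	}
	fmt.Printf("INF material kind detected kind=%s\n", kind)
	if SuspiciousFallback(value) {
		fmt.Println("WRN value looks like an OCI reference but fell back to STRING; set the material kind explicitly")
	}
}
```

Run as-is and the output reproduces the shape of the debug log: three failures, then `kind=STRING`, followed by the warning. Pointing the same loop at a real local file (a `.tgz` on disk) makes the Helm chart crafter succeed first, which is why the fallback only appears for remote references.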