chainloop-dev / chainloop

Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, CSAF files, QA reports, and more.
https://docs.chainloop.dev
Apache License 2.0

Allow Custom Names for External Evidence in Attestation Process #911

Closed javirln closed 1 month ago

javirln commented 3 months ago

With the introduction of automatic discovery of evidence types during the attestation process, the CLI currently uses the following method to generate random names to ensure uniqueness:

https://github.com/chainloop-dev/chainloop/blob/37f12c6a53461e81b876d5d572d5b6e5d7156369/internal/attestation/crafter/crafter.go#L483

This method guarantees that no name is repeated within the attestation, as duplicate names are not allowed. However, there is no strong reason why end users should not be allowed to provide their own names for pieces of evidence that are outside the contract.

Task

Allow end users to pass a custom name for a piece of evidence that is outside of the contract. Behavior:

Here is a quick decision tree on which method to use each time:

Decision Point: Check `materialName` and `materialType`

1. If `materialName == "" && materialType == ""`:
   - Call `AddMaterialContactFreeAutomatic` and generate `materialName`
     - If success:
       - Log "material kind detected"
     - If error:
       - Return error "adding material"

2. If `materialName != ""`:
   - Call `AddMaterialFromContract`
     - If success:
       - Done
     - If error:
       - Call `AddMaterialContactFreeAutomatic` with `materialName`
         - If success:
           - Log "material kind detected"
         - If error:
           - Return error "adding material"

3. If `materialType != "" && materialName == ""`:
   - Call `AddMaterialContractFree` and generate `materialName`
     - If success:
       - Done
     - If error:
       - Return error "adding material"

This feature will provide greater flexibility and control to the end users while maintaining the uniqueness of evidence names within the attestation process.
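The decision tree above, carried through as an added Go example rather than Chainloop's own code: the three crafter methods named in the issue are placed behind a hypothetical `MaterialAdder` interface with assumed signatures, the random-name generator is a constructed stand-in for the one linked from crafter.go, and, because the issue states duplicate names are not allowed, a user-supplied name that already exists in the attestation is rejected before any crafter method runs. Branch 2 is implemented as written in the issue, with the fallback to automatic detection.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

// MaterialAdder stands in for the crafter methods the issue names; the signatures are assumed.
type MaterialAdder interface {
	AddMaterialFromContract(name, value string) error
	AddMaterialContractFree(kind, name, value string) error
	AddMaterialContactFreeAutomatic(name, value string) (kind string, err error)
}

// AddEvidence applies the issue's decision tree; seen is the set of names already in the attestation.
func AddEvidence(c MaterialAdder, seen map[string]bool, materialName, materialType, value string) (string, error) {
	if seen[materialName] {
		return "", fmt.Errorf("adding material: name %q already used", materialName)
	}
	name := materialName
	if name == "" { // branches 1 and 3 generate the name
		name = uniqueName(seen)
	}
	var err error
	switch {
	case materialName == "" && materialType == "": // 1: auto-detect the kind
		_, err = c.AddMaterialContactFreeAutomatic(name, value)
	case materialName != "": // 2: contract first, auto-detection as fallback
		if err = c.AddMaterialFromContract(name, value); err != nil {
			_, err = c.AddMaterialContactFreeAutomatic(name, value)
		}
	default: // 3: explicit type with a generated name
		err = c.AddMaterialContractFree(materialType, name, value)
	}
	if err != nil {
		return "", fmt.Errorf("adding material: %w", err)
	}
	seen[name] = true
	return name, nil
}

// uniqueName draws a random name and retries on the rare collision.
func uniqueName(seen map[string]bool) string {
	b := make([]byte, 4)
	_, _ = rand.Read(b) // crypto/rand never fails on supported platforms
	if n := fmt.Sprintf("material-%x", b); !seen[n] {
		return n
	}
	return uniqueName(seen)
}
```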

migmartri commented 2 months ago
> 2. If `materialName != ""`:
>    - Call `AddMaterialFromContract`
>      - If success:
>        - Done
>      - If error:
>        - Call `AddMaterialContactFreeAutomatic` with `materialName`
>          - If success:
>            - Log "material kind detected"
>          - If error:
>            - Return error "adding material"

About this last part, I'd say that if a material name is in the contract, make sure we use the kind in the contract, and if it fails, just fail; do not fall back to automatic. We should only add the material kind that's in the contract. wdyt?