Open migmartri opened 3 months ago
Regarding the last topic, here's the task for it with in depth explanation: https://github.com/chainloop-dev/chainloop/issues/911
Thanks @migmartri. I'm afraid malformed documents are going to be a frequent issue. Given the fact that Chainloop's role is attesting, it might be reasonable to allow skipping the validation and still store it as a SBOM_CYCLONEDX_JSON, probably with an annotation validated=false. This way, Chainloop is attesting that the document exists but it's not validated so it cannot be fully trusted.
Completely agree here. If a validation skip feature is implemented I think it should be explicit (user has to declare that is the desired outcome) and then that must be reflected in the metadata. My two cents.
Thanks for the feedback. I agree with you both. What I am not sure about is if this feature should be either:

a) skip validation
b) continue if validation error

I am leaning towards b) since it can inform us whether the document was valid. If we skip the validation, we lose that info.

In other words, I'd implement something like att add --soft-validation to add the evidence regardless of the validation output. The result will contain two extra annotations:

valid: true|false
soft-validation: true|false

These two annotations would allow users for example to create a policy that enforces not to use this feature, meaning soft-validation can't be true.

Wdyt?
I have a couple of usability suggestions that might be worth implementing:

1. If we are using the discovery mode, i.e. do not provide kind, and it ends up falling back to the artifact kind, we should explain that it didn't fit any other material kind.
2. If we pass explicitly a kind we should probably show the error message too, so instead of it should show
3. We should be able to provide a name so we do not need to use the autogenerated one. Tracked by: https://github.com/chainloop-dev/chainloop/issues/911

wdyt?
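The two designs discussed in this thread, the proposed att add --soft-validation flag with its valid and soft-validation annotations plus a policy that forbids soft-validated evidence, and the discovery-mode fallback to the artifact kind that should explain why nothing else matched, as one added Go illustration. This is not Chainloop's code: the kind constants, the Material type, AddMaterial and PolicyRejectsSoftValidation are assumptions made here, and validateCycloneDX is a minimal structural check (bomFormat and specVersion present), not a full CycloneDX schema validation.

```go
// Added illustration of the thread's proposal; not Chainloop's own code.
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Material kinds used in this illustration (names are assumptions).
const (
	KindCycloneDXJSON = "SBOM_CYCLONEDX_JSON"
	KindArtifact      = "ARTIFACT"
)

// Material is the attested evidence plus the proposed annotations and a
// human-readable note saying what the tool decided and why.
type Material struct {
	Kind        string
	Annotations map[string]string // "valid": "true|false", "soft-validation": "true|false"
	Note        string
}

// validateCycloneDX is a minimal structural check, not full schema validation:
// the payload must be a JSON object with bomFormat "CycloneDX" and a specVersion.
func validateCycloneDX(raw []byte) error {
	var doc struct {
		BOMFormat   string `json:"bomFormat"`
		SpecVersion string `json:"specVersion"`
	}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return fmt.Errorf("not valid JSON: %w", err)
	}
	if doc.BOMFormat != "CycloneDX" {
		return fmt.Errorf("bomFormat %q is not CycloneDX", doc.BOMFormat)
	}
	if doc.SpecVersion == "" {
		return errors.New("missing specVersion")
	}
	return nil
}

func boolStr(b bool) string {
	if b {
		return "true"
	}
	return "false"
}

// AddMaterial models `att add`. kind == "" is discovery mode: the known kinds are
// tried and the payload falls back to a plain artifact, with Note saying why.
// With an explicit kind, a validation failure is returned as an error unless soft
// (the proposed --soft-validation flag) is set, in which case the evidence is
// kept and annotated valid=false, soft-validation=true.
func AddMaterial(raw []byte, kind string, soft bool) (Material, error) {
	if kind == "" {
		if err := validateCycloneDX(raw); err != nil {
			return Material{
				Kind:        KindArtifact,
				Annotations: map[string]string{},
				Note:        fmt.Sprintf("no specific material kind matched (%s: %v); falling back to %s", KindCycloneDXJSON, err, KindArtifact),
			}, nil
		}
		kind = KindCycloneDXJSON
	}
	if kind != KindCycloneDXJSON {
		return Material{}, fmt.Errorf("unsupported kind %q", kind)
	}
	err := validateCycloneDX(raw)
	if err != nil && !soft {
		// Explicit kind, strict mode: surface the real validation error.
		return Material{}, fmt.Errorf("%s validation failed: %w", kind, err)
	}
	note := "validated as " + kind
	if err != nil {
		note = fmt.Sprintf("stored as %s despite validation error (%v) because soft validation was requested", kind, err)
	}
	return Material{
		Kind:        kind,
		Annotations: map[string]string{"valid": boolStr(err == nil), "soft-validation": boolStr(soft)},
		Note:        note,
	}, nil
}

// PolicyRejectsSoftValidation is the policy the thread mentions: evidence added
// with soft validation is rejected, which is what the annotation makes enforceable.
func PolicyRejectsSoftValidation(m Material) error {
	if m.Annotations["soft-validation"] == "true" {
		return fmt.Errorf("policy violation: %s material was added with soft validation (valid=%s)", m.Kind, m.Annotations["valid"])
	}
	return nil
}

func main() {
	// Constructed sample: a CycloneDX document missing its specVersion.
	broken := []byte(`{"bomFormat":"CycloneDX","components":[]}`)
	if _, err := AddMaterial(broken, KindCycloneDXJSON, false); err != nil {
		fmt.Println("strict:", err)
	}
	m, _ := AddMaterial(broken, KindCycloneDXJSON, true)
	fmt.Println("soft:", m.Annotations, "-", m.Note)
	fmt.Println("policy:", PolicyRejectsSoftValidation(m))
}
```

Keeping the valid annotation separate from soft-validation is what makes option b) above more informative than a plain skip: a consumer can distinguish "validated and passed under soft mode" from "kept despite failing", and a policy can reject either the flag or the outcome.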