in-toto / witness

Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
https://witness.dev
Apache License 2.0

The Artifact attestor chokes trying to stat the target of a dangling symlink #100

Closed bureado closed 1 year ago

bureado commented 2 years ago

When using witness to supervise a Debian package build, I noticed the Artifact attestor breaking when trying to lstat() the target of a dangling symlink. This dangling symlink was produced by the build process itself:

 dpkg-genchanges --build=binary >../mgen_5.02.b+dfsg1-2.2build2_amd64.changes
dpkg-genchanges: info: binary-only upload (no source code included)
 dpkg-source --after-build .
dpkg-buildpackage: info: binary-only upload (no source included)
failed to run attestors: lstat /tmp/mgen-5.02.b+dfsg1/debian/.debhelper/mgen/dbgsym-root/usr/share/doc/mgen: no such file or directory

Since this makes witness return non-zero, it breaks builds. Here's what the stat utility shows for target and source in my system:

$ stat debian/.debhelper/mgen/dbgsym-root/usr/share/doc/mgen
stat: cannot stat 'debian/.debhelper/mgen/dbgsym-root/usr/share/doc/mgen': No such file or directory
$ stat debian/.debhelper/mgen/dbgsym-root/usr/share/doc/mgen-dbgsym
  File: debian/.debhelper/mgen/dbgsym-root/usr/share/doc/mgen-dbgsym -> mgen
  Size: 4               Blocks: 0          IO Block: 512    symbolic link
Device: 2h/2d   Inode: 4503599628240711  Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2022-01-11 19:01:02.556707700 -0800
Modify: 2022-01-11 19:01:02.556707700 -0800
Change: 2022-01-11 19:01:02.556707700 -0800
 Birth: -

I recall having seen this in syft where logic was added to handle this case.

It's possible that this could be handled near L106 in artifact.go.
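
The failure mode described above, as an added example that is not part of the issue or of witness's own artifact attestor: a Go walker that records every entry with lstat semantics, resolves symlinks with os.Stat only to classify them, and treats a target that is missing (fs.ErrNotExist) as a "dangling symlink" artifact instead of aborting the walk. The function names (CollectArtifacts, BuildFixture) and the fixture tree are illustrative; the fixture is constructed to mirror the dbgsym layout from the issue (usr/share/doc/mgen-dbgsym -> mgen with no mgen present).

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// ArtifactKind classifies what the walker found at a path.
type ArtifactKind int

const (
	RegularFile     ArtifactKind = iota
	ResolvedSymlink              // symlink whose target exists
	DanglingSymlink              // symlink whose target is missing
)

func (k ArtifactKind) String() string {
	return [...]string{"file", "symlink", "dangling-symlink"}[k]
}

// Artifact is one recorded entry (hypothetical shape, not witness's own type).
type Artifact struct {
	Path   string // relative to the walked root
	Kind   ArtifactKind
	Target string // raw link target as stored in the link, "" for regular files
}

// CollectArtifacts walks root without following symlinks. A link is recorded
// with its raw target; when following it fails with ENOENT (the dbgsym case
// from the issue) the entry is marked DanglingSymlink and the walk continues
// rather than failing the whole attestation.
func CollectArtifacts(root string) ([]Artifact, error) {
	var out []Artifact
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() {
			return nil
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		// WalkDir uses lstat semantics, so d.Type() reports ModeSymlink for links.
		if d.Type()&fs.ModeSymlink == 0 {
			out = append(out, Artifact{Path: rel, Kind: RegularFile})
			return nil
		}
		target, err := os.Readlink(path)
		if err != nil {
			return err
		}
		kind := ResolvedSymlink
		if _, err := os.Stat(path); err != nil { // os.Stat follows the link
			if !errors.Is(err, fs.ErrNotExist) {
				return err // permission errors etc. are still fatal
			}
			kind = DanglingSymlink
		}
		out = append(out, Artifact{Path: rel, Kind: kind, Target: target})
		return nil
	})
	return out, err
}

// BuildFixture creates a constructed tree: one regular file, one good link,
// and "mgen-dbgsym" -> "mgen" with no "mgen" present, as in the issue.
func BuildFixture(dir string) error {
	docs := filepath.Join(dir, "usr", "share", "doc")
	if err := os.MkdirAll(docs, 0o755); err != nil {
		return err
	}
	if err := os.WriteFile(filepath.Join(docs, "README"), []byte("constructed sample\n"), 0o644); err != nil {
		return err
	}
	if err := os.Symlink("README", filepath.Join(docs, "README.link")); err != nil {
		return err
	}
	return os.Symlink("mgen", filepath.Join(docs, "mgen-dbgsym"))
}

func main() {
	dir, err := os.MkdirTemp("", "witness-symlink-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := BuildFixture(dir); err != nil {
		panic(err)
	}
	arts, err := CollectArtifacts(dir)
	if err != nil {
		panic(err)
	}
	for _, a := range arts {
		fmt.Printf("%-28s %-18v target=%q\n", a.Path, a.Kind, a.Target)
	}
}
```

A real attestor would hash the content of RegularFile entries here; for symlinks the thing worth recording is the raw target string (what os.Readlink returns), which exists whether or not the target does, so the dbgsym link can be attested without ever stat'ing the missing file.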

colek42 commented 2 years ago

@mikhailswift we should wait to fix this until we get the lifecycle stuff merged in.