jenkinsci / in-toto-plugin

A Jenkins plugin to track steps and create in-toto link metadata
https://plugins.jenkins.io/in-toto/
MIT License

Discussion on the various fields of provenance metadata and ways to fill them. #32

Closed lakshya8066 closed 2 years ago

lakshya8066 commented 2 years ago

What feature do you want to see added?

This issue is to discuss how to fill data in the provenance metadata. These are more elaborately described here: https://slsa.dev/provenance/v0.1. The fields that need attention are listed below:

Builder

builder (object, required): This identifies the trusted entity that will run all the steps and fill the details in the provenance.
builder.id (string, required): This will indicate the builder's identity.

Recipe

recipe (object): This will denote the steps and configuration used for the build. Along with the materials, this will completely describe the build.
recipe.type (string): This will describe the type of the recipe that was performed. This will also determine recipe.entryPoint, recipe.arguments, recipe.environment and materials.
recipe.definedInMaterials (integer): If the recipe comes from a material, this will contain the index of the material containing the recipe steps.
recipe.entryPoint (string): This will be a string identifying the entry point into the build. The syntax and meaning will be defined by recipe.type.
recipe.arguments (object): This will be a JSON object containing all the external inputs that were used in the build along with recipe.definedInMaterials and recipe.entryPoint. This will be considered complete only when metadata.completeness.arguments is set to true.
recipe.environment (object): This will be an arbitrary JSON object which contains any other controls that are needed by the builder to execute the recipe. This is generally needed for reproducing the build.

Metadata

metadata (object): This object will contain properties of the build.
metadata.buildInvocationId (string): This is a globally unique value that identifies that particular build invocation. This is treated as opaque and case-sensitive by default.
metadata.buildStartedOn (string): This gives the timestamp of when the build started.
metadata.buildFinishedOn (string): This gives the timestamp of when the build was completed.
metadata.completeness (object): This is an object that indicates that the builder claims certain fields in this message to be complete.
metadata.completeness.arguments (boolean): This states whether the builder claims that all the external inputs are properly captured in the recipe or not.
metadata.completeness.environment (boolean): If the value of this is true, then the builder claims that recipe.environment is complete.
metadata.completeness.materials (boolean): If the value of this is true, then the builder claims that materials is complete.
metadata.reproducible (boolean): If this is true, then the builder claims that if the user runs all the steps in the recipe on materials, then the output produced will be identical.

Materials

materials (array of objects): This array of objects includes the artifacts that are part of the build. These include dependencies, images and tools.
materials[].uri (string): This is the method that will be used to reference the artifact during the build.
materials[].digest (object): This is the set of cryptographic digests expressed as a JSON map from algorithm name to lowercase hex-encoded value.

Upstream changes

No response

lakshya8066 commented 2 years ago

I was looking at materials and I think we already have a function for link metadata that collects artifact URIs and creates a sha256 hash. We can extract data from here and put it into provenance metadata.
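The v0.1 provenance fields laid out in the issue body, and the materials collection (artifact URI plus sha256) mentioned in the comment above, as an added example that is not code from the plugin or from in-toto-java; it is written in Python rather than the plugin's Java so it runs stand-alone, and the builder id, recipe type, entry point, invocation id and artifact bytes are constructed placeholders. It also shows the checks a consumer would run on a predicate before trusting it.

```python
import hashlib
from datetime import datetime, timezone

def material_entry(uri: str, content: bytes) -> dict:
    """One materials[] entry: artifact URI plus digest map (algorithm -> lowercase hex)."""
    return {"uri": uri, "digest": {"sha256": hashlib.sha256(content).hexdigest()}}

def build_provenance(builder_id, recipe_type, entry_point, arguments, materials,
                     invocation_id, started_on, finished_on, environment=None,
                     materials_complete=False):
    """Assemble the v0.1 predicate. Completeness flags are claims, so materials defaults
    to false: the builder records the inputs it observed, not every file the build read."""
    return {
        "builder": {"id": builder_id},
        "recipe": {
            "type": recipe_type,
            "definedInMaterials": None,  # null: recipe came from the builder, not a material
            "entryPoint": entry_point,
            "arguments": arguments,
            "environment": environment or {},
        },
        "metadata": {
            "buildInvocationId": invocation_id,
            "buildStartedOn": started_on.isoformat(),
            "buildFinishedOn": finished_on.isoformat(),
            "completeness": {"arguments": True, "environment": environment is not None,
                             "materials": materials_complete},
            "reproducible": False,
        },
        "materials": materials,
    }

def check_provenance(pred: dict) -> list:
    """Problems a consumer should flag before trusting the statement."""
    problems = []
    if not pred.get("builder", {}).get("id"):
        problems.append("builder.id is required")
    for i, m in enumerate(pred.get("materials", [])):
        for alg, value in m.get("digest", {}).items():
            if not all(c in "0123456789abcdef" for c in value):
                problems.append(f"materials[{i}].digest.{alg} must be lowercase hex")
    return problems

def sample_provenance() -> dict:
    """Constructed example: hypothetical builder id, job name and one observed material."""
    mats = [material_entry("pkg:maven/org.example/lib@1.0", b"abc")]  # constructed bytes
    start, end = (datetime(2022, 6, 1, 12, m, tzinfo=timezone.utc) for m in (0, 5))
    return build_provenance("https://jenkins.example.invalid/in-toto-plugin", "jenkins/job",
                            "Jenkinsfile", {"branch": "main"}, mats, "build-42", start, end)
```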

adityasaky commented 2 years ago

I just realized from the description here that in-toto-java currently implements v0.1 rather than v0.2 of the provenance spec. @Alos is there a plan to add the 0.2 spec to in-toto-java as well?

Alos commented 2 years ago

I'm currently under heavy workload and do not have time to make these changes, but this is something we could add in the future Q4ish.

adityasaky commented 2 years ago

@lakshya8066, I suspect the changes from 0.1 to 0.2 are quite minor. Do you think you could work on such a PR? Here's the changelog: https://slsa.dev/provenance/v0.2#change-history

lakshya8066 commented 2 years ago

Sure, I can work on it.

adityasaky commented 2 years ago

I'm going to close this issue for now. Let's discuss over on https://github.com/in-toto/in-toto-jenkins-plugin.

adityasaky commented 2 years ago

https://github.com/in-toto/in-toto-jenkins-plugin/issues/3