sigstore / policy-controller

Sigstore Policy Controller - an admission controller that can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign

policy-tester off main branch fails to validate vuln attestations #608

Closed jdolitsky closed 1 year ago

jdolitsky commented 1 year ago

As of today, policies are failing published using cosign 1.13.1

jdolitsky commented 1 year ago
policy-tester --policy policies/02-has-vuln-attestation.yaml --image cgr.dev/chainguard/wait-for-it:latest
2023-02-22T22:38:27.273Z    DEBUG   webhook/validator.go:496    Checking Authority: keyless-authority
2023-02-22T22:38:28.473Z    DEBUG   webhook/validator.go:837    Found 2 valid attestations, validating policies for them
{"errors":["no matching attestations with type vuln: "]}

Policy:

apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: has-vuln-attestation
spec:
  images:
    - glob: cgr.dev/chainguard/*
  authorities:
    - name: keyless-authority
      keyless:
        url: https://fulcio.sigstore.dev
        identities:
          - issuer: https://token.actions.githubusercontent.com
            subject: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
      ctlog:
        url: https://rekor.sigstore.dev
      attestations:
        - name: must-have-vuln-attestation
          predicateType: vuln
          policy:
            type: cue
            data: |
              predicateType: "cosign.sigstore.dev/attestation/vuln/v1"

jdolitsky commented 1 year ago

Fixed by pinning to 0.6.2 release

hectorj2f commented 1 year ago

Use predicateType: "https://cosign.sigstore.dev/attestation/vuln/v1" using main.

jdolitsky commented 1 year ago

Use predicateType: "https://cosign.sigstore.dev/attestation/vuln/v1" using main.

This doesn't appear to work if the attestation was pushed using cosign v0.13.1

hectorj2f commented 1 year ago

@jdolitsky I found the reason. The predicate type validation needs to be less strict in the cosign package. It complains about an invalid predicate type due to the lack of a scheme. But if you add the scheme, the predicate type doesn't match the predicate type set by attestations done via cosign versions < v2.0.0-rc3.

vaikas commented 1 year ago

There are a few reasons here why this alone won't work. PRs coming up in cosign and here.

vaikas commented 1 year ago

There are a couple of problems here, which is always fantabulous:

So, if you attested something with a cosign version prior to the 2.X rc's, the mapping from short->predicate could be different when you use it with the policy today (this was one contributor to your troubles). The second problem is that if you then change the predicateType to the non-RFC3986-compliant form (short->predicate turned vuln->cosign.sigstore.dev/attestation/vuln/v1), the CIP would be rejected because, well, it's not compliant with RFC3986. And then if you make it RFC3986 compliant (with the proper scheme), well, it wouldn't be found because of the first problem (short->predicate mapping).

Anyways, PRs coming up, but I'll also add deprecation notices and change non-conformant predicateTypes to warnings.
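The three-way mismatch vaikas describes, as an added Go example that is not policy-controller or cosign code: a hypothetical short-name table, an RFC3986 scheme check of the kind that rejects a scheme-less CIP value, and a matcher that is either strict or also accepts the scheme-less legacy spelling. The table and the two spellings of the vuln predicate type are assumptions taken from this thread, not from any cosign release.

```go
package main

import (
	"fmt"
	"net/url"
)

// Constructed for this example: the two spellings of the vuln predicate type
// from the thread, plus a hypothetical short-name table (not the project's map).
const legacyVuln = "cosign.sigstore.dev/attestation/vuln/v1"
const currentVuln = "https://cosign.sigstore.dev/attestation/vuln/v1"
var shortToPredicate = map[string]string{"vuln": currentVuln}

// IsRFC3986URI: has a scheme and host (what rejects a scheme-less CIP value).
func IsRFC3986URI(s string) bool {
	u, err := url.Parse(s)
	return err == nil && u.Scheme != "" && u.Host != ""
}

// ResolvePredicateType expands a short name, passes a full URI through and
// rejects anything that is neither.
func ResolvePredicateType(s string) (string, error) {
	if full, ok := shortToPredicate[s]; ok {
		return full, nil
	}
	if !IsRFC3986URI(s) {
		return "", fmt.Errorf("predicateType %q is not an RFC3986 URI", s)
	}
	return s, nil
}

// MatchingAttestations returns the attestation predicate types equal to want;
// with strict=false the scheme-less legacy spelling also matches (pre v2.0.0-rc3).
func MatchingAttestations(want string, have []string, strict bool) []string {
	legacy := want // "https://host/path" -> "host/path"
	if u, err := url.Parse(want); err == nil && u.Scheme != "" {
		legacy = u.Host + u.Path
	}
	var out []string
	for _, h := range have {
		if h == want || (!strict && h == legacy) {
			out = append(out, h)
		}
	}
	return out
}
func main() {
	want, _ := ResolvePredicateType("vuln")
	have := []string{legacyVuln} // constructed: as pushed by an older cosign
	fmt.Println(MatchingAttestations(want, have, true), MatchingAttestations(want, have, false))
}
```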