Open laurentsimon opened 1 year ago
It's unclear whether the field is forgeable or not, even at level 3.
The intent was for the builder.id
to indicate this. Also, a possible future "SLSA Build L4" might have requirements about completeness and accuracy of resolvedDependencies
.
"REQUIRED: at least one of uri or digest" — What is the reasoning behind this decision? [...] should this field guarantee immutability, ie the Digest be a
MUST
field?
If you're asking why we allow digest
to not be set, it's because in some cases it cannot be computed but it's still valuable to record a dependency. Examples:
uri
is an immutable reference instead, assuming you trust the version control system (which we have no other choice but to do).uri
is an immutable reference, assuming you trust the VM compute infrastructure (which we have no other choice but to do).@laurentsimon There's some additional discussion about this in https://github.com/slsa-framework/slsa/issues/614 as well.
Thanks both. So iiuc, the resolvedDependencies
is always populated by the builder, and never the build process, correct?
What I wanted to suggest is:
Having a way to differentiate between dependencies for the tooling used to build and the dependencies that go into the artifact itself. For example, if there's a vulnerability in the tooling, it's unlikely to affect the build itself. Regardless if it does or not, having this information would speed up incidence response
Given that L 3 -> L4 is really hard, a way for the resolvedDependencies
to be populated by both the build process and the builder. Those reported by the (untrusted) build process can be treated as "best effort" while the developers migrate their build process to a state where all dependencies are declared declaratively and can be reported by the builder itself. (Note: "in-build" SBOMs generated by compilers have the same level of trust as dependencies populated by a build process)
I think both of these can be supported using the new annotations
https://github.com/in-toto/attestation/pull/143/files
Yes, I agree with using annotations
for that. Do you suggest a change the spec, or is it OK to close this issue?
Fine to close since annotations solves the issue. We could add a sentence to mention annotations and possible use cases, for reporting dependencies, but not blocking
There is clarification that may be useful w.r.t ResolvedDependencies. IIUC, the fields lists dependencies of the build, not the builder.
Question 1
It's unclear whether the field is forgeable or not, even at level 3. For example, we say
For example, if the build script fetches and executes “example.com/foo.sh”, which in turn fetches “example.com/bar.tar.gz”, then both “foo.sh” and “bar.tar.gz” SHOULD be listed here.
Which component of the system populates these entries? The untrusted build process or the trusted build service? Does it depend on SLSA levels? Does it depend on buildType?Example, in GitHub examples, we say
SHOULD contain an entry identifying the resolved git commit ID
+The dependency’s uri MUST be ...
. Here it's assumed to be trusted because it's part of the expectations for a consumer to verify.It would help to clarify the reasoning here. If it's up to the buildType to define these, maybe we should also allow for namespaces within dependencies. Otherwise I will become harder to identify what is what in the future?
Question 2
The specs say that artifacts listed in resolvedDependencies:
REQUIRED: at least one of uri or digest
https://slsa.dev/provenance/v1-rc1#artifactreference. What is the reasoning behind this decision? Since thepurpose of resolvedDependencies is to facilitate recursive analysis of the software supply chain. Where practical, it is valuable to record the URI and digest of artifacts that, if compromised
, should this field guarantee immutability, ie the Digest be aMUST
field?Many package registries don't guarantee immutability, for example. A purl does not guarantee immutability either, iiuc.