resolvedDependencies clarification

[laurentsimon]

There is clarification that may be useful w.r.t ResolvedDependencies. IIUC, the fields lists dependencies of the build, not the builder.

Question 1

It's unclear whether the field is forgeable or not, even at level 3. For example, we say For example, if the build script fetches and executes “example.com/foo.sh”, which in turn fetches “example.com/bar.tar.gz”, then both “foo.sh” and “bar.tar.gz” SHOULD be listed here. Which component of the system populates these entries? The untrusted build process or the trusted build service? Does it depend on SLSA levels? Does it depend on buildType?

Example, in GitHub examples, we say SHOULD contain an entry identifying the resolved git commit ID + The dependency’s uri MUST be .... Here it's assumed to be trusted because it's part of the expectations for a consumer to verify.

It would help to clarify the reasoning here. If it's up to the buildType to define these, maybe we should also allow for namespaces within dependencies. Otherwise I will become harder to identify what is what in the future?

Question 2

The specs say that artifacts listed in resolvedDependencies: REQUIRED: at least one of uri or digest https://slsa.dev/provenance/v1-rc1#artifactreference. What is the reasoning behind this decision? Since the purpose of resolvedDependencies is to facilitate recursive analysis of the software supply chain. Where practical, it is valuable to record the URI and digest of artifacts that, if compromised, should this field guarantee immutability, ie the Digest be a MUST field?

Many package registries don't guarantee immutability, for example. A purl does not guarantee immutability either, iiuc.

[MarkLodato]

It's unclear whether the field is forgeable or not, even at level 3.

The intent was for the builder.id to indicate this. Also, a possible future "SLSA Build L4" might have requirements about completeness and accuracy of resolvedDependencies.

"REQUIRED: at least one of uri or digest" — What is the reasoning behind this decision? [...] should this field guarantee immutability, ie the Digest be a MUST field?

If you're asking why we allow digest to not be set, it's because in some cases it cannot be computed but it's still valuable to record a dependency. Examples:

• Fetching from a version control system that does not have convenient digests, e.g. Perforce/Piper. Here, the uri is an immutable reference instead, assuming you trust the version control system (which we have no other choice but to do).
• Specifying the VM image that the worker run on. GitHub Actions is an example - we can know which specific VM image GitHub used, but the digest for the VM image is unavailable. Again, the uri is an immutable reference, assuming you trust the VM compute infrastructure (which we have no other choice but to do).

[di]

@laurentsimon There's some additional discussion about this in https://github.com/slsa-framework/slsa/issues/614 as well.

[laurentsimon]

Thanks both. So iiuc, the resolvedDependencies is always populated by the builder, and never the build process, correct?

What I wanted to suggest is:

1. Having a way to differentiate between dependencies for the tooling used to build and the dependencies that go into the artifact itself. For example, if there's a vulnerability in the tooling, it's unlikely to affect the build itself. Regardless if it does or not, having this information would speed up incidence response

2. Given that L 3 -> L4 is really hard, a way for the resolvedDependencies to be populated by both the build process and the builder. Those reported by the (untrusted) build process can be treated as "best effort" while the developers migrate their build process to a state where all dependencies are declared declaratively and can be reported by the builder itself. (Note: "in-build" SBOMs generated by compilers have the same level of trust as dependencies populated by a build process)

I think both of these can be supported using the new annotations https://github.com/in-toto/attestation/pull/143/files

[MarkLodato]

Yes, I agree with using annotations for that. Do you suggest a change the spec, or is it OK to close this issue?

[laurentsimon]

Fine to close since annotations solves the issue. We could add a sentence to mention annotations and possible use cases, for reporting dependencies, but not blocking