tektoncd / chains

Supply Chain Security in Tekton Pipelines
Apache License 2.0

Repeated subjects when using v2alpha4 and pipelineruns with deep-inspection enabled #1131

Closed renzodavid9 closed 4 months ago

renzodavid9 commented 4 months ago

Expected Behavior

When calculating the subjects for a statement, using v2alpha4, artifacts that are repeated should appear only once in the list.

Actual Behavior

If a step-result generates an artifact, and the same artifact is generated in another step/task, or referenced in the pipelinerun results, the artifact is repeated in the list of subjects.

Steps to Reproduce the Problem

Run the following PipelineRun with Chains configured to use v2alpha4 and deep-inspection for pipelineruns:

apiVersion: tekton.dev/v1alpha1
kind: StepAction
metadata:
  name: stepaction
spec:
  results:
    - name: art1-ARTIFACT_OUTPUTS
      type: object
      properties:
        uri: {}
        digest: {}
        isBuildArtifact: {}
  image: bash:latest
  script: |
    echo -n "{\"uri\":\"gcr.io/foo/img1\", \"digest\":\"sha256:586789aa031fafc7d78a5393cdc772e0b55107ea54bb8bcf3f2cdac6c6da51ee\", \"isBuildArtifact\": \"true\"}" > $(step.results.art1-ARTIFACT_OUTPUTS.path)
---
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: task1
spec: 
  results:
    - name: art2-ARTIFACT_OUTPUTS

  steps:
    - name: step
      ref:
        name: stepaction

    - image: bash:latest
      script: |
        echo -n "{\"uri\":\"gcr.io/foo/img1\", \"digest\":\"sha256:586789aa031fafc7d78a5393cdc772e0b55107ea54bb8bcf3f2cdac6c6da51ee\", \"isBuildArtifact\": \"true\"}" > $(results.art2-ARTIFACT_OUTPUTS.path)
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: pipeline
spec:
  results:
    - name: art4-ARTIFACT_OUTPUTS
      value: $(tasks.task2.results.art3-ARTIFACT_OUTPUTS)
  tasks:
    - name: task1
      taskRef:
        name: task1

    - name: task2
      taskSpec:
        results:
          - name: art3-ARTIFACT_OUTPUTS

        steps:
          - name: step
            ref:
              name: stepaction

          - image: bash:latest
            script: |
              echo -n "{\"uri\":\"gcr.io/foo/img1\", \"digest\":\"sha256:586789aa031fafc7d78a5393cdc772e0b55107ea54bb8bcf3f2cdac6c6da51ee\", \"isBuildArtifact\": \"true\"}" > $(results.art3-ARTIFACT_OUTPUTS.path)
---
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: pipeline-run
spec:
  pipelineRef:
    name: pipeline

After the attestation is generated the subjects look like this:

{
    "type": "https://in-toto.io/Statement/v1",
    "subject": [
        {
            "name": "gcr.io/foo/img1",
            "digest": {
                "sha256": "586789aa031fafc7d78a5393cdc772e0b55107ea54bb8bcf3f2cdac6c6da51ee"
            }
        },
        {
            "name": "gcr.io/foo/img1",
            "digest": {
                "sha256": "586789aa031fafc7d78a5393cdc772e0b55107ea54bb8bcf3f2cdac6c6da51ee"
            }
        }
    ],
...

The same artifact is repeated.

Additional Info
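As an added example (not code from Tekton Chains itself), the deduplication the expected behaviour describes, written in Go: step-, task- and pipeline-level ARTIFACT_OUTPUTS values are parsed and the same (uri, digest) pair becomes one in-toto subject. `Subject`, `SampleOutputs` and `SubjectsFromOutputs` are names chosen here, and the sample inputs are constructed to mirror the issue's three results.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)
// Subject is an in-toto Statement v1 subject: name plus algorithm->hex digests.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Constructed sample mirroring the issue: one image written by a StepAction
// result, a Task result and a Pipeline result (the page's digest value).
var SampleOutputs = []string{
	`{"uri":"gcr.io/foo/img1", "digest":"sha256:586789aa031fafc7d78a5393cdc772e0b55107ea54bb8bcf3f2cdac6c6da51ee", "isBuildArtifact": "true"}`,
	`{"uri":"gcr.io/foo/img1", "digest":"sha256:586789aa031fafc7d78a5393cdc772e0b55107ea54bb8bcf3f2cdac6c6da51ee", "isBuildArtifact": "true"}`,
	`{"uri":"gcr.io/foo/img1", "digest":"sha256:586789aa031fafc7d78a5393cdc772e0b55107ea54bb8bcf3f2cdac6c6da51ee", "isBuildArtifact": "true"}`,
}
// SubjectsFromOutputs parses *-ARTIFACT_OUTPUTS objects collected from every
// level (step, task, pipeline) and returns each distinct (uri, digest) pair once,
// in first-seen order. Objects not flagged as build artifacts are skipped.
func SubjectsFromOutputs(raws []string) ([]Subject, error) {
	seen := map[string]bool{}
	var subs []Subject
	for _, raw := range raws {
		// encoding/json matches keys case-insensitively, so uri/digest/isBuildArtifact bind here.
		var out struct{ URI, Digest, IsBuildArtifact string }
		if err := json.Unmarshal([]byte(raw), &out); err != nil {
			return nil, fmt.Errorf("bad ARTIFACT_OUTPUTS value %q: %w", raw, err)
		}
		if out.IsBuildArtifact != "true" {
			continue
		}
		alg, val, ok := strings.Cut(out.Digest, ":")
		if !ok || alg == "" || val == "" {
			return nil, fmt.Errorf("digest %q is not <algorithm>:<hex>", out.Digest)
		}
		key := out.URI + "@" + alg + ":" + val
		if seen[key] {
			continue // same artifact already recorded as a subject
		}
		seen[key] = true
		subs = append(subs, Subject{Name: out.URI, Digest: map[string]string{alg: val}})
	}
	return subs, nil
}
```

Run against `SampleOutputs` this yields a single subject for gcr.io/foo/img1 instead of the repeated entries shown in the attestation above.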