tektoncd / chains

Supply Chain Security in Tekton Pipelines
Apache License 2.0

Wrong subjects returned when storing in grafeas #1133

Closed renzodavid9 closed 1 month ago

renzodavid9 commented 1 month ago

Expected Behavior

The subjects used to calculate grafeas occurrences should be calculated according to the formatter version used. The way v2alpha3 and v1 calculate subjects is different from the way v2alpha4 does it.

Actual Behavior

When using grafeas as a backend and payload formatter v2alpha4, the subjects from the provenance that are used to calculate occurrences are not right: the subjects are calculated using the same logic all the time, without considering the formatter version:

https://github.com/tektoncd/chains/blob/badc7340a7c749979af6e02e545d870b554830af/pkg/chains/storage/grafeas/grafeas.go#L256

Steps to Reproduce the Problem

  1. Configure grafeas backend
  2. Using this workflow:

    
    apiVersion: tekton.dev/v1alpha1
    kind: StepAction
    metadata:
      name: stepaction
    spec:
      results:
        - name: art1-ARTIFACT_OUTPUTS
          type: object
          properties:
            uri: {}
            digest: {}
            isBuildArtifact: {}
        - name: art1-other-ARTIFACT_OUTPUTS
          type: object
          properties:
            uri: {}
            digest: {}
            isBuildArtifact: {}
      image: bash:latest
      script: |
        echo -n "{\"uri\":\"gcr.io/foo/img02\", \"digest\":\"sha256:f7b93fed74352c53e7fd82f1e890723f04a963fcd344c65855c57a1972fbe02d\", \"isBuildArtifact\": \"true\"}" > $(step.results.art1-ARTIFACT_OUTPUTS.path)
        echo -n "{\"uri\":\"gcr.io/foo/img03\", \"digest\":\"sha256:fc1f2bab34c4cc65abcdcafd34835f1928663458340bca0e9d61eee39efb4842\", \"isBuildArtifact\": \"true\"}" > $(step.results.art1-other-ARTIFACT_OUTPUTS.path)
    ---
    apiVersion: tekton.dev/v1
    kind: Task
    metadata:
      name: task1
    spec:
      results:
        - name: art2-ARTIFACT_OUTPUTS
          type: object
          properties:
            uri: {}
            digest: {}
            isBuildArtifact: {}
      steps:
        - name: step
          ref:
            name: stepaction
        - image: bash:latest
          script: |
            echo -n "{\"uri\":\"gcr.io/foo/img05\", \"digest\":\"sha256:21ff370d4db229a025067f52f87ac9c1bead8cd1068b72febadfa3e45f377101\", \"isBuildArtifact\": \"true\"}" > $(results.art2-ARTIFACT_OUTPUTS.path)
    ---
    apiVersion: tekton.dev/v1
    kind: Pipeline
    metadata:
      name: pipeline
    spec:
      results:
        - name: art4-ARTIFACT_OUTPUTS
          value: $(tasks.task2.results.art3-ARTIFACT_OUTPUTS)
      tasks:
        - name: task1
          taskRef:
            name: task1
        - name: task2
          taskSpec:
            results:
              - name: art3-ARTIFACT_OUTPUTS
                type: object
                properties:
                  uri: {}
                  digest: {}
            steps:
              - name: step
                ref:
                  name: stepaction
              - image: bash:latest
                script: |
                  echo -n "{\"uri\":\"gcr.io/foo/img02\", \"digest\":\"sha256:f7b93fed74352c53e7fd82f1e890723f04a963fcd344c65855c57a1972fbe02d\"}" > $(results.art3-ARTIFACT_OUTPUTS.path)
    ---
    apiVersion: tekton.dev/v1
    kind: PipelineRun
    metadata:
      name: pipeline-run
    spec:
      pipelineRef:
        name: pipeline

4. After generating the attestation, you will see in the `deployment/tekton-chains-controller` logs that only 3 occurrences were uploaded; it should be 4.
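The expected behaviour described in the issue, subjects chosen according to the formatter version rather than by one fixed rule, as an added Go example. This is not code from the issue or from tektoncd/chains: `SubjectResourceURIs`, `SelectSubjects`, the `<name>@sha256:<hex>` identifier format, the two per-version selection rules, and the sample statement and results (built from the image names and digests in the reproduction, plus a placeholder `gcr.io/foo/sbom` entry) are all assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Statement holds only the in-toto Statement fields this example reads.
type Statement struct {
	Type    string `json:"_type"`
	Subject []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
}

// uniqueSorted drops repeats (one image can be reported by several tasks, as img02
// is in the reproduction) and returns the rest in a stable order.
func uniqueSorted(in []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, s := range in {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	sort.Strings(out)
	return out
}

// SubjectResourceURIs decodes an attestation payload into one "<name>@sha256:<hex>"
// identifier per distinct subject. Reading the subject list the formatter already wrote
// lets storage inherit the formatter's version-specific selection instead of redoing it.
func SubjectResourceURIs(payload []byte) ([]string, error) {
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return nil, fmt.Errorf("decoding statement: %w", err)
	}
	var uris []string
	for _, s := range st.Subject {
		hex, ok := s.Digest["sha256"]
		if !ok || s.Name == "" {
			return nil, fmt.Errorf("subject %q lacks a name or sha256 digest", s.Name)
		}
		uris = append(uris, s.Name+"@sha256:"+hex)
	}
	return uniqueSorted(uris), nil
}

// ArtifactOutput is a decoded *-ARTIFACT_OUTPUTS object result as in the reproduction;
// IsBuildArtifact stays empty when the result did not set it (like art3 there).
type ArtifactOutput struct {
	URI, Digest, IsBuildArtifact string
}

// SelectSubjects picks subjects by formatter version. Both rules are assumptions made
// for this example, not a description of Chains' code: v2alpha4 keeps only results
// flagged isBuildArtifact "true"; v1 and v2alpha3 keep every ARTIFACT_OUTPUTS result
// with a uri and digest. Applying one rule whatever the version yields the wrong set.
func SelectSubjects(version string, results map[string]ArtifactOutput) ([]string, error) {
	var out []string
	for name, r := range results {
		if !strings.HasSuffix(name, "ARTIFACT_OUTPUTS") || r.URI == "" || r.Digest == "" {
			continue
		}
		switch version {
		case "v2alpha4":
			if r.IsBuildArtifact != "true" {
				continue // a byproduct, not a subject, under this rule
			}
		case "v1", "v2alpha3":
		default:
			return nil, fmt.Errorf("unknown formatter version %q", version)
		}
		out = append(out, r.URI+"@"+r.Digest)
	}
	return uniqueSorted(out), nil
}

// constructedStatement is hand-written sample input, not Chains output; it lists
// img02 twice to exercise the deduplication.
const constructedStatement = `{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    {"name": "gcr.io/foo/img02", "digest": {"sha256": "f7b93fed74352c53e7fd82f1e890723f04a963fcd344c65855c57a1972fbe02d"}},
    {"name": "gcr.io/foo/img03", "digest": {"sha256": "fc1f2bab34c4cc65abcdcafd34835f1928663458340bca0e9d61eee39efb4842"}},
    {"name": "gcr.io/foo/img02", "digest": {"sha256": "f7b93fed74352c53e7fd82f1e890723f04a963fcd344c65855c57a1972fbe02d"}}
  ]
}`

// constructedResults mirrors two flagged images from the reproduction and adds one
// unflagged result with a placeholder name and digest (constructed, not real).
var constructedResults = map[string]ArtifactOutput{
	"art1-ARTIFACT_OUTPUTS": {URI: "gcr.io/foo/img02", Digest: "sha256:f7b93fed74352c53e7fd82f1e890723f04a963fcd344c65855c57a1972fbe02d", IsBuildArtifact: "true"},
	"art2-ARTIFACT_OUTPUTS": {URI: "gcr.io/foo/img05", Digest: "sha256:21ff370d4db229a025067f52f87ac9c1bead8cd1068b72febadfa3e45f377101", IsBuildArtifact: "true"},
	"art3-ARTIFACT_OUTPUTS": {URI: "gcr.io/foo/sbom", Digest: "sha256:" + strings.Repeat("0", 63) + "1"},
}

func main() {
	fmt.Println(SubjectResourceURIs([]byte(constructedStatement)))
	fmt.Println(SelectSubjects("v2alpha4", constructedResults))
}
```

The point of `SubjectResourceURIs` is the fix direction the issue asks for: a storage backend that is handed a signed statement already has the formatter's subject list and can derive occurrence targets from it, so it never needs to know which formatter produced the payload. `SelectSubjects` shows why recomputing from results is fragile: the same three results give two subjects under the v2alpha4 rule and three under the older one, so any backend that hard-codes one rule is wrong for the other formatter.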