
Commit 58f729c

Merge branch 'conforma:main' into feature/maven_sbom_check
2 parents d471a1a + 56bdd99 commit 58f729c

2 files changed

Lines changed: 37 additions & 1 deletion


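--- a/policy/release/lib/attestations.rego
+++ b/policy/release/lib/attestations.rego
@@ -46,8 +46,11 @@ _build_finished_on(att) := timestamp if {
 # Try SLSA v0.2 path first
 timestamp := att.statement.predicate.metadata.buildFinishedOn
 } else := timestamp if {
-# Fallback to SLSA v1.0 path if v0.2 doesn't exist
+# Fallback to SLSA v1.0 path (Tekton Chains non-standard field)
 timestamp := att.statement.predicate.runDetails.metadata.buildFinishedOn
+} else := timestamp if {
+# Fallback to SLSA v1.0 spec-compliant path
+timestamp := att.statement.predicate.runDetails.metadata.finishedOn
 }
 
 # Returns the latest PipelineRun attestation per type (SLSA v0.2 and v1.0)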
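Review bot: An attestation whose `runDetails.metadata` carries both the non-standard `buildFinishedOn` and the spec-compliant `finishedOn` silently resolves to the Tekton Chains value because the new branch is the last `else`, and nothing checks that the two agree. Since this timestamp decides which PipelineRun attestation is treated as the latest, the precedence should be stated where a future maintainer will see it, e.g. extend the second branch's comment to `# Fallback to SLSA v1.0 path (Tekton Chains non-standard field); wins over finishedOn when both are present`. The rule head `_build_finished_on(att) := timestamp if {` sits before the hunk, so the first branch's opening is outside this view. A test for the both-fields case would pin the chosen order (see the note on attestations_test.rego).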

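--- a/policy/release/lib/attestations_test.rego
+++ b/policy/release/lib/attestations_test.rego
@@ -438,6 +438,39 @@ _attestation_v1_with_metadata(build_finished_on, tasks) := {"statement": {
 },
 }}
 
+# Helper to create SLSA v1.0 attestation with spec-compliant finishedOn
+_attestation_v1_with_finished_on(finished_on, tasks) := {"statement": {
+"predicateType": "https://slsa.dev/provenance/v1",
+"predicate": {
+"buildDefinition": {
+"buildType": lib.tekton_slsav1_pipeline_run,
+"externalParameters": {"runSpec": {"pipelineSpec": {}}},
+"resolvedDependencies": array.concat(tekton_test.resolved_dependencies(tasks), _mock_materials),
+},
+"runDetails": {"metadata": {
+"finishedOn": finished_on,
+"startedOn": "2025-01-01T00:00:00Z",
+}},
+},
+}}
+
+test_pipelinerun_attestations_single_v1_finished_on if {
+# Single v1.0 attestation using spec-compliant finishedOn - should be returned
+att := _attestation_v1_with_finished_on("2025-01-20T15:45:00Z", [_build_task])
+expected := [att]
+assertions.assert_equal(expected, lib.pipelinerun_attestations) with input.attestations as [att]
+}
+
+test_pipelinerun_attestations_multiple_v1_finished_on if {
+# Multiple v1.0 attestations using spec-compliant finishedOn - should return the latest
+att1 := _attestation_v1_with_finished_on("2025-01-15T10:30:00Z", [_build_task])
+att2 := _attestation_v1_with_finished_on("2025-01-20T15:45:00Z", [_build_task])
+att3 := _attestation_v1_with_finished_on("2025-01-18T12:00:00Z", [_build_task])
+attestations := [att1, att2, att3]
+expected := [att2]
+assertions.assert_equal(expected, lib.pipelinerun_attestations) with input.attestations as attestations
+}
+
 test_pipelinerun_attestations_single_v02 if {
 # Test single v0.2 attestation
 att := _attestation_v02_with_metadata("2025-01-15T10:30:00Z", [_build_task])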
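Review bot: The two new tests only exercise attestations that carry `finishedOn` alone, so the branch order added in attestations.rego (non-standard `buildFinishedOn` tried before spec-compliant `finishedOn`) is never pinned; a later reordering of the `else` chain would pass this suite unnoticed. Suggest one more test that merges a `buildFinishedOn` into the new helper's output and mixes it with a `finishedOn`-only attestation, asserting which one is selected as latest; the expected value below assumes the current order (buildFinishedOn wins), which should be confirmed against the intent. The existing helper `_attestation_v1_with_metadata` begins before the hunk, so its full shape is outside this view.

```rego
test_pipelinerun_attestations_v1_both_fields_prefers_build_finished_on if {
	# Non-standard buildFinishedOn is earlier than finishedOn on the same attestation;
	# the current else-chain consults buildFinishedOn first, so att_both ranks oldest.
	att_both := object.union(
		_attestation_v1_with_finished_on("2025-01-20T15:45:00Z", [_build_task]),
		{"statement": {"predicate": {"runDetails": {"metadata": {"buildFinishedOn": "2025-01-10T00:00:00Z"}}}}},
	)
	att_spec := _attestation_v1_with_finished_on("2025-01-15T10:30:00Z", [_build_task])
	expected := [att_spec]
	assertions.assert_equal(expected, lib.pipelinerun_attestations) with input.attestations as [att_both, att_spec]
}
```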
