refactor in-toto-golang to in-toto/attestation

kpauljoseph · kpauljoseph · commit 7de2874d71b0 · 2025-07-18T15:55:39.000+05:30
refactor v0.1/v0.2 slsa predicates with new attestation
protos.
update parser to use new protobuf types and timestamp handling
fix tests and remove obsolete fields from test data
diff --git a/go.mod b/go.mod
@@ -313,7 +313,7 @@ require (
 	github.com/google/osv-scanner v1.9.2
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/hashicorp/go-multierror v1.1.1
-	github.com/in-toto/attestation v1.1.1
+	github.com/in-toto/attestation v1.1.2
 	github.com/jedib0t/go-pretty/v6 v6.6.7
 	github.com/jeremywohl/flatten v1.0.1
 	github.com/json-iterator/go v1.1.12
diff --git a/go.sum b/go.sum
@@ -804,8 +804,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20240912202439-0a2b6291aafd h1:EVX1s+XNss9jkRW9K6XGJn2jL2lB1h5H804oKPsxOec=
 github.com/ianlancetaylor/demangle v0.0.0-20240912202439-0a2b6291aafd/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw=
-github.com/in-toto/attestation v1.1.1 h1:QD3d+oATQ0dFsWoNh5oT0udQ3tUrOsZZ0Fc3tSgWbzI=
-github.com/in-toto/attestation v1.1.1/go.mod h1:Dcq1zVwA2V7Qin8I7rgOi+i837wEf/mOZwRm047Sjys=
+github.com/in-toto/attestation v1.1.2 h1:MBFn6lsMq6dptQZJBhalXTcWMb/aJy3V+GX3VYj/V1E=
+github.com/in-toto/attestation v1.1.2/go.mod h1:gYFddHMZj3DiQ0b62ltNi1Vj5rC879bTmBbrv9CRHpM=
 github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU=
 github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
diff --git a/internal/testing/testdata/testdata.go b/internal/testing/testdata/testdata.go
@@ -571,15 +571,12 @@ var (
 					SlsaPredicate: []model.SLSAPredicateInputSpec{
 						{Key: "slsa.metadata.completeness.environment", Value: "true"},
 						{Key: "slsa.metadata.buildStartedOn", Value: "2020-08-19T08:38:00Z"},
-						{Key: "slsa.metadata.completeness.materials", Value: "false"},
 						{Key: "slsa.buildType", Value: "https://github.com/Attestations/GitHubActionsWorkflow@v1"},
 						{Key: "slsa.invocation.configSource.entryPoint", Value: "build.yaml:maketgz"},
 						{Key: "slsa.invocation.configSource.uri", Value: "git+https://github.com/curl/curl-docker@master"},
-						{Key: "slsa.metadata.reproducible", Value: "false"},
 						{Key: "slsa.materials.0.uri", Value: "git+https://github.com/curl/curl-docker@master"},
 						{Key: "slsa.builder.id", Value: "https://github.com/Attestations/GitHubHostedActions@v1"},
 						{Key: "slsa.invocation.configSource.digest.sha1", Value: "d6525c840a62b398424a78d792f457477135d0cf"},
-						{Key: "slsa.metadata.completeness.parameters", Value: "false"},
 						{Key: "slsa.materials.0.digest.sha1", Value: "24279c5185ddc042896e3748f47fa89b48c1c14e"},
 						{Key: "slsa.materials.1.uri", Value: "github_hosted_vm:ubuntu-18.04:20210123.1"},
 						{Key: "slsa.materials.1.digest.sha1", Value: "0bcaaa161e719bca41b6d33fc02547c0f97d5397"},
diff --git a/pkg/ingestor/parser/slsa/parser_slsa.go b/pkg/ingestor/parser/slsa/parser_slsa.go
@@ -25,11 +25,10 @@ import (
 
 	jsoniter "github.com/json-iterator/go"
 
+	slsa01 "github.com/in-toto/attestation/go/predicates/provenance/v01"
+	slsa02 "github.com/in-toto/attestation/go/predicates/provenance/v02"
 	slsa1 "github.com/in-toto/attestation/go/predicates/provenance/v1"
 	attestationv1 "github.com/in-toto/attestation/go/v1"
-	scommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
-	slsa01 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.1"
-	slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
 	"github.com/jeremywohl/flatten"
 	"google.golang.org/protobuf/encoding/protojson"
 
@@ -46,6 +45,8 @@ import (
 // - An IsOccurence input spec which will generate a predicate for each occurence
 
 const PredicateSLSAProvenancev1 = "https://slsa.dev/provenance/v1"
+const PredicateSLSAProvenancev01 = "https://slsa.dev/provenance/v0.1"
+const PredicateSLSAProvenancev02 = "https://slsa.dev/provenance/v0.2"
 
 var ErrMetadataNil = errors.New("SLSA Metadata is nil")
 var ErrBuilderNil = errors.New("SLSA Builder is nil")
@@ -61,8 +62,8 @@ type slsaEntity struct {
 }
 
 type slsaParser struct {
-	pred01            *slsa01.ProvenancePredicate
-	pred02            *slsa02.ProvenancePredicate
+	pred01            *slsa01.Provenance
+	pred02            *slsa02.Provenance
 	pred1             *slsa1.Provenance
 	smt               *attestationv1.Statement
 	subjects          []*slsaEntity
@@ -89,7 +90,6 @@ func (s *slsaParser) initializeSLSAParser() {
 	s.subjects = make([]*slsaEntity, 0)
 	s.materials = make([]*slsaEntity, 0)
 	s.bareMaterials = make([]*model.ArtifactInputSpec, 0)
-	s.bareMaterials = make([]*model.ArtifactInputSpec, 0)
 	s.builder = nil
 	s.slsaAttestation = nil
 	s.identifierStrings = &common.IdentifierStrings{}
@@ -131,12 +131,12 @@ func (s *slsaParser) getSubject() error {
 
 func (s *slsaParser) getMaterials() error {
 	switch s.smt.PredicateType {
-	case slsa01.PredicateSLSAProvenance:
-		if err := s.getMaterials0(s.pred01.Materials); err != nil {
+	case PredicateSLSAProvenancev01:
+		if err := s.getMaterials01(s.pred01.Materials); err != nil {
 			return err
 		}
-	case slsa02.PredicateSLSAProvenance:
-		if err := s.getMaterials0(s.pred02.Materials); err != nil {
+	case PredicateSLSAProvenancev02:
+		if err := s.getMaterials02(s.pred02.Materials); err != nil {
 			return err
 		}
 	case PredicateSLSAProvenancev1:
@@ -174,11 +174,24 @@ func (s *slsaParser) getMaterials1(rds []*attestationv1.ResourceDescriptor) erro
 	return nil
 }
 
-func (s *slsaParser) getMaterials0(materials []scommon.ProvenanceMaterial) error {
+func (s *slsaParser) getMaterials01(materials []*slsa01.Material) error {
+	// append dependency nodes for the materials
+	for _, mat := range materials {
+		s.identifierStrings.UnclassifiedStrings = append(s.identifierStrings.UnclassifiedStrings, mat.Uri)
+		se, err := getSlsaEntity("", mat.Uri, mat.Digest)
+		if err != nil {
+			return err
+		}
+		s.materials = append(s.materials, se)
+	}
+	return nil
+}
+
+func (s *slsaParser) getMaterials02(materials []*slsa02.Material) error {
 	// append dependency nodes for the materials
 	for _, mat := range materials {
-		s.identifierStrings.UnclassifiedStrings = append(s.identifierStrings.UnclassifiedStrings, mat.URI)
-		se, err := getSlsaEntity("", mat.URI, mat.Digest)
+		s.identifierStrings.UnclassifiedStrings = append(s.identifierStrings.UnclassifiedStrings, mat.Uri)
+		se, err := getSlsaEntity("", mat.Uri, mat.Digest)
 		if err != nil {
 			return err
 		}
@@ -187,7 +200,7 @@ func (s *slsaParser) getMaterials0(materials []scommon.ProvenanceMaterial) error
 	return nil
 }
 
-func getArtifacts(digests scommon.DigestSet) []*model.ArtifactInputSpec {
+func getArtifacts(digests map[string]string) []*model.ArtifactInputSpec {
 	var artifacts []*model.ArtifactInputSpec
 	for alg, ds := range digests {
 		artifacts = append(artifacts, &model.ArtifactInputSpec{
@@ -198,7 +211,7 @@ func getArtifacts(digests scommon.DigestSet) []*model.ArtifactInputSpec {
 	return artifacts
 }
 
-func getSlsaEntity(name, uri string, digests scommon.DigestSet) (*slsaEntity, error) {
+func getSlsaEntity(name, uri string, digests map[string]string) (*slsaEntity, error) {
 	artifacts := getArtifacts(digests)
 	slsa := &slsaEntity{
 		artifacts: artifacts,
@@ -231,33 +244,39 @@ func getSlsaEntity(name, uri string, digests scommon.DigestSet) (*slsaEntity, er
 	return nil, fmt.Errorf("%w unable to get Guac Generic Purl, this should not happen", err)
 }
 
-func fillSLSA01(inp *model.SLSAInputSpec, pred *slsa01.ProvenancePredicate) error {
-	inp.BuildType = pred.Recipe.Type
+func fillSLSA01(inp *model.SLSAInputSpec, pred *slsa01.Provenance) error {
+	if pred.Recipe != nil {
+		inp.BuildType = pred.Recipe.Type
+	}
 
 	if pred.Metadata == nil {
 		return ErrMetadataNil
 	}
 	if pred.Metadata.BuildStartedOn != nil {
-		inp.StartedOn = pred.Metadata.BuildStartedOn
+		startTimePB := time.Unix(pred.Metadata.BuildStartedOn.GetSeconds(), int64(pred.Metadata.BuildStartedOn.GetNanos()))
+		inp.StartedOn = &startTimePB
 	}
 	if pred.Metadata.BuildFinishedOn != nil {
-		inp.FinishedOn = pred.Metadata.BuildFinishedOn
+		finishTimePB := time.Unix(pred.Metadata.BuildFinishedOn.GetSeconds(), int64(pred.Metadata.BuildFinishedOn.GetNanos()))
+		inp.FinishedOn = &finishTimePB
 	}
 
 	return nil
 }
 
-func fillSLSA02(inp *model.SLSAInputSpec, pred *slsa02.ProvenancePredicate) error {
+func fillSLSA02(inp *model.SLSAInputSpec, pred *slsa02.Provenance) error {
 	inp.BuildType = pred.BuildType
 
 	if pred.Metadata == nil {
 		return ErrMetadataNil
 	}
 	if pred.Metadata.BuildStartedOn != nil {
-		inp.StartedOn = pred.Metadata.BuildStartedOn
+		startTimePB := time.Unix(pred.Metadata.BuildStartedOn.GetSeconds(), int64(pred.Metadata.BuildStartedOn.GetNanos()))
+		inp.StartedOn = &startTimePB
 	}
 	if pred.Metadata.BuildFinishedOn != nil {
-		inp.FinishedOn = pred.Metadata.BuildStartedOn
+		finishTimePB := time.Unix(pred.Metadata.BuildFinishedOn.GetSeconds(), int64(pred.Metadata.BuildFinishedOn.GetNanos()))
+		inp.FinishedOn = &finishTimePB
 	}
 	return nil
 }
@@ -272,7 +291,7 @@ func fillSLSA1(inp *model.SLSAInputSpec, pred *slsa1.Provenance) error {
 		inp.StartedOn = &startTimePB
 	}
 	if pred.RunDetails.Metadata.FinishedOn != nil {
-		finishTimePB := time.Unix(pred.RunDetails.Metadata.StartedOn.GetSeconds(), int64(pred.RunDetails.Metadata.StartedOn.GetNanos()))
+		finishTimePB := time.Unix(pred.RunDetails.Metadata.FinishedOn.GetSeconds(), int64(pred.RunDetails.Metadata.FinishedOn.GetNanos()))
 		inp.FinishedOn = &finishTimePB
 	}
 	return nil
@@ -286,18 +305,18 @@ func (s *slsaParser) getSLSA() error {
 	var data []byte
 	var err error
 	switch s.smt.PredicateType {
-	case slsa01.PredicateSLSAProvenance:
+	case PredicateSLSAProvenancev01:
 		if err := fillSLSA01(inp, s.pred01); err != nil {
 			return fmt.Errorf("could not fill SLSA01: %w", err)
 		}
-		if data, err = json.Marshal(s.pred01); err != nil {
+		if data, err = protojson.Marshal(s.pred01); err != nil {
 			return fmt.Errorf("could not marshal SLSA01: %w", err)
 		}
-	case slsa02.PredicateSLSAProvenance:
+	case PredicateSLSAProvenancev02:
 		if err := fillSLSA02(inp, s.pred02); err != nil {
 			return fmt.Errorf("could not fill SLSA02: %w", err)
 		}
-		if data, err = json.Marshal(s.pred02); err != nil {
+		if data, err = protojson.Marshal(s.pred02); err != nil {
 			return fmt.Errorf("could not marshal SLSA02: %w", err)
 		}
 	case PredicateSLSAProvenancev1:
@@ -335,10 +354,10 @@ func (s *slsaParser) getSLSA() error {
 func (s *slsaParser) getBuilder() error {
 	s.builder = &model.BuilderInputSpec{}
 	switch s.smt.PredicateType {
-	case slsa01.PredicateSLSAProvenance:
-		s.builder.Uri = s.pred01.Builder.ID
-	case slsa02.PredicateSLSAProvenance:
-		s.builder.Uri = s.pred02.Builder.ID
+	case PredicateSLSAProvenancev01:
+		s.builder.Uri = s.pred01.Builder.Id
+	case PredicateSLSAProvenancev02:
+		s.builder.Uri = s.pred02.Builder.Id
 	case PredicateSLSAProvenancev1:
 		if s.pred1.RunDetails == nil || s.pred1.RunDetails.Builder == nil {
 			return ErrBuilderNil
@@ -360,14 +379,14 @@ func (s *slsaParser) parseSlsaPredicate(p []byte) error {
 	}
 
 	switch s.smt.PredicateType {
-	case slsa01.PredicateSLSAProvenance:
-		s.pred01 = &slsa01.ProvenancePredicate{}
-		if err := json.Unmarshal(predBytes, s.pred01); err != nil {
+	case PredicateSLSAProvenancev01:
+		s.pred01 = &slsa01.Provenance{}
+		if err := protojson.Unmarshal(predBytes, s.pred01); err != nil {
 			return fmt.Errorf("Could not unmarshal v0.1 SLSA provenance statement : %w", err)
 		}
-	case slsa02.PredicateSLSAProvenance:
-		s.pred02 = &slsa02.ProvenancePredicate{}
-		if err := json.Unmarshal(predBytes, s.pred02); err != nil {
+	case PredicateSLSAProvenancev02:
+		s.pred02 = &slsa02.Provenance{}
+		if err := protojson.Unmarshal(predBytes, s.pred02); err != nil {
 			return fmt.Errorf("Could not unmarshal v0.2 SLSA provenance statement : %w", err)
 		}
 	case PredicateSLSAProvenancev1:
diff --git a/pkg/ingestor/parser/slsa/parser_slsa_test.go b/pkg/ingestor/parser/slsa/parser_slsa_test.go
@@ -17,21 +17,18 @@ package slsa
 
 import (
 	"context"
+	slsa01 "github.com/in-toto/attestation/go/predicates/provenance/v01"
 	"reflect"
 	"testing"
 	"time"
 
-	scommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
-	slsa01 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.1"
-
-	"github.com/in-toto/in-toto-golang/in_toto"
-
 	"github.com/google/go-cmp/cmp"
 	"github.com/guacsec/guac/internal/testing/testdata"
 	"github.com/guacsec/guac/pkg/assembler"
 	model "github.com/guacsec/guac/pkg/assembler/clients/generated"
 	"github.com/guacsec/guac/pkg/handler/processor"
 	"github.com/guacsec/guac/pkg/logging"
+	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
 func Test_slsaParser(t *testing.T) {
@@ -85,9 +82,11 @@ func Test_slsaParser(t *testing.T) {
 func Test_fillSLSA01(t *testing.T) {
 	startTime := time.Now()
 	endTime := time.Now()
+	startTimePB := timestamppb.New(startTime)
+	endTimePB := timestamppb.New(endTime)
 	type args struct {
 		inp  *model.SLSAInputSpec
-		stmt *in_toto.ProvenanceStatementSLSA01
+		stmt *slsa01.Provenance
 	}
 	tests := []struct {
 		name string
@@ -98,15 +97,13 @@ func Test_fillSLSA01(t *testing.T) {
 			name: "default",
 			args: args{
 				inp: &model.SLSAInputSpec{},
-				stmt: &in_toto.ProvenanceStatementSLSA01{
-					Predicate: slsa01.ProvenancePredicate{
-						Metadata: &slsa01.ProvenanceMetadata{
-							BuildStartedOn:  &startTime,
-							BuildFinishedOn: &endTime,
-						},
-						Recipe: slsa01.ProvenanceRecipe{
-							Type: "test",
-						},
+				stmt: &slsa01.Provenance{
+					Metadata: &slsa01.Metadata{
+						BuildStartedOn:  startTimePB,
+						BuildFinishedOn: endTimePB,
+					},
+					Recipe: &slsa01.Recipe{
+						Type: "test",
 					},
 				},
 			},
@@ -115,14 +112,14 @@ func Test_fillSLSA01(t *testing.T) {
 			name: "stmt predicate metadata is nil",
 			args: args{
 				inp:  &model.SLSAInputSpec{},
-				stmt: &in_toto.ProvenanceStatementSLSA01{},
+				stmt: &slsa01.Provenance{},
 			},
 			err: ErrMetadataNil,
 		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			err := fillSLSA01(test.args.inp, &test.args.stmt.Predicate)
+			err := fillSLSA01(test.args.inp, test.args.stmt)
 			if err != test.err {
 				t.Fatalf("fillSLSA01() error = %v, expected error %v", err, test.err)
 			}
@@ -133,14 +130,20 @@ func Test_fillSLSA01(t *testing.T) {
 				return
 			}
 
-			if test.args.inp.BuildType != test.args.stmt.Predicate.Recipe.Type {
-				t.Errorf("fillSLSA01() inp.BuildType not equal to stmt.Predicate.Recipe.Type")
+			if test.args.inp.BuildType != test.args.stmt.Recipe.Type {
+				t.Errorf("fillSLSA01() inp.BuildType not equal to stmt.Recipe.Type")
 			}
-			if test.args.inp.StartedOn != test.args.stmt.Predicate.Metadata.BuildStartedOn {
-				t.Errorf("fillSLSA01() inp.BuildStartedOn not equal to stmt.Predicate.Metadata.BuildStartedOn")
+			if test.args.stmt.Metadata != nil && test.args.stmt.Metadata.BuildStartedOn != nil {
+				expectedStartTime := time.Unix(test.args.stmt.Metadata.BuildStartedOn.GetSeconds(), int64(test.args.stmt.Metadata.BuildStartedOn.GetNanos()))
+				if test.args.inp.StartedOn != nil && !test.args.inp.StartedOn.Equal(expectedStartTime) {
+					t.Errorf("fillSLSA01() inp.StartedOn not equal to expected time")
+				}
 			}
-			if test.args.inp.FinishedOn != test.args.stmt.Predicate.Metadata.BuildFinishedOn {
-				t.Errorf("fillSLSA01() inp.BuildFinishedOn not equal to stmt.Predicate.Metadata.BuildFinishedOn")
+			if test.args.stmt.Metadata != nil && test.args.stmt.Metadata.BuildFinishedOn != nil {
+				expectedFinishTime := time.Unix(test.args.stmt.Metadata.BuildFinishedOn.GetSeconds(), int64(test.args.stmt.Metadata.BuildFinishedOn.GetNanos()))
+				if test.args.inp.FinishedOn != nil && !test.args.inp.FinishedOn.Equal(expectedFinishTime) {
+					t.Errorf("fillSLSA01() inp.FinishedOn not equal to expected time")
+				}
 			}
 		})
 	}
@@ -155,14 +158,14 @@ func Test_getSlsaEntity(t *testing.T) {
 		testname string
 		uri      string
 		name     string
-		digest   scommon.DigestSet
+		digest   map[string]string
 		expected *slsaEntity
 		wantErr  bool
 	}{
 		{
 			testname: "with uri and digest",
 			uri:      "pkg:npm/sigstore/sigstore-js@4.2.0",
-			digest: scommon.DigestSet{
+			digest: map[string]string{
 				"sha1": "428601801d1f5d105351a403f58c38269de93f680",
 			},
 			expected: &slsaEntity{
@@ -188,7 +191,7 @@ func Test_getSlsaEntity(t *testing.T) {
 		{
 			testname: "with name and digest",
 			name:     "sigstore",
-			digest: scommon.DigestSet{
+			digest: map[string]string{
 				"sha1": "428601801d1f5d105351a403f58c38269de93f680",
 			},
 			expected: &slsaEntity{
@@ -213,7 +216,7 @@ func Test_getSlsaEntity(t *testing.T) {
 		},
 		{
 			testname: "without name and uri",
-			digest: scommon.DigestSet{
+			digest: map[string]string{
 				"sha1": "428601801d1f5d105351a403f58c38269de93f680",
 			},
 			wantErr: true,
