feat(ISV-6756): log a warning when missing build_finished_on timestamp

jedinym · jedinym · commit 4a2659d352f4 · 2026-04-13T11:12:08.000+02:00
Signed-off-by: Martin Jediny &lt;jedinym@proton.me&gt;
diff --git a/src/mobster/oci/artifact.py b/src/mobster/oci/artifact.py
@@ -34,7 +34,7 @@ class SLSAProvenance:
     """
 
     def __init__(
-        self, build_finished_on: datetime.datetime, sbom_digests: dict[str, str]
+        self, build_finished_on: datetime.datetime | None, sbom_digests: dict[str, str]
     ) -> None:
         self._build_finished_on = build_finished_on
         self._sbom_digests: dict[str, str] = sbom_digests
@@ -96,9 +96,7 @@ def _parse_v02(predicate: Any) -> "SLSAProvenance":
         if finished_on:
             build_finished_on = dateutil.parser.isoparse(finished_on)
         else:
-            build_finished_on = datetime.datetime.min.replace(
-                tzinfo=datetime.timezone.utc
-            )
+            build_finished_on = None
 
         # map image digests to sbom blob digests
         sbom_blob_urls: dict[str, str] = {}
@@ -139,9 +137,7 @@ def _parse_v1(predicate: Any) -> "SLSAProvenance":
         if finished_on:
             build_finished_on = dateutil.parser.isoparse(finished_on)
         else:
-            build_finished_on = datetime.datetime.min.replace(
-                tzinfo=datetime.timezone.utc
-            )
+            build_finished_on = None
 
         image_digests: dict[str, str] = {}
         sbom_digests: dict[str, str] = {}
@@ -188,13 +184,13 @@ def _parse_v1(predicate: Any) -> "SLSAProvenance":
         return SLSAProvenance(build_finished_on, sbom_blob_urls)
 
     @property
-    def build_finished_on(self) -> datetime.datetime:
+    def build_finished_on(self) -> datetime.datetime | None:
         """
         Get the timestamp when the build finished.
 
         Returns:
-            The build completion timestamp, or datetime.min with UTC timezone
-            if the timestamp was not available in the provenance data.
+            The build completion timestamp, or None if the timestamp was not
+            available in the provenance data.
         """
         return self._build_finished_on
 
diff --git a/src/mobster/oci/cosign/static.py b/src/mobster/oci/cosign/static.py
@@ -5,6 +5,7 @@
 import os
 import tempfile
 import typing
+from datetime import datetime, timezone
 from pathlib import Path
 from typing import Any, Literal
 
@@ -127,7 +128,19 @@ async def fetch_latest_provenance(self, image: Image) -> SLSAProvenance:
         if len(provenances) == 0:
             raise SBOMError(f"No provenances parsed for image {image}.")
 
-        return sorted(provenances, key=lambda x: x.build_finished_on, reverse=True)[0]
+        # sort the provenances to ensure we attempt to use the latest one
+        if any(p.build_finished_on is None for p in provenances):
+            logger.warning(
+                "Some fetched provenances are missing build_finished_on information. "
+                "datetime.min will be used as fallback for sorting."
+            )
+
+        def key_by_build_finished_on(prov: SLSAProvenance) -> datetime:
+            if prov.build_finished_on is not None:
+                return prov.build_finished_on
+            return datetime.min.replace(tzinfo=timezone.utc)
+
+        return sorted(provenances, key=key_by_build_finished_on, reverse=True)[0]
 
     async def fetch_attested_sbom(
         self, image: Image, sbom_format: SBOMFormat
diff --git a/tests/oci/test_oci.py b/tests/oci/test_oci.py
@@ -449,9 +449,7 @@ def test_v02_missing_build_finished_on(self) -> None:
 
         prov = SLSAProvenance.parse(raw)
 
-        assert prov.build_finished_on == datetime.datetime.min.replace(
-            tzinfo=datetime.timezone.utc
-        )
+        assert prov.build_finished_on is None
 
     def test_v02_task_missing_sbom_blob_url(self) -> None:
         raw = _make_slsa_raw(
@@ -531,9 +529,7 @@ def test_v1_missing_finished_on(self) -> None:
 
         prov = SLSAProvenance.parse(raw)
 
-        assert prov.build_finished_on == datetime.datetime.min.replace(
-            tzinfo=datetime.timezone.utc
-        )
+        assert prov.build_finished_on is None
 
     def test_v1_bad_base64_in_byproduct(self) -> None:
         raw = _make_slsa_raw(
