get version from attestation (#4)

Author: phuongdnguyen

go.mod

@@ -18,6 +18,7 @@ require (
 )
 
 require (
+	github.com/sigstore/cosign v1.13.1
 	github.com/sigstore/cosign/v2 v2.0.3-0.20230619102641-b0072d56686b
 	gorm.io/driver/sqlite v1.5.2
 )
@@ -130,7 +131,6 @@ require (
 	github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/mattn/go-sqlite3 v1.14.17 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect

go.sum

@@ -486,7 +486,7 @@ github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtng
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
-github.com/hashicorp/go-hclog v1.2.0 h1:La19f8d7WIlm4ogzNHB0JGqs5AUDAZ2UfCY4sJXcJdM=
+github.com/hashicorp/go-hclog v1.3.1 h1:vDwF1DFNZhntP4DAjuTpOw3uEgMUpXh1pB5fW9DqHpo=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
@@ -589,9 +589,7 @@ github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsI
 github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
-github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
-github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-sqlite3 v1.14.17 h1:mCRHCLDUBXgpKAqIKsaAaAsrAlbkeomtRFKXh2L6YIM=
@@ -699,6 +697,8 @@ github.com/secure-systems-lab/go-securesystemslib v0.6.0/go.mod h1:8Mtpo9JKks/qh
 github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI=
 github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
+github.com/sigstore/cosign v1.13.1 h1:+5oF8jisEcDw2TuXxCADC1u5//HfdnJhGbpv9Isiwu4=
+github.com/sigstore/cosign v1.13.1/go.mod h1:PlfJODkovUOKsLrGI7Su57Ie/Eb/Ks7hRHw3tn5hQS4=
 github.com/sigstore/cosign/v2 v2.0.3-0.20230619102641-b0072d56686b h1:4dXzC6VFLCXH9r1CqgMSIcd6+P1FToHxzqHIh99MxLs=
 github.com/sigstore/cosign/v2 v2.0.3-0.20230619102641-b0072d56686b/go.mod h1:vITelUMv9WOJQs4XdHao7JCAx8q3QAkDRK7sDrWnN60=
 github.com/sigstore/rekor v1.2.2-0.20230530122220-67cc9e58bd23 h1:eZY7mQFcc0VvNr0fiAK3/n7kh73+T06KzBEIUYzFSDQ=
@@ -1037,7 +1037,6 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -1275,7 +1274,7 @@ gorm.io/driver/sqlite v1.5.2/go.mod h1:qxAuCol+2r6PannQDpOP1FP6ag3mKi4esLnB/jHed
 gorm.io/gorm v1.25.1/go.mod h1:L4uxeKpfBml98NYqVqwAdmV1a2nBtAec/cf3fpucW/k=
 gorm.io/gorm v1.25.2-0.20230530020048-26663ab9bf55 h1:sC1Xj4TYrLqg1n3AN10w871An7wJM0gzgcm8jkIkECQ=
 gorm.io/gorm v1.25.2-0.20230530020048-26663ab9bf55/go.mod h1:L4uxeKpfBml98NYqVqwAdmV1a2nBtAec/cf3fpucW/k=
-gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
+gotest.tools/v3 v3.1.0 h1:rVV8Tcg/8jHUkPUorwjaMTtemIMVXfIPKiOqnhEhakk=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

services/container-registry/registry.go

@@ -1,15 +1,21 @@
 package containerregistry
 
 import (
-	"bytes"
 	"context"
+	"encoding/base64"
 	"encoding/json"
+	"fmt"
 	"regexp"
+	"strings"
 
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/crane"
-	cdl "github.com/sigstore/cosign/v2/cmd/cosign/cli/download"
+	"github.com/google/go-containerregistry/pkg/name"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/cosign/v2/pkg/oci"
+	ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
 )
 
 type Interface interface {
@@ -54,41 +60,201 @@ func (c *Client) ListTagsWithConstraint(repoName string, constraint string) ([]s
 	return result, nil
 }
 
-func (c *Client) VersionFromSbom(mainPkg string, repo string) (string, error) {
-	type Package struct {
-		Name        string `json:"name"`
-		VersionInfo string `json:"versionInfo"`
-	}
-	type Packages struct {
-		Packages []Package `json:"packages"`
-	}
-	buf := new(bytes.Buffer)
+func (c *Client) VersionFromSbom(mainPkg string, imageRef string) (string, error) {
+	ctx := context.TODO()
+	// type Package struct {
+	// 	Name        string `json:"name"`
+	// 	VersionInfo string `json:"versionInfo"`
+	// }
+	// type Packages struct {
+	// 	Packages []Package `json:"packages"`
+	// }
+	// buf := new(bytes.Buffer)
 	kc := authn.NewMultiKeychain(
 		authn.DefaultKeychain,
 	)
 
-	o := &options.RegistryOptions{Keychain: kc}
-	do := &options.SBOMDownloadOptions{Platform: "linux/amd64"}
-	sboms, err := cdl.SBOMCmd(context.TODO(), *o, *do, repo, buf)
+	regOpts := options.RegistryOptions{Keychain: kc}
+	// do := &options.SBOMDownloadOptions{Platform: "linux/amd64"}
+	// sboms, err := cdl.SBOMCmd(context.TODO(), *o, *do, repo, buf)
+	// if err != nil {
+	// 	return "", err
+	// }
+	// var ps Packages
+
+	// for _, s := range sboms {
+	// 	json.Unmarshal([]byte(s), &ps)
+	// 	for _, v := range ps.Packages {
+	// 		if v.Name == mainPkg {
+	// 			return v.VersionInfo, nil
+	// 		}
+	// 	}
+	// }
+	attOptions := &options.AttestationDownloadOptions{
+		PredicateType: "https://slsa.dev/provenance/v1",
+		Platform:      "linux/amd64",
+	}
+	ref, err := name.ParseReference(imageRef, regOpts.NameOptions()...)
+	if err != nil {
+		return "", err
+	}
+	ociremoteOpts, err := regOpts.ClientOpts(ctx)
 	if err != nil {
 		return "", err
 	}
-	var ps Packages
 
-	for _, s := range sboms {
-		json.Unmarshal([]byte(s), &ps)
-		for _, v := range ps.Packages {
-			if v.Name == mainPkg {
-				return v.VersionInfo, nil
-			}
+	var predicateType string
+	predicateType, err = options.ParsePredicateType(attOptions.PredicateType)
+	if err != nil {
+		return "", err
+	}
+
+	se, err := ociremote.SignedEntity(ref, ociremoteOpts...)
+	if err != nil {
+		return "", err
+	}
+
+	idx, isIndex := se.(oci.SignedImageIndex)
+
+	// We only allow --platform on multiarch indexes
+	if attOptions.Platform != "" && !isIndex {
+		return "", fmt.Errorf("specified reference is not a multiarch image")
+	}
+
+	if attOptions.Platform != "" && isIndex {
+		targetPlatform, err := v1.ParsePlatform(attOptions.Platform)
+		if err != nil {
+			return "", fmt.Errorf("parsing platform: %w", err)
+		}
+		platforms, err := getIndexPlatforms(idx)
+		if err != nil {
+			return "", fmt.Errorf("getting available platforms: %w", err)
+		}
+
+		platforms = matchPlatform(targetPlatform, platforms)
+		if len(platforms) == 0 {
+			return "", fmt.Errorf("unable to find an attestation for %s", targetPlatform.String())
+		}
+		if len(platforms) > 1 {
+			return "nil", fmt.Errorf(
+				"platform spec matches more than one image architecture: %s",
+				platforms.String(),
+			)
+		}
+
+		nse, err := idx.SignedImage(platforms[0].hash)
+		if err != nil {
+			return "", fmt.Errorf("searching for %s image: %w", platforms[0].hash.String(), err)
 		}
+		if nse == nil {
+			return "", fmt.Errorf("unable to find image %s", platforms[0].hash.String())
+		}
+		se = nse
+	}
+
+	attestations, err := cosign.FetchAttestations(se, predicateType)
+	if err != nil {
+		return "", err
+	}
+	if len(attestations) > 1 {
+		return "", fmt.Errorf("filtered attestation list is more than one")
 	}
-	return "", nil
+	var a attestationPayload
+	att := attestations[0]
+	pB, err := base64.StdEncoding.DecodeString(att.PayLoad)
+	if err != nil {
+		return "", err
+	}
+	if err := json.Unmarshal(pB, &a); err != nil {
+		return "", err
+	}
+	return a.Predicate.BuildDefinition.InternalParameters[mainPkg], nil
+}
+
+type attestationPayload struct {
+	Predicate predicate `json:"predicate"`
+}
+
+type predicate struct {
+	BuildDefinition buildDefinition `json:"buildDefinition"`
+}
+
+type buildDefinition struct {
+	InternalParameters map[string]string `json:"internalParameters"`
 }
 
+//  cosign download attestation cgr.dev/chainguard/redis --predicate-type https://slsa.dev/provenance/v1  | jq '.payload | @base64d | fromjson | .predicate.buildDefinition.internalParameters.redis'
+
 func (c *Client) getAuthOpt() crane.Option {
 	kc := authn.NewMultiKeychain(
 		authn.DefaultKeychain,
 	)
 	return crane.WithAuthFromKeychain(kc)
 }
+
+func getIndexPlatforms(idx oci.SignedImageIndex) (platformList, error) {
+	im, err := idx.IndexManifest()
+	if err != nil {
+		return nil, fmt.Errorf("fetching index manifest: %w", err)
+	}
+
+	platforms := platformList{}
+	for _, m := range im.Manifests {
+		if m.Platform == nil {
+			continue
+		}
+		platforms = append(platforms, struct {
+			hash     v1.Hash
+			platform *v1.Platform
+		}{m.Digest, m.Platform})
+	}
+	return platforms, nil
+}
+
+// matchPlatform filters a list of platforms returning only those matching
+// a base. "Based" on ko's internal equivalent while it moves to GGCR.
+// https://github.com/google/ko/blob/e6a7a37e26d82a8b2bb6df991c5a6cf6b2728794/pkg/build/gobuild.go#L1020
+func matchPlatform(base *v1.Platform, list platformList) platformList {
+	ret := platformList{}
+	for _, p := range list {
+		if base.OS != "" && base.OS != p.platform.OS {
+			continue
+		}
+		if base.Architecture != "" && base.Architecture != p.platform.Architecture {
+			continue
+		}
+		if base.Variant != "" && base.Variant != p.platform.Variant {
+			continue
+		}
+
+		if base.OSVersion != "" && p.platform.OSVersion != base.OSVersion {
+			if base.OS != "windows" {
+				continue
+			} else { //nolint: revive
+				if pcount, bcount := strings.Count(base.OSVersion, "."), strings.Count(p.platform.OSVersion, "."); pcount == 2 && bcount == 3 {
+					if base.OSVersion != p.platform.OSVersion[:strings.LastIndex(p.platform.OSVersion, ".")] {
+						continue
+					}
+				} else {
+					continue
+				}
+			}
+		}
+		ret = append(ret, p)
+	}
+
+	return ret
+}
+
+type platformList []struct {
+	hash     v1.Hash
+	platform *v1.Platform
+}
+
+func (pl *platformList) String() string {
+	r := []string{}
+	for _, p := range *pl {
+		r = append(r, p.platform.String())
+	}
+	return strings.Join(r, ", ")
+}

services/container-registry/registry_test.go

@@ -36,7 +36,7 @@ func TestListTag(t *testing.T) {
 
 func TestVersionFromSbom(t *testing.T) {
 	c := New()
-	tag, err := c.VersionFromSbom("nginx", "cgr.dev/chainguard/nginx:1.25.1-r0")
+	v, err := c.VersionFromSbom("nginx", "cgr.dev/chainguard/nginx:1.25.1-r0")
 	assert.NoError(t, err)
-	fmt.Printf("sboms: %v\n", tag)
+	fmt.Printf("version: %v\n", v)
 }

services/digest-fetcher/digest_fetcher.go

@@ -95,7 +95,7 @@ func (c *client) Fetch(images []config.Image) error {
 							c.log.Errorf("save digest to db %v", err)
 							break
 						}
-						c.log.Info("saved digest to db")
+						c.log.Infof("saved to db %s %s", v.Name, tag)
 					}
 				}
 			}()

services/digest-fetcher/digetst_fetcher_test.go

@@ -28,8 +28,10 @@ func TestFetch(t *testing.T) {
 		},
 		Images:              images,
 		WorkerFetchInterval: "10s",
+		DB:                  "mysql",
 	}
 	d, err := time.ParseDuration(conf.WorkerFetchInterval)
+	assert.NoError(t, err)
 	storage, err := inject.GetStorage(conf)
 	assert.NoError(t, err)
 	registryClient, err := inject.GetContainerRegistryClient()