
Commit c730634

committed
Add github attestations verifier to slsa-verifier
There are no default builder ids for verify-github-attestation. This can perhaps be made a little more generic, accepting any builder as long as it conforms to the spec and is provided via the --builder-id flag. release-workflow: https://github.com/bazel-contrib/.github/.github/workflows/release_ruleset.yaml publish-workflow: https://github.com/bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml Signed-off-by: Appu Goundan <[email protected]>
1 parent b53bd94 commit c730634

19 files changed

+401
-0
lines changed

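--- a/cli/slsa-verifier/main.go
+++ b/cli/slsa-verifier/main.go
@@ -35,6 +35,7 @@ For more information on SLSA, visit https://slsa.dev`,
 }
 c.AddCommand(version.Version())
 c.AddCommand(verifyArtifactCmd())
+c.AddCommand(verifyGithubAttestation())
 c.AddCommand(verifyImageCmd())
 c.AddCommand(verifyNpmPackageCmd())
 c.AddCommand(verifyVSACmd())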
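Review bot: The new registration `c.AddCommand(verifyGithubAttestation())` breaks the constructor naming used by every neighbouring call (`verifyArtifactCmd`, `verifyImageCmd`, `verifyNpmPackageCmd`, `verifyVSACmd`); naming it `verifyGithubAttestationCmd()` would keep the list uniform. The regression test in this commit sets `SLSA_VERIFIER_EXPERIMENTAL` before exercising the command, so the feature appears to be experimental. If that is the case, a comment on this line such as `// experimental: requires SLSA_VERIFIER_EXPERIMENTAL` would make clear that the command is registered unconditionally and gated elsewhere; the gate itself is not visible in this hunk.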

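--- a/cli/slsa-verifier/main_regression_test.go
+++ b/cli/slsa-verifier/main_regression_test.go
@@ -1510,6 +1510,75 @@ func Test_runVerifyGHAContainerBased(t *testing.T) {
 }
 }
 
+func Test_runVerifyGithubAttestation(t *testing.T) {
+t.Parallel()
+os.Setenv("SLSA_VERIFIER_EXPERIMENTAL", "1")
+
+bcrReleaserBuilderID := "https://github.com/bazel-contrib/.github/.github/workflows/release_ruleset.yaml"
+bcrPublisherBuilderID := "https://github.com/bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml"
+
+tests := []struct {
+name string
+artifact string
+source string
+builderID string
+err error
+}{
+{
+name: "module.bazel using publishing builder",
+artifact: "MODULE.bazel",
+source: "github.com/aspect-build/rules_lint",
+builderID: bcrPublisherBuilderID,
+},
+{
+name: "source archive using release builder",
+artifact: "rules_lint-v1.3.1.tar.gz",
+source: "github.com/aspect-build/rules_lint",
+builderID: bcrReleaserBuilderID,
+},
+{
+name: "module.bazel wrong signer",
+artifact: "MODULE-wrong-signer.bazel",
+source: "github.com/aspect-build/rules_lint",
+builderID: bcrPublisherBuilderID,
+err: serrors.ErrorUntrustedReusableWorkflow,
+},
+{
+name: "module.bazel no builder id",
+artifact: "MODULE.bazel",
+source: "github.com/aspect-build/rules_lint",
+err: serrors.ErrorUntrustedReusableWorkflow,
+},
+{
+name: "source archive no builder id",
+artifact: "rules_lint-v1.3.1.tar.gz",
+source: "github.com/aspect-build/rules_lint",
+err: serrors.ErrorUntrustedReusableWorkflow,
+},
+}
+
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+t.Parallel()
+
+artifactPath := filepath.Clean(filepath.Join(TEST_DIR, "bcr", tt.artifact))
+// we treat these single entry *.intoto.jsonl bundles as single attestations
+provenancePath := fmt.Sprintf("%s.intoto.jsonl", artifactPath)
+cmd := verify.VerifyGithubAttestationCommand{
+ProvenancePath: provenancePath,
+BuilderID: &tt.builderID,
+SourceURI: tt.source,
+}
+
+_, err := cmd.Exec(context.Background(), artifactPath)
+if !errCmp(tt.err, err) {
+t.Errorf("unexpected error (-want +got):\n%s", cmp.Diff(err, tt.err, cmpopts.EquateErrors()))
+}
+})
+}
+
+}
+
 func Test_runVerifyNpmPackage(t *testing.T) {
 // We cannot use t.Setenv due to parallelized tests.
 os.Setenv("SLSA_VERIFIER_EXPERIMENTAL", "1")
@@ -2063,3 +2132,15 @@ func Test_runVerifyVSA(t *testing.T) {
 func pointerTo[K any](object K) *K {
 return &object
 }
+
+func unwrapFull(t *testing.T, err error) error {
+for err != nil {
+t.Logf("%v", err)
+unwrapped := errors.Unwrap(err)
+if unwrapped == nil {
+return err
+}
+err = unwrapped
+}
+return nil
+}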
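Review bot: The two "no builder id" cases in Test_runVerifyGithubAttestation still pass `BuilderID: &tt.builderID`, a non-nil pointer to an empty string, so the path where the flag is absent (nil) is never exercised; since this verifier has no default builder IDs, that is the path where a skipped check would accept any signing workflow. Making the table field a `*string` and filling it with the file's existing helper, e.g. `builderID: pointerTo(bcrPublisherBuilderID)`, lets those cases leave it nil. The table also has no case where the artifact bytes differ from the attested subject digest, or where `SourceURI` names a different repository, which are presumably the other two bindings this command enforces. In the failure message, `cmp.Diff(err, tt.err, ...)` passes got before want, so the `(-want +got)` label is inverted; `cmp.Diff(tt.err, err, cmpopts.EquateErrors())` matches the label. `unwrapFull` in the second hunk has no caller in the visible lines.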
+34
@@ -0,0 +1,34 @@
1+
"Bazel dependencies"
2+
3+
module(
4+
name = "aspect_rules_lint",
5+
version = "1.3.1",
6+
compatibility_level = 1,
7+
)
8+
9+
bazel_dep(name = "aspect_bazel_lib", version = "2.7.7")
10+
11+
# Needed in the root because we use js_lib_helpers in our aspect impl
12+
# Minimum version needs 'chore: bump bazel-lib to 2.0 by @alexeagle in #1311'
13+
# to allow users on bazel-lib 2.0
14+
bazel_dep(name = "aspect_rules_js", version = "1.40.0")
15+
bazel_dep(name = "bazel_features", version = "1.0.0")
16+
bazel_dep(name = "bazel_skylib", version = "1.4.2")
17+
bazel_dep(name = "platforms", version = "0.0.7")
18+
bazel_dep(name = "rules_multirun", version = "0.9.0")
19+
bazel_dep(name = "rules_multitool", version = "0.4.0")
20+
bazel_dep(name = "rules_diff", version = "1.0.0")
21+
22+
# Needed in the root because we dereference ProtoInfo in our aspect impl
23+
bazel_dep(name = "rules_proto", version = "6.0.0")
24+
25+
# Needed in the root because we dereference the toolchain in our aspect impl
26+
bazel_dep(name = "rules_buf", version = "0.1.1")
27+
bazel_dep(name = "toolchains_protoc", version = "0.2.1")
28+
29+
multitool = use_extension("@rules_multitool//multitool:extension.bzl", "multitool")
30+
multitool.hub(lockfile = "//format:multitool.lock.json")
31+
multitool.hub(lockfile = "//lint:multitool.lock.json")
32+
use_repo(multitool, "multitool")
33+
34+
bazel_dep(name = "stardoc", version = "0.7.0", dev_dependency = True, repo_name = "io_bazel_stardoc")
@@ -0,0 +1 @@
1+
{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "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"}, "tlogEntries": [{"logIndex": "190354141", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "dsse", "version": "0.0.1"}, "integratedTime": "1743446368", "inclusionPromise": {"signedEntryTimestamp": "MEUCIAEOAUBnT7rKlB8CSMdlCCer21mW6rGKAAbcYkDXxTUFAiEAiPIrf+ka631N0ZXh/AsB8R+rvyQ/PlaBzRfZvgNx/Bs="}, "inclusionProof": {"logIndex": "68449879", "rootHash": "Pzd//dVRqtUdThKMd4kGVa3Y9t4iLeoptGi36NF+VY8=", "treeSize": "68449881", "hashes": ["50T/EJW6zqoHIx8xcGy07kZ190X2nYCtkdNc9PUJESE=", "0dz1YfaxxbPQu0S6bQpbADyB+4i3ydMq4IBJ5d7PQ3Y=", "IkDlJAEXqhTIjv7cSMV/ZLReP9f5u19dSoXvCJYcb3k=", "LMtk0ptAdReAMDIjz1ifH2dudYcgWxtnS3csDHxvVes=", "yg6V8cwhqpomzaPkSK6b0sX+044T3mjzhoBAklRfV4E=", "MjSCQgjB/+NuOxwENKDgqhmyXQ67h78KtnaR372Drdk=", "j9N8wWyxTLYX9xvh+PJPTpIhkTkic5Xlq2QJ3o3qte8=", "5js2YKrmc9qbDWDZUiVRfr0Ztm1V/Y1KosqGkclaNX4=", "hXQdjV/Umh9w/HAl2zupeNXPFMcozJ4uJWIlyyyYHhc=", "/ilV47LabPcRkc0f8Q663uyjZxM/ejxeWxAp1ohU/ho=", "eD1nICgVTOrXeYUCWqRbxMeltN4yWQq4Kg7gO/3vNCA=", "9cebns9CaJpF5CqTGgcX8M1/t+C1dWLXTFlVwmx2OTI=", "0h8nhcle5C9UpTvzBlAM62Top+G4DS282xnhunrGDFs=", "7v8qPHNDLerpduaMx06eb/MwgoQwczTn/cYGKX/9wZ4="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n68449881\nPzd//dVRqtUdThKMd4kGVa3Y9t4iLeoptGi36NF+VY8=\n\n\u2014 rekor.sigstore.dev wNI9ajBEAiARUbHw2zmjlI7RvDO6Pl79T8rHjyvyOJfmrUJA5AHgNgIgcaUU3d4+rAetQfcXyNRZYAgvQ1oXhrISK3iczotQy4Y=\n"}}, "canonicalizedBody": "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"}], "timestampVerificationData": {}}, "dsseEnvelope": {"payload": 
"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiTU9EVUxFLmJhemVsIiwiZGlnZXN0Ijp7InNoYTI1NiI6IjA2Y2UzMzA5MDBhN2Q2NDAzYmM4ZDg4ZTVkZmFkNmFlZWI4YWU0MDE3OWY2NmJiODllNjljOGJmNmY2YjFhMGIifX1dLCJwcmVkaWNhdGVUeXBlIjoiaHR0cHM6Ly9zbHNhLmRldi9wcm92ZW5hbmNlL3YxIiwicHJlZGljYXRlIjp7ImJ1aWxkRGVmaW5pdGlvbiI6eyJidWlsZFR5cGUiOiJodHRwczovL2FjdGlvbnMuZ2l0aHViLmlvL2J1aWxkdHlwZXMvd29ya2Zsb3cvdjEiLCJleHRlcm5hbFBhcmFtZXRlcnMiOnsid29ya2Zsb3ciOnsicmVmIjoicmVmcy9oZWFkcy9wdWJsaXNoLXRvLWJjciIsInJlcG9zaXRvcnkiOiJodHRwczovL2dpdGh1Yi5jb20vYXNwZWN0LWJ1aWxkL3J1bGVzX2xpbnQiLCJwYXRoIjoiLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWwifX0sImludGVybmFsUGFyYW1ldGVycyI6eyJnaXRodWIiOnsiZXZlbnRfbmFtZSI6IndvcmtmbG93X2Rpc3BhdGNoIiwicmVwb3NpdG9yeV9pZCI6IjYzMTcxMDc0MSIsInJlcG9zaXRvcnlfb3duZXJfaWQiOiI2MDk1MTA5MCIsInJ1bm5lcl9lbnZpcm9ubWVudCI6ImdpdGh1Yi1ob3N0ZWQifX0sInJlc29sdmVkRGVwZW5kZW5jaWVzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL2FzcGVjdC1idWlsZC9ydWxlc19saW50QHJlZnMvaGVhZHMvcHVibGlzaC10by1iY3IiLCJkaWdlc3QiOnsiZ2l0Q29tbWl0IjoiOGY3MDAwOWZkZTBjOTRhZGU2Y2UyYTA1NGI5NDcxOGM4MTkxMjZlYyJ9fV19LCJydW5EZXRhaWxzIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vYmF6ZWwtY29udHJpYi9wdWJsaXNoLXRvLWJjci8uZ2l0aHViL3dvcmtmbG93cy9wdWJsaXNoLnlhbWxAcmVmcy90YWdzL3YwLjAuMSJ9LCJtZXRhZGF0YSI6eyJpbnZvY2F0aW9uSWQiOiJodHRwczovL2dpdGh1Yi5jb20vYXNwZWN0LWJ1aWxkL3J1bGVzX2xpbnQvYWN0aW9ucy9ydW5zLzE0MDk1NjExNjcxL2F0dGVtcHRzLzEifX19fQ==", "payloadType": "application/vnd.in-toto+json", "signatures": [{"sig": "MEUCIQDEaFP4Em6z1NxJvugLk2kXUvTzz4whqzJsEW6PFdEtxAIgKm9Fn9o5DNYh4NBv6SQ5pk6CK8pzGdtqDkO55+a1YVU="}]}}

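--- a/cli/slsa-verifier/testdata/bcr/MODULE.bazel
+++ b/cli/slsa-verifier/testdata/bcr/MODULE.bazel
@@ -0,0 +1,34 @@
+"Bazel dependencies"
+
+module(
+name = "aspect_rules_lint",
+version = "1.3.1",
+compatibility_level = 1,
+)
+
+bazel_dep(name = "aspect_bazel_lib", version = "2.7.7")
+
+# Needed in the root because we use js_lib_helpers in our aspect impl
+# Minimum version needs 'chore: bump bazel-lib to 2.0 by @alexeagle in #1311'
+# to allow users on bazel-lib 2.0
+bazel_dep(name = "aspect_rules_js", version = "1.40.0")
+bazel_dep(name = "bazel_features", version = "1.0.0")
+bazel_dep(name = "bazel_skylib", version = "1.4.2")
+bazel_dep(name = "platforms", version = "0.0.7")
+bazel_dep(name = "rules_multirun", version = "0.9.0")
+bazel_dep(name = "rules_multitool", version = "0.4.0")
+bazel_dep(name = "rules_diff", version = "1.0.0")
+
+# Needed in the root because we dereference ProtoInfo in our aspect impl
+bazel_dep(name = "rules_proto", version = "6.0.0")
+
+# Needed in the root because we dereference the toolchain in our aspect impl
+bazel_dep(name = "rules_buf", version = "0.1.1")
+bazel_dep(name = "toolchains_protoc", version = "0.2.1")
+
+multitool = use_extension("@rules_multitool//multitool:extension.bzl", "multitool")
+multitool.hub(lockfile = "//format:multitool.lock.json")
+multitool.hub(lockfile = "//lint:multitool.lock.json")
+use_repo(multitool, "multitool")
+
+bazel_dep(name = "stardoc", version = "0.7.0", dev_dependency = True, repo_name = "io_bazel_stardoc")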
