Working Dir support for SBOM attestor (#274)

* Additional testing for SBOM attestor and better support for setting working-dir * Add subjecter to SBOM attestor * Require an exporter to also be a subjecter --------- Signed-off-by: John Kjell <[email protected]>
in-toto · Jun 13, 2024 · 5ce590f · 5ce590f
1 parent 62e34c9
commit 5ce590f
Show file tree

Hide file tree

Showing 10 changed files with 91 additions and 8,386 deletions.
diff --git a/attestation/factory.go b/attestation/factory.go
@@ -61,6 +61,7 @@ type Producer interface {
 // Exporter allows attestors to export their attestations for separation from the collection.
 type Exporter interface {
 	Export() bool
+	Subjects() map[string]cryptoutil.DigestSet
 }
 
 // BackReffer allows attestors to indicate which of their subjects are good candidates

diff --git a/attestation/product/product.go b/attestation/product/product.go
@@ -18,6 +18,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"path/filepath"
 
 	"github.com/gabriel-vasile/mimetype"
 	"github.com/gobwas/glob"
@@ -118,7 +119,7 @@ type Attestor struct {
 func fromDigestMap(workingDir string, digestMap map[string]cryptoutil.DigestSet) map[string]attestation.Product {
 	products := make(map[string]attestation.Product)
 	for fileName, digestSet := range digestMap {
-		filePath := workingDir + fileName
+		filePath := filepath.Join(workingDir, fileName)
 		mimeType, err := getFileContentType(filePath)
 		if err != nil {
 			mimeType = "unknown"
@@ -227,12 +228,12 @@ func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 func getFileContentType(fileName string) (string, error) {
 	// Add SPDX JSON detector
 	mimetype.Lookup("application/json").Extend(func(buf []byte, limit uint32) bool {
-		return bytes.HasPrefix(buf, []byte(`{"spdxVersion": "SPDX-`))
+		return bytes.HasPrefix(buf, []byte(`{"spdxVersion":"SPDX-`))
 	}, "application/spdx+json", ".spdx.json")
 
 	// Add CycloneDx JSON detector
 	mimetype.Lookup("application/json").Extend(func(buf []byte, limit uint32) bool {
-		return bytes.HasPrefix(buf, []byte(`{"$schema": "http://cyclonedx.org/schema/bom-`))
+		return bytes.HasPrefix(buf, []byte(`{"$schema":"http://cyclonedx.org/schema/bom-`))
 	}, "application/vnd.cyclonedx+json", ".cdx.json")
 
 	// Add CycloneDx XML detector

diff --git a/attestation/sbom/boms/README.md b/attestation/sbom/boms/README.md
@@ -0,0 +1,15 @@
+# Generating Test SBOM
+
+## Commands Used
+
+These are the commands used to generate the SBOMs comitted:
+
+`syft scan alpine:latest -o spdx > spdx-2.3/alpine.spdx-2-3.json`
+
+`syft scan alpine:latest -o [email protected] > spdx-2.2/alpine.spdx-2-2.json`
+
+`syft scan alpine:latest -o cyclonedx-json > cyclonedx-json/alpine.cyclonedx.json`
+
+`syft scan alpine:latest -o cyclonedx > alpine.cyclonedx.xml`
+
+For the `bad.json` modified any of the above json SBOMs to be malformed (just remove a few characters from the end). The modification needs to be after the first 512 bytes of the file due to the method used for mime-type detection.
diff --git a/attestation/sbom/boms/bad-json/bad.json b/attestation/sbom/boms/bad-json/bad.json