const (
// PredicateSLSAProvenance represents a build provenance for an artifact.
PredicateSLSAProvenance = "https://slsa.dev/provenance/v1"
)
type BuildMetadata struct {
// Identifies this particular build invocation, which can be useful for
// finding associated logs or other ad-hoc analysis. The exact meaning and
// format is defined by builder.id; by default it is treated as opaque and
// case-sensitive. The value SHOULD be globally unique.
InvocationID string `json:"invocationID,omitempty"`
// The timestamp of when the build started.
StartedOn *time.Time `json:"startedOn,omitempty"`
// The timestamp of when the build completed.
FinishedOn *time.Time `json:"finishedOn,omitempty"`
}
Builder represents the transitive closure of all the entities that are, by necessity, trusted to faithfully run the build and record the provenance.
type Builder struct {
// URI indicating the transitive closure of the trusted builder.
ID string `json:"id"`
// Version numbers of components of the builder.
Version map[string]string `json:"version,omitempty"`
// Dependencies used by the orchestrator that are not run within the
// workload and that do not affect the build, but might affect the
// provenance generation or security guarantees.
BuilderDependencies []ResourceDescriptor `json:"builderDependencies,omitempty"`
}
ProvenanceBuildDefinition describes the inputs to the build.
type ProvenanceBuildDefinition struct {
// The URI SHOULD resolve to a human-readable specification that includes:
// overall description of the build type; schema for externalParameters and
// systemParameters; unambiguous instructions for how to initiate the build
// given this BuildDefinition, and a complete example.
BuildType string `json:"buildType"`
// The build system SHOULD be designed to minimize the size and complexity
// of externalParameters, in order to reduce fragility and ease
// verification. Consumers SHOULD have an expectation of what “good” looks
// like; the more information that they need to check, the harder that task
// becomes.
ExternalParameters interface{} `json:"externalParameters"`
// The parameters that are under the control of the entity represented by
// builder.id. The primary intention of this field is for debugging,
// incident response, and vulnerability management. The values here MAY be
// necessary for reproducing the build. There is no need to verify these
// parameters because the build system is already trusted, and in many cases
// it is not practical to do so.
InternalParameters interface{} `json:"internalParameters,omitempty"`
// Unordered collection of artifacts needed at build time. Completeness is
// best effort, at least through SLSA Build L3. For example, if the build
// script fetches and executes “example.com/foo.sh”, which in turn fetches
// “example.com/bar.tar.gz”, then both “foo.sh” and “bar.tar.gz” SHOULD be
// listed here.
ResolvedDependencies []ResourceDescriptor `json:"resolvedDependencies,omitempty"`
}
ProvenancePredicate is the provenance predicate definition.
type ProvenancePredicate struct {
// The BuildDefinition describes all of the inputs to the build. The
// accuracy and completeness are implied by runDetails.builder.id.
//
// It SHOULD contain all the information necessary and sufficient to
// initialize the build and begin execution.
BuildDefinition ProvenanceBuildDefinition `json:"buildDefinition"`
// Details specific to this particular execution of the build.
RunDetails ProvenanceRunDetails `json:"runDetails"`
}
ProvenanceRunDetails includes details specific to a particular execution of a build.
type ProvenanceRunDetails struct {
// Identifies the entity that executed the invocation, which is trusted to
// have correctly performed the operation and populated this provenance.
//
// This field is REQUIRED for SLSA Build 1 unless id is implicit from the
// attestation envelope.
Builder Builder `json:"builder"`
// Metadata about this particular execution of the build.
BuildMetadata BuildMetadata `json:"metadata,omitempty"`
// Additional artifacts generated during the build that are not considered
// the “output” of the build but that might be needed during debugging or
// incident response. For example, this might reference logs generated
// during the build and/or a digest of the fully evaluated build
// configuration.
//
// In most cases, this SHOULD NOT contain all intermediate files generated
// during the build. Instead, this SHOULD only contain files that are
// likely to be useful later and that cannot be easily reproduced.
Byproducts []ResourceDescriptor `json:"byproducts,omitempty"`
}
ResourceDescriptor describes a particular software artifact or resource (mutable or immutable). See https://github.com/in-toto/attestation/blob/main/spec/v1.0/resource_descriptor.md
type ResourceDescriptor struct {
// A URI used to identify the resource or artifact globally. This field is
// REQUIRED unless either digest or content is set.
URI string `json:"uri,omitempty"`
// A set of cryptographic digests of the contents of the resource or
// artifact. This field is REQUIRED unless either uri or content is set.
Digest common.DigestSet `json:"digest,omitempty"`
// TMachine-readable identifier for distinguishing between descriptors.
Name string `json:"name,omitempty"`
// The location of the described resource or artifact, if different from the
// uri.
DownloadLocation string `json:"downloadLocation,omitempty"`
// The MIME Type (i.e., media type) of the described resource or artifact.
MediaType string `json:"mediaType,omitempty"`
// The contents of the resource or artifact. This field is REQUIRED unless
// either uri or digest is set.
Content []byte `json:"content,omitempty"`
// This field MAY be used to provide additional information or metadata
// about the resource or artifact that may be useful to the consumer when
// evaluating the attestation against a policy.
Annotations map[string]interface{} `json:"annotations,omitempty"`
}