Merge branch 'main' into neil/refactor-search

in-toto · Nov 16, 2023 · 349c42f · 349c42f
2 parents 904fe4b + 40c7ed5
commit 349c42f
Show file tree

Hide file tree

Showing 13 changed files with 196 additions and 97 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,28 @@
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+    ignore:
+      - dependency-name: "*"
+        update-types:
+        - "version-update:semver-major"
+        - "version-update:semver-minor"
+
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -29,8 +29,8 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
         with:
           go-version-file: "go.mod"
       - name: golangci-lint

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,49 +18,30 @@ permissions:
 name: release
 on: [push, pull_request]
 jobs:
-  test:
-    strategy:
-      matrix:
-        go-version: [ 1.19.x ]
-        os: [ ubuntu-latest ]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Install Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: ${{ matrix.go-version }}
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - uses: actions/cache@v2
-        with:
-         path: |
-           ~/go/pkg/mod
-           ~/.cache/go-build
-         key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-         restore-keys: |
-            ${{ runner.os }}-go-
-      - name: Format Unix
-        run: test -z $(go fmt ./...)
-      - name: Install GoKart
-        run: go install github.com/praetorian-inc/gokart@latest
+  fmt:
+    uses: ./.github/workflows/witness.yml
+    with:
+      pull_request: ${{ github.event_name == 'pull_request' }}
+      step: fmt
+      attestations: "git github environment"
+      command: go fmt ./...
 
-      - name: Static Analysis
-        uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
-        with:
-          step: static-analysis
-          attestations: "github sarif"
-          command: gokart scan . -o sarif-results.json -s
+  sast:
+    needs: [fmt]
+    uses: ./.github/workflows/witness.yml
+    with:
+      pull_request: ${{ github.event_name == 'pull_request' }}
+      step: sast
+      attestations: "git github environment"
+      command: go vet ./...
 
-      - name: Test
-        uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
-        with: 
-          step: "test"
-          attestations: "github"
-          command: go test -v -coverprofile=profile.cov -covermode=atomic ./...
-
-      - name: Send coverage
-        env:
-          COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          GO111MODULE=off go get github.com/mattn/goveralls
-          $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
+  unit-test:
+    needs: [fmt]
+    uses: ./.github/workflows/witness.yml
+    with:
+      pull_request: ${{ github.event_name == 'pull_request' }}
+      step: unit-test
+      attestations: "git github environment"
+      command: go test -v -coverprofile=profile.cov -covermode=atomic ./...
+      artifact-upload-name: profile.cov
+      artifact-upload-path: profile.cov
diff --git a/.github/workflows/verify-licence.yml b/.github/workflows/verify-licence.yml
@@ -23,8 +23,8 @@ jobs:
       name: license boilerplate check
       runs-on: ubuntu-latest
       steps:
-        - uses: actions/checkout@v2
-        - uses: actions/setup-go@v2
+        - uses: actions/checkout@v4
+        - uses: actions/setup-go@v4
           with:
             go-version: '1.17.x'
         - name: Install addlicense

diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml
@@ -0,0 +1,80 @@
+# Copyright 2023 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+on:
+    workflow_call:
+        inputs:
+            pull_request: 
+                required: true
+                type: boolean
+            artifact-download:
+                required: false
+                type: string
+            artifact-upload-name:
+                required: false
+                type: string
+            artifact-upload-path:
+                required: false
+                type: string
+            pre-command:
+                required: false
+                type: string
+            command:
+                required: true
+                type: string
+            step:
+                required: true
+                type: string
+            attestations:
+                required: true
+                type: string
+
+jobs:
+    witness:
+        runs-on: ubuntu-latest
+        steps:
+          - uses: actions/checkout@v4
+          - uses: actions/setup-go@v4
+            with:
+              go-version: 1.21.x
+
+          - if: ${{ inputs.artifact-download != '' }}
+            uses: actions/download-artifact@v3
+            with:
+              name: ${{ inputs.artifact-download }}
+              path: /tmp
+
+          - if: ${{ inputs.pre-command != '' && inputs.pull_request == false }}
+            uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
+            with:
+              step: pre-${{ inputs.step }}
+              attestations: ${{ inputs.attestations }}
+              command: /bin/sh -c "${{ inputs.pre-command }}"
+          - if: ${{ inputs.pre-command != '' && inputs.pull_request == true }}
+            run: ${{ inputs.pre-command }}
+
+          - if: ${{ inputs.pull_request == false }}
+            uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
+            with:
+              step: ${{ inputs.step }}
+              attestations: ${{ inputs.attestations }}
+              command: /bin/sh -c "${{ inputs.command }}"
+          - if: ${{ inputs.pull_request == true }}
+            run: ${{ inputs.command }}
+
+          - if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}}
+            uses: actions/upload-artifact@v3
+            with:
+              name: ${{ inputs.artifact-upload-name }}
+              path: ${{ inputs.artifact-upload-path }}
diff --git a/MAINTAINERS.md b/MAINTAINERS.md
@@ -0,0 +1,8 @@
+# Maintainers
+
+| Name                       | GitHub          |
+|----------------------------|-----------------|
+| Cole Kennedy (TestifySec)      | [@colek42](https://github.com/colek42) |
+| John Kjell (TestifySec)     | [@jkjell](https://github.com/jkjell) |
+| Mikhail Swift (TestifySec) | [@mikhailswift](https://github.com/mikhailswift) |
+| Aditya Sirish (NYU)       | [@adityasaky](https://github.com/adityasaky) |
diff --git a/attestation/material/material.go b/attestation/material/material.go
@@ -47,15 +47,15 @@ type Attestor struct {
 	materials map[string]cryptoutil.DigestSet
 }
 
-func (a Attestor) Name() string {
+func (a *Attestor) Name() string {
 	return Name
 }
 
-func (a Attestor) Type() string {
+func (a *Attestor) Type() string {
 	return Type
 }
 
-func (rc *Attestor) RunType() attestation.RunType {
+func (a *Attestor) RunType() attestation.RunType {
 	return RunType
 }
 

diff --git a/attestation/product/product.go b/attestation/product/product.go
@@ -125,15 +125,15 @@ func fromDigestMap(digestMap map[string]cryptoutil.DigestSet) map[string]attesta
 	return products
 }
 
-func (a Attestor) Name() string {
+func (a *Attestor) Name() string {
 	return Name
 }
 
-func (a Attestor) Type() string {
+func (a *Attestor) Type() string {
 	return Type
 }
 
-func (rc *Attestor) RunType() attestation.RunType {
+func (a *Attestor) RunType() attestation.RunType {
 	return RunType
 }
 

diff --git a/attestation/product/product_test.go b/attestation/product/product_test.go
@@ -36,7 +36,8 @@ func TestFromDigestMap(t *testing.T) {
 	testDigestSet["test"] = testDigest
 	result := fromDigestMap(testDigestSet)
 	assert.Len(t, result, 1)
-	assert.True(t, result["test"].Digest.Equal(testDigest))
+	digest := result["test"].Digest
+	assert.True(t, digest.Equal(testDigest))
 }
 
 func TestAttestorName(t *testing.T) {

diff --git a/cryptoutil/digestset.go b/cryptoutil/digestset.go
@@ -96,9 +96,9 @@ func HashFromString(name string) (crypto.Hash, error) {
 // Equal returns true if every digest for hash functions both artifacts have in common are equal.
 // If the two artifacts don't have any digests from common hash functions, equal will return false.
 // If any digest from common hash functions differ between the two artifacts, equal will return false.
-func (first DigestSet) Equal(second DigestSet) bool {
+func (ds *DigestSet) Equal(second DigestSet) bool {
 	hasMatchingDigest := false
-	for hash, digest := range first {
+	for hash, digest := range *ds {
 		otherDigest, ok := second[hash]
 		if !ok {
 			continue
@@ -114,9 +114,9 @@ func (first DigestSet) Equal(second DigestSet) bool {
 	return hasMatchingDigest
 }
 
-func (ds DigestSet) ToNameMap() (map[string]string, error) {
+func (ds *DigestSet) ToNameMap() (map[string]string, error) {
 	nameMap := make(map[string]string)
-	for hash, digest := range ds {
+	for hash, digest := range *ds {
 		name, ok := hashNames[hash]
 		if !ok {
 			return nameMap, ErrUnsupportedHash(hash.String())

diff --git a/go.mod b/go.mod
@@ -11,14 +11,14 @@ require (
 	github.com/mattn/go-isatty v0.0.17
 	github.com/open-policy-agent/opa v0.49.1
 	github.com/owenrumney/go-sarif v1.1.1
-	github.com/spiffe/go-spiffe/v2 v2.1.2
-	github.com/stretchr/testify v1.8.1
+	github.com/spiffe/go-spiffe/v2 v2.1.6
+	github.com/stretchr/testify v1.8.2
 	github.com/testifysec/archivista-api v0.0.0-20230220215059-632b84b82b76
-	go.step.sm/crypto v0.25.0
+	go.step.sm/crypto v0.25.2
 	golang.org/x/sys v0.13.0
-	google.golang.org/grpc v1.53.0
+	google.golang.org/grpc v1.56.3
 	gopkg.in/square/go-jose.v2 v2.6.0
-	k8s.io/apimachinery v0.26.1
+	k8s.io/apimachinery v0.26.10
 )
 
 require (
@@ -51,7 +51,7 @@ require (
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/zclconf/go-cty v1.12.1 // indirect
 	golang.org/x/mod v0.8.0 // indirect
-	golang.org/x/oauth2 v0.5.0 // indirect
+	golang.org/x/oauth2 v0.7.0 // indirect
 	golang.org/x/tools v0.6.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
@@ -66,21 +66,21 @@ require (
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect
 	github.com/acomagu/bufpipe v1.0.3 // indirect
-	github.com/aws/aws-sdk-go v1.44.207
+	github.com/aws/aws-sdk-go v1.44.334
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-git/gcfg v1.5.0 // indirect
 	github.com/go-git/go-billy/v5 v5.4.1 // indirect
 	github.com/gobwas/glob v0.2.3
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/sergi/go-diff v1.3.1 // indirect
 	github.com/sigstore/fulcio v1.1.0
-	github.com/sigstore/sigstore v1.5.1
+	github.com/sigstore/sigstore v1.5.2
 	github.com/theupdateframework/go-tuf v0.5.2-0.20220930112810-3890c1e7ace4 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
@@ -91,8 +91,8 @@ require (
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/term v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
-	google.golang.org/genproto v0.0.0-20230222225845-10f96fb3dbec // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
+	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
+	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect