feat(controlplane): expose has_policy_violations through referrer API (#1708)

migmartri · web-flow · commit 3e83aa40a5da · 2025-01-08T09:37:17.000+01:00
Signed-off-by: Miguel Martinez &lt;miguel@chainloop.dev&gt;
diff --git a/app/controlplane/pkg/biz/referrer.go b/app/controlplane/pkg/biz/referrer.go
@@ -1,5 +1,5 @@
 //
-// Copyright 2024 The Chainloop Authors.
+// Copyright 2024-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -280,12 +280,15 @@ func extractReferrers(att *dsse.Envelope, repo ReferrerRepo) ([]*Referrer, error
 	attestationReferrer.Annotations = predicate.GetAnnotations()
 	attestationReferrer.Metadata = map[string]string{
 		// workflow name, team and project
-		"name":            predicate.GetMetadata().Name,
-		"team":            predicate.GetMetadata().Team,
-		"project":         predicate.GetMetadata().Project,
-		"organization":    predicate.GetMetadata().Organization,
-		"contractName":    predicate.GetMetadata().ContractName,
-		"contractVersion": predicate.GetMetadata().ContractVersion,
+		"name":                     predicate.GetMetadata().Name,
+		"team":                     predicate.GetMetadata().Team,
+		"project":                  predicate.GetMetadata().Project,
+		"hasPolicyViolations":      fmt.Sprintf("%t", predicate.HasPolicyViolations()),
+		"projectVersion":           predicate.GetMetadata().ProjectVersion,
+		"projectVersionPrerelease": fmt.Sprintf("%t", predicate.GetMetadata().ProjectVersionPrerelease),
+		"organization":             predicate.GetMetadata().Organization,
+		"contractName":             predicate.GetMetadata().ContractName,
+		"contractVersion":          predicate.GetMetadata().ContractVersion,
 	}
 
 	// Create new referrers for each material
diff --git a/app/controlplane/pkg/biz/referrer_integration_test.go b/app/controlplane/pkg/biz/referrer_integration_test.go
@@ -1,5 +1,5 @@
 //
-// Copyright 2024 The Chainloop Authors.
+// Copyright 2024-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -49,12 +49,12 @@ func (s *referrerIntegrationTestSuite) TestGetFromRootInPublicSharedIndex() {
 
 	// We'll store the attestation in the private only index
 	ctx := context.Background()
-	s.T().Run("public endpoint fails if feature not enabled", func(t *testing.T) {
+	s.Run("public endpoint fails if feature not enabled", func() {
 		_, err := s.Referrer.GetFromRootInPublicSharedIndex(ctx, wantReferrerAtt.Digest, "")
 		s.ErrorContains(err, "not enabled")
 	})
 
-	s.T().Run("storing it associated with a private workflow keeps it private and not in the index", func(t *testing.T) {
+	s.Run("storing it associated with a private workflow keeps it private and not in the index", func() {
 		err = s.sharedEnabledUC.ExtractAndPersist(ctx, envelope, s.workflow1.ID.String())
 		require.NoError(s.T(), err)
 		ref, err := s.Referrer.GetFromRootUser(ctx, wantReferrerAtt.Digest, "", s.user.ID)
@@ -243,11 +243,15 @@ func (s *referrerIntegrationTestSuite) TestExtractAndPersists() {
 		s.Equal(wantReferrerAtt.Kind, got.Kind)
 		// It has metadata
 		s.Equal(map[string]string{
-			"contractName": "", "contractVersion": "",
-			"name":         "test-new-types",
-			"project":      "test",
-			"team":         "my-team",
-			"organization": "my-org",
+			"contractName":             "",
+			"contractVersion":          "",
+			"name":                     "test-new-types",
+			"project":                  "test",
+			"team":                     "my-team",
+			"organization":             "my-org",
+			"hasPolicyViolations":      "false",
+			"projectVersion":           "",
+			"projectVersionPrerelease": "false",
 		}, got.Metadata)
 		// it has all the references
 		require.Len(t, got.References, 6)
diff --git a/app/controlplane/pkg/biz/referrer_test.go b/app/controlplane/pkg/biz/referrer_test.go
@@ -1,5 +1,5 @@
 //
-// Copyright 2024 The Chainloop Authors.
+// Copyright 2024-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -109,12 +109,15 @@ func (s *referrerTestSuite) TestExtractReferrers() {
 					Kind:         "ATTESTATION",
 					Downloadable: true,
 					Metadata: map[string]string{
-						"contractName":    "",
-						"contractVersion": "",
-						"name":            "only-sbom",
-						"organization":    "",
-						"team":            "",
-						"project":         "foo",
+						"contractName":             "",
+						"contractVersion":          "",
+						"name":                     "only-sbom",
+						"organization":             "",
+						"team":                     "",
+						"project":                  "foo",
+						"projectVersion":           "",
+						"projectVersionPrerelease": "false",
+						"hasPolicyViolations":      "false",
 					},
 					Annotations: map[string]string{
 						"branch":   "stable",
@@ -160,12 +163,15 @@ func (s *referrerTestSuite) TestExtractReferrers() {
 						},
 					},
 					Metadata: map[string]string{
-						"contractName":    "",
-						"contractVersion": "",
-						"name":            "test",
-						"organization":    "",
-						"team":            "",
-						"project":         "bar",
+						"contractName":             "",
+						"contractVersion":          "",
+						"name":                     "test",
+						"organization":             "",
+						"team":                     "",
+						"project":                  "bar",
+						"projectVersion":           "",
+						"projectVersionPrerelease": "false",
+						"hasPolicyViolations":      "false",
 					},
 					Annotations: map[string]string{
 						"version": "oss",
@@ -193,12 +199,15 @@ func (s *referrerTestSuite) TestExtractReferrers() {
 					Kind:         "ATTESTATION",
 					Downloadable: true,
 					Metadata: map[string]string{
-						"contractName":    "",
-						"contractVersion": "",
-						"name":            "only-sbom",
-						"organization":    "",
-						"team":            "",
-						"project":         "foo",
+						"contractName":             "",
+						"contractVersion":          "",
+						"name":                     "only-sbom",
+						"organization":             "",
+						"team":                     "",
+						"project":                  "foo",
+						"projectVersion":           "",
+						"projectVersionPrerelease": "false",
+						"hasPolicyViolations":      "false",
 					},
 					Annotations: map[string]string{
 						"branch":   "stable",
@@ -254,12 +263,15 @@ func (s *referrerTestSuite) TestExtractReferrers() {
 					Kind:         "ATTESTATION",
 					Downloadable: true,
 					Metadata: map[string]string{
-						"contractName":    "",
-						"contractVersion": "",
-						"name":            "test-new-types",
-						"organization":    "my-org",
-						"team":            "my-team",
-						"project":         "test",
+						"contractName":             "",
+						"contractVersion":          "",
+						"name":                     "test-new-types",
+						"organization":             "my-org",
+						"team":                     "my-team",
+						"project":                  "test",
+						"projectVersion":           "",
+						"projectVersionPrerelease": "false",
+						"hasPolicyViolations":      "false",
 					},
 					References: []*Referrer{
 						{
diff --git a/pkg/attestation/renderer/chainloop/chainloop.go b/pkg/attestation/renderer/chainloop/chainloop.go
@@ -1,5 +1,5 @@
 //
-// Copyright 2024 The Chainloop Authors.
+// Copyright 2024-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -42,6 +42,7 @@ type NormalizablePredicate interface {
 	GetRunLink() string
 	GetMetadata() *Metadata
 	GetPolicyEvaluations() map[string][]*PolicyEvaluation
+	HasPolicyViolations() bool
 }
 
 type NormalizedMaterial struct {
@@ -77,16 +78,18 @@ type ProvenancePredicateCommon struct {
 }
 
 type Metadata struct {
-	Name            string     `json:"name"`
-	Project         string     `json:"project"`
-	Team            string     `json:"team"`
-	InitializedAt   *time.Time `json:"initializedAt"`
-	FinishedAt      *time.Time `json:"finishedAt"`
-	WorkflowRunID   string     `json:"workflowRunID"`
-	WorkflowID      string     `json:"workflowID"`
-	Organization    string     `json:"organization"`
-	ContractName    string     `json:"contractName"`
-	ContractVersion string     `json:"contractVersion"`
+	Name                     string     `json:"name"`
+	Project                  string     `json:"project"`
+	ProjectVersion           string     `json:"projectVersion"`
+	ProjectVersionPrerelease bool       `json:"projectVersionPrerelease"`
+	Team                     string     `json:"team"`
+	InitializedAt            *time.Time `json:"initializedAt"`
+	FinishedAt               *time.Time `json:"finishedAt"`
+	WorkflowRunID            string     `json:"workflowRunID"`
+	WorkflowID               string     `json:"workflowID"`
+	Organization             string     `json:"organization"`
+	ContractName             string     `json:"contractName"`
+	ContractVersion          string     `json:"contractVersion"`
 }
 
 type Maintainer struct {
@@ -126,16 +129,18 @@ func getChainloopMeta(att *v1.Attestation) *Metadata {
 	wfMeta := att.GetWorkflow()
 
 	return &Metadata{
-		InitializedAt:   &initializedAt,
-		FinishedAt:      &finishedAt,
-		Name:            wfMeta.GetName(),
-		Team:            wfMeta.GetTeam(),
-		Project:         wfMeta.GetProject(),
-		WorkflowRunID:   wfMeta.GetWorkflowRunId(),
-		WorkflowID:      wfMeta.GetWorkflowId(),
-		Organization:    wfMeta.GetOrganization(),
-		ContractName:    wfMeta.GetContractName(),
-		ContractVersion: wfMeta.GetSchemaRevision(),
+		InitializedAt:            &initializedAt,
+		FinishedAt:               &finishedAt,
+		Name:                     wfMeta.GetName(),
+		Team:                     wfMeta.GetTeam(),
+		Project:                  wfMeta.GetProject(),
+		WorkflowRunID:            wfMeta.GetWorkflowRunId(),
+		WorkflowID:               wfMeta.GetWorkflowId(),
+		Organization:             wfMeta.GetOrganization(),
+		ContractName:             wfMeta.GetContractName(),
+		ContractVersion:          wfMeta.GetSchemaRevision(),
+		ProjectVersion:           wfMeta.GetVersion().GetVersion(),
+		ProjectVersionPrerelease: wfMeta.GetVersion().GetPrerelease(),
 	}
 }
 
diff --git a/pkg/attestation/renderer/chainloop/testdata/attestation.output-2.v0.2.json b/pkg/attestation/renderer/chainloop/testdata/attestation.output-2.v0.2.json
@@ -111,6 +111,8 @@
       "name": "test-new-types",
       "organization": "my-org",
       "project": "test",
+      "projectVersion": "",
+      "projectVersionPrerelease": false,
       "team": "",
       "workflowID": "ab98be70-041b-4a82-97f3-daa56f61262b",
       "workflowRunID": "f97a0680-e64b-478a-9eea-df8864fa27f8"
diff --git a/pkg/attestation/renderer/chainloop/testdata/attestation.output.v0.2.json b/pkg/attestation/renderer/chainloop/testdata/attestation.output.v0.2.json
@@ -2,9 +2,9 @@
   "type": "https://in-toto.io/Statement/v1",
   "subject": [
     {
-      "name": "chainloop.workflow.foo",
+      "name": "chainloop.workflow.skipped",
       "digest": {
-        "sha256": "163c004d6210ba71f5b3e8c53f3e026ce245dbe3ddffc68e5bb1fe1f7e76d4c7"
+        "sha256": "9a2d6343065c60508002a90468b98bd05bb63a40e8b9aefe2a712dbdf946e828"
       }
     },
     {
@@ -66,19 +66,55 @@
       }
     ],
     "metadata": {
-      "contractName": "",
+      "contractName": "chainloop-skipped",
       "contractVersion": "1",
       "finishedAt": "2023-05-03T17:25:12.743426076Z",
       "initializedAt": "2023-05-03T17:22:12.743426076Z",
-      "name": "foo",
-      "organization": "",
-      "project": "bar",
+      "name": "skipped",
+      "organization": "foobar",
+      "project": "chainloop",
+      "projectVersion": "v0.150.0",
+      "projectVersionPrerelease": true,
       "team": "",
-      "workflowID": "54ea7c5c-7592-48ac-9a9f-084b72447184",
-      "workflowRunID": ""
+      "workflowID": "94208094-b8d3-4b38-b1f1-c609c47c49ea",
+      "workflowRunID": "e4cec971-6f4f-442a-8de0-d12ddc4667f2"
     },
     "policy_block_on_violation": false,
-    "policy_has_violations": false,
+    "policy_evaluations": {
+      "sbom": [
+        {
+          "annotations": {
+            "category": "sbom"
+          },
+          "description": "Checks that the SBOM is not older than a specified threshold. Supports CycloneDX.\n",
+          "material_name": "sbom",
+          "name": "sbom-freshness",
+          "policy_reference": {
+            "annotations": {
+              "name": "sbom-freshness",
+              "organization": ""
+            },
+            "digest": {
+              "sha256": "e9b750847ba8a5439a0a43963d22cb5c5a9568de5fdcd2db21d9615c76870c2a"
+            },
+            "name": "sbom-freshness",
+            "uri": "file://policy-sbom-freshness.yaml"
+          },
+          "skipped": false,
+          "type": "SBOM_CYCLONEDX_JSON",
+          "violations": [
+            {
+              "message": "SBOM created at: 2020-08-02T21:27:04Z which is too old (freshness limit set to 5 days)",
+              "subject": "sbom-freshness"
+            }
+          ],
+          "with": {
+            "limit": "5"
+          }
+        }
+      ]
+    },
+    "policy_has_violations": true,
     "runnerType": "GITHUB_ACTION"
   }
 }
diff --git a/pkg/attestation/renderer/chainloop/testdata/attestation.source.json b/pkg/attestation/renderer/chainloop/testdata/attestation.source.json
@@ -25,9 +25,7 @@
         "name": "skynet-sbom"
       }
     ],
-    "envAllowList": [
-      "CUSTOM_VAR"
-    ],
+    "envAllowList": ["CUSTOM_VAR"],
     "runner": {
       "type": "GITHUB_ACTION"
     }
@@ -36,11 +34,46 @@
     "initializedAt": "2023-05-03T17:22:12.743426076Z",
     "finishedAt": "2023-05-03T17:25:12.743426076Z",
     "workflow": {
-      "name": "foo",
-      "project": "bar",
-      "workflowId": "54ea7c5c-7592-48ac-9a9f-084b72447184",
-      "schemaRevision": "1"
+      "name": "skipped",
+      "project": "chainloop",
+      "version": {
+        "version": "v0.150.0",
+        "prerelease": true
+      },
+      "workflowId": "94208094-b8d3-4b38-b1f1-c609c47c49ea",
+      "workflowRunId": "e4cec971-6f4f-442a-8de0-d12ddc4667f2",
+      "schemaRevision": "1",
+      "contractName": "chainloop-skipped",
+      "organization": "foobar"
     },
+    "policyEvaluations": [
+      {
+        "name": "sbom-freshness",
+        "materialName": "sbom",
+        "sources": [],
+        "referenceDigest": "sha256:e9b750847ba8a5439a0a43963d22cb5c5a9568de5fdcd2db21d9615c76870c2a",
+        "referenceName": "file://policy-sbom-freshness.yaml",
+        "description": "Checks that the SBOM is not older than a specified threshold. Supports CycloneDX.\n",
+        "annotations": {
+          "category": "sbom"
+        },
+        "violations": [
+          {
+            "subject": "sbom-freshness",
+            "message": "SBOM created at: 2020-08-02T21:27:04Z which is too old (freshness limit set to 5 days)"
+          }
+        ],
+        "with": {
+          "limit": "5"
+        },
+        "type": "SBOM_CYCLONEDX_JSON",
+        "policyReference": {
+          "name": "sbom-freshness",
+          "digest": "sha256:e9b750847ba8a5439a0a43963d22cb5c5a9568de5fdcd2db21d9615c76870c2a",
+          "uri": "file://policy-sbom-freshness.yaml"
+        }
+      }
+    ],
     "materials": {
       "build-ref": {
         "string": {
@@ -83,4 +116,4 @@
     "runnerType": "GITHUB_ACTION"
   },
   "dryRun": true
-}
+}
diff --git a/pkg/attestation/renderer/chainloop/v02.go b/pkg/attestation/renderer/chainloop/v02.go
diff --git a/pkg/attestation/renderer/chainloop/v02_test.go b/pkg/attestation/renderer/chainloop/v02_test.go
