feat(dependency-track): add fanout entry filtering (#2119)

Signed-off-by: Sylwester Piskozub <[email protected]>

Author: Piskoo

app/cli/cmd/attached_integration_add.go

@@ -28,7 +28,11 @@ func newAttachedIntegrationAttachCmd() *cobra.Command {
 		Use:     "add",
 		Aliases: []string{"attach"},
 		Short:   "Attach an existing registered integration to a workflow",
-		Example: `  chainloop integration attached add --workflow deadbeef --project my-project --integration beefdoingwell --opt projectName=MyProject --opt projectVersion=1.0.0`,
+		Example: `  chainloop integration attached add --workflow deadbeef --project my-project --integration beefdoingwell --opt projectName=MyProject --opt projectVersion=1.0.0
+
+  # Only send SBOMs to dependency track when the annotations in the attestation or material match the filter in an AND operation. 
+  Note: material annotations take precedence over attestation ones.
+  chainloop integration attached add --workflow deadbeef --project my-project --integration dependency-track --opt projectName=MyProject --opt filter="environment=prod,team=security"`,
 		RunE: func(_ *cobra.Command, _ []string) error {
 			// Find the integration to extract the kind of integration we care about
 			integration, err := action.NewRegisteredIntegrationDescribe(actionOpts).Run(integrationName)

app/cli/documentation/cli-reference.mdx

@@ -1363,6 +1363,10 @@ Examples
 
 ```
 chainloop integration attached add --workflow deadbeef --project my-project --integration beefdoingwell --opt projectName=MyProject --opt projectVersion=1.0.0
+
+Only send SBOMs to dependency track when the annotations in the attestation or material match the filter in an AND operation.
+Note: material annotations take precedence over attestation ones.
+chainloop integration attached add --workflow deadbeef --project my-project --integration dependency-track --opt projectName=MyProject --opt filter="environment=prod,team=security"
 ```
 
 Options
@@ -2629,6 +2633,10 @@ Examples
 
 ```
 chainloop integration attached add --workflow deadbeef --project my-project --integration beefdoingwell --opt projectName=MyProject --opt projectVersion=1.0.0
+
+Only send SBOMs to dependency track when the annotations in the attestation or material match the filter in an AND operation.
+Note: material annotations take precedence over attestation ones.
+chainloop integration attached add --workflow deadbeef --project my-project --integration dependency-track --opt projectName=MyProject --opt filter="environment=prod,team=security"
 ```
 
 Options

app/controlplane/plugins/core/dependency-track/v1/README.md

@@ -45,6 +45,7 @@ See https://docs.chainloop.dev/guides/dependency-track/
 
 |Field|Type|Required|Description|
 |---|---|---|---|
+|filter|string|no|Comma-separated annotation filters where material annotations take precedence over attestation when keys match|
 |parentID|string|no|ID of parent project to create a new project under|
 |projectID|string|no|The ID of the existing project to send the SBOMs to|
 |projectName|string|no|The name of the project to create and send the SBOMs to|
@@ -82,6 +83,11 @@ See https://docs.chainloop.dev/guides/dependency-track/
       "type": "string",
       "minLength": 1,
       "description": "ID of parent project to create a new project under"
+    },
+    "filter": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Comma-separated annotation filters where material annotations take precedence over attestation when keys match"
     }
   },
   "additionalProperties": false,

app/controlplane/plugins/core/dependency-track/v1/extension.go

@@ -49,6 +49,7 @@ type attachmentRequest struct {
 	ProjectName string `json:"projectName,omitempty" jsonschema:"oneof_required=projectName,minLength=1,description=The name of the project to create and send the SBOMs to"`
 
 	ParentID string `json:"parentID,omitempty" jsonschema:"minLength=1,description=ID of parent project to create a new project under"`
+	Filter   string `json:"filter,omitempty" jsonschema:"minLength=1,description=Comma-separated annotation filters where material annotations take precedence over attestation when keys match"`
 }
 
 // Enforces the requirement that parentID requires the presence of projectName
@@ -71,6 +72,7 @@ type attachmentConfig struct {
 	ProjectID   string `json:"projectId"`
 	ProjectName string `json:"projectName"`
 	ParentID    string `json:"parentId"`
+	Filter      string `json:"filter"`
 }
 
 const description = "Send CycloneDX SBOMs to your Dependency-Track instance"
@@ -79,7 +81,7 @@ func New(l log.Logger) (sdk.FanOut, error) {
 	base, err := sdk.NewFanOut(
 		&sdk.NewParams{
 			ID:          "dependency-track",
-			Version:     "1.6",
+			Version:     "1.7",
 			Description: description,
 			Logger:      l,
 			InputSchema: &sdk.InputSchema{
@@ -148,10 +150,10 @@ func (i *DependencyTrack) Attach(ctx context.Context, req *sdk.AttachmentRequest
 		return nil, fmt.Errorf("invalid attachment configuration: %w", err)
 	}
 
-	i.Logger.Infow("msg", "attachment OK", "projectID", request.ProjectID, "projectName", request.ProjectName, "parentID", request.ParentID)
+	i.Logger.Infow("msg", "attachment OK", "projectID", request.ProjectID, "projectName", request.ProjectName, "parentID", request.ParentID, "filter", request.Filter)
 
 	// We want to store the project configuration
-	rawConfig, err := sdk.ToConfig(&attachmentConfig{ProjectID: request.ProjectID, ProjectName: request.ProjectName, ParentID: request.ParentID})
+	rawConfig, err := sdk.ToConfig(&attachmentConfig{ProjectID: request.ProjectID, ProjectName: request.ProjectName, ParentID: request.ParentID, Filter: request.Filter})
 	if err != nil {
 		return nil, fmt.Errorf("marshalling configuration: %w", err)
 	}
@@ -197,6 +199,16 @@ func doExecute(ctx context.Context, req *sdk.ExecutionRequest, sbom *sdk.Execute
 		return errors.New("invalid attachment configuration")
 	}
 
+	// Check if upload filter is specified and if it matches annotations
+	if attachmentConfig.Filter != "" {
+		attestationAnnotations := req.Input.Attestation.Predicate.GetAnnotations()
+		materialAnnotations := sbom.Annotations
+		if err := verifyAllFilters(attestationAnnotations, materialAnnotations, attachmentConfig.Filter); err != nil {
+			l.Infow("msg", "filter conditions not met, SKIPPING", "err", err, "materialName", sbom.Name)
+			return nil
+		}
+	}
+
 	// Calculate the project name based on the template
 
 	projectName, err := resolveProjectName(attachmentConfig.ProjectName, req.Input.Attestation.Predicate.GetAnnotations(), sbom.Annotations)
@@ -244,6 +256,38 @@ func doExecute(ctx context.Context, req *sdk.ExecutionRequest, sbom *sdk.Execute
 	return nil
 }
 
+// verify if all filter conditions are met by either:
+// 1) Material annotations (higher precedence if same key exists in both)
+// 2) Attestation annotations (fallback if key not in material)
+func verifyAllFilters(attestationAnnotations, materialAnnotations map[string]string, filter string) error {
+	if filter == "" {
+		return nil
+	}
+
+	for _, f := range strings.Split(filter, ",") {
+		parts := strings.SplitN(strings.TrimSpace(f), "=", 2)
+		if len(parts) != 2 {
+			return fmt.Errorf("invalid filter segment '%s' - must be 'key=value'", f)
+		}
+
+		key, value := parts[0], parts[1]
+
+		if matVal, exists := materialAnnotations[key]; exists {
+			if matVal != value {
+				return fmt.Errorf("material annotation mismatch: %s=%s (expected %s)", key, matVal, value)
+			}
+			continue
+		}
+
+		if attVal, exists := attestationAnnotations[key]; !exists {
+			return fmt.Errorf("missing required annotation: %s", key)
+		} else if attVal != value {
+			return fmt.Errorf("attestation annotation mismatch: %s=%s (expected %s)", key, attVal, value)
+		}
+	}
+	return nil
+}
+
 type interpolationContext struct {
 	Material    *annotations
 	Attestation *annotations
@@ -332,6 +376,10 @@ func validateAttachmentConfiguration(rc *registrationConfig, ac *attachmentReque
 		return errors.New("project name must be provided to work with parent id")
 	}
 
+	if err := validateFilter(ac.Filter); err != nil {
+		return fmt.Errorf("invalid filter: %w", err)
+	}
+
 	return nil
 }
 
@@ -358,3 +406,17 @@ func validateExecuteOpts(m *sdk.ExecuteMaterial, regConfig *sdk.RegistrationResp
 
 	return nil
 }
+
+func validateFilter(filter string) error {
+	if filter == "" {
+		return nil
+	}
+
+	for _, f := range strings.Split(filter, ",") {
+		f = strings.TrimSpace(f)
+		if !strings.Contains(f, "=") || strings.HasPrefix(f, "=") || strings.HasSuffix(f, "=") {
+			return fmt.Errorf("invalid filter segment '%s' - must be 'key=value'", f)
+		}
+	}
+	return nil
+}

app/controlplane/plugins/core/dependency-track/v1/extension_test.go

@@ -305,16 +305,18 @@ func TestValidateExecuteOpts(t *testing.T) {
 
 func TestValidateAttachmentConfiguration(t *testing.T) {
 	testCases := []struct {
-		allowAutoCreate                  bool
-		projectID, projectName, parentID string
-		errMsg                           string
+		allowAutoCreate                          bool
+		projectID, projectName, parentID, filter string
+		errMsg                                   string
 	}{
-		{false, "project-id", "", "", ""},
-		{true, "", "project-name", "", ""},
-		{true, "", "project-name", "parent-id", ""},
-		{false, "", "project-name", "", "auto creation of projects is not supported in this integration"},
-		{false, "", "", "", "project id or name must be provided"},
-		{false, "project-id", "", "parent-id", "project name must be provided to work with parent id"},
+		{false, "project-id", "", "", "", ""},
+		{true, "", "project-name", "", "", ""},
+		{true, "", "project-name", "parent-id", "", ""},
+		{false, "", "project-name", "", "", "auto creation of projects is not supported in this integration"},
+		{false, "", "", "", "", "project id or name must be provided"},
+		{false, "project-id", "", "parent-id", "", "project name must be provided to work with parent id"},
+		{true, "", "project-name", "", "environment=prod", ""},
+		{true, "", "project-name", "", "filter", "invalid filter: invalid filter segment 'filter' - must be 'key=value'"},
 	}
 
 	for _, tc := range testCases {
@@ -326,6 +328,7 @@ func TestValidateAttachmentConfiguration(t *testing.T) {
 			ProjectID:   tc.projectID,
 			ProjectName: tc.projectName,
 			ParentID:    tc.parentID,
+			Filter:      tc.filter,
 		}
 		err := validateAttachmentConfiguration(rc, ac)
 		if tc.errMsg != "" {
@@ -335,3 +338,76 @@ func TestValidateAttachmentConfiguration(t *testing.T) {
 		}
 	}
 }
+
+func TestVerifyAllFilters(t *testing.T) {
+	attestationAnnotations := map[string]string{
+		"environment": "prod",
+		"team":        "security",
+	}
+
+	materialAnnotations := map[string]string{
+		"environment": "staging",
+		"critical":    "true",
+	}
+
+	testCases := []struct {
+		name   string
+		filter string
+		errMsg string
+	}{
+		{
+			name:   "material annotation exact match",
+			filter: "critical=true",
+		},
+		{
+			name:   "material precedence over attestation for same key",
+			filter: "environment=staging",
+		},
+		{
+			name:   "material value mismatch fails",
+			filter: "environment=prod",
+			errMsg: "material annotation mismatch",
+		},
+		{
+			name:   "attestation annotation fallback match",
+			filter: "team=security",
+		},
+		{
+			name:   "attestation value mismatch fails",
+			filter: "team=infra",
+			errMsg: "attestation annotation mismatch",
+		},
+		{
+			name:   "missing annotation fails",
+			filter: "nonexistent=value",
+			errMsg: "missing required annotation",
+		},
+		{
+			name:   "multiple conditions all match",
+			filter: "environment=staging,team=security",
+		},
+		{
+			name:   "one mismatched condition fails entire filter",
+			filter: "environment=staging,team=infra",
+			errMsg: "attestation annotation mismatch",
+		},
+		{
+			name:   "invalid filter format",
+			filter: "environment",
+			errMsg: "invalid filter segment",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			err := verifyAllFilters(attestationAnnotations, materialAnnotations, tc.filter)
+
+			if tc.errMsg != "" {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tc.errMsg)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}

devel/integrations.md

@@ -10,7 +10,7 @@ Below you can find the list of currently available integrations. If you can't fi
 
 | ID | Version | Description | Material Requirement |
 | --- | --- | --- | --- |
-| [dependency-track](https://github.com/chainloop-dev/chainloop/blob/main/app/controlplane/plugins/core/dependency-track/v1/README.md) | 1.6 | Send CycloneDX SBOMs to your Dependency-Track instance | SBOM_CYCLONEDX_JSON |
+| [dependency-track](https://github.com/chainloop-dev/chainloop/blob/main/app/controlplane/plugins/core/dependency-track/v1/README.md) | 1.7 | Send CycloneDX SBOMs to your Dependency-Track instance | SBOM_CYCLONEDX_JSON |
 | [discord-webhook](https://github.com/chainloop-dev/chainloop/blob/main/app/controlplane/plugins/core/discord-webhook/v1/README.md) | 1.1 | Send attestations to Discord |  |
 | [guac](https://github.com/chainloop-dev/chainloop/blob/main/app/controlplane/plugins/core/guac/v1/README.md) | 1.0 | Export Attestation and SBOMs metadata to a blob storage backend so guacsec/guac can consume it | SBOM_CYCLONEDX_JSON, SBOM_SPDX_JSON |
 | [slack-webhook](https://github.com/chainloop-dev/chainloop/blob/main/app/controlplane/plugins/core/slack-webhook/v1/README.md) | 1.0 | Send attestations to Slack |  |