feat: CSAF VEX / OpenVEX material type support (#356)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

README.md

@@ -118,6 +118,21 @@ SecOps are the ones in charge of defining the Workflow Contracts, setting up thi
 
 Development teams on the other hand, just need to integrate Chainloop's jargon-free [crafting tool](https://docs.chainloop.dev/getting-started/attestation-crafting) and follow the steps via a familiar DevExp to make sure they comply with the Workflow Contract defined by the SecOps team. No need to learn in-toto, signing, SLSA, OCI, APIs, nada :)
 
+## Supported Pieces of Evidence / Materials
+
+Chainloop supports the collection of the following pieces of evidence types:
+
+- [Container Image Reference](https://github.com/opencontainers/image-spec)
+- [CycloneDX SBOM](https://github.com/CycloneDX/specification)
+- [SPDX SBOM](https://spdx.dev/specifications/)
+- [CSAF VEX](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html)
+- [OpenVEX](https://github.com/openvex)
+- [JUnit](https://www.ibm.com/docs/en/developer-for-zos/14.1?topic=formats-junit-xml-format)
+- Generic Artifact Types
+- Key-Value metadata pairs
+
+During the attestation process, these pieces of evidence will get uploaded to the [Content Addressable Storage](https://docs.chainloop.dev/reference/operator/cas-backend/) (if applicable) and referenced in a [SLSA](https://slsa.dev) attestation.
+
 ## Documentation
 
 To learn more, please visit the Chainloop project's documentation website, https://docs.chainloop.dev where you will find a getting started guide, FAQ, examples, and more.

app/controlplane/api/gen/frontend/workflowcontract/v1/crafting_schema.ts

@@ -17,59 +17,66 @@ syntax = "proto3";
 
 package workflowcontract.v1;
 
-option go_package = "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1";
-
 import "validate/validate.proto";
 
+option go_package = "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1";
+
 // Schema definition provided by the user to the tool
 // that defines the schema of the workflowRun
 message CraftingSchema {
-    // Version of the schema, do not confuse with the revision of the content
-    string schema_version = 1 [(validate.rules).string.const = "v1"];
-    repeated Material materials = 2;
-    repeated string env_allow_list = 3;
-    Runner runner = 4;
-    // List of annotations that can be used to add metadata to the attestation
-    // this metadata can be used later on by the integrations engine to filter and interpolate data
-    // It works in addition to the annotations defined in the materials and the runner
-    repeated Annotation annotations = 5;
+  // Version of the schema, do not confuse with the revision of the content
+  string schema_version = 1 [(validate.rules).string.const = "v1"];
+  repeated Material materials = 2;
+  repeated string env_allow_list = 3;
+  Runner runner = 4;
+  // List of annotations that can be used to add metadata to the attestation
+  // this metadata can be used later on by the integrations engine to filter and interpolate data
+  // It works in addition to the annotations defined in the materials and the runner
+  repeated Annotation annotations = 5;
 
-    message Runner {
-        RunnerType type = 1 [(validate.rules).enum = {not_in: [0]}];
+  message Runner {
+    RunnerType type = 1 [(validate.rules).enum = {
+      not_in: [0]
+    }];
 
-        enum RunnerType {
-            RUNNER_TYPE_UNSPECIFIED = 0;
-            GITHUB_ACTION = 1;
-            GITLAB_PIPELINE = 2;
-            AZURE_PIPELINE = 3;
-        } 
+    enum RunnerType {
+      RUNNER_TYPE_UNSPECIFIED = 0;
+      GITHUB_ACTION = 1;
+      GITLAB_PIPELINE = 2;
+      AZURE_PIPELINE = 3;
     }
+  }
 
-    message Material {
-        MaterialType type = 1 [(validate.rules).enum = {not_in: [0]}];
-        string name = 2 [(validate.rules).string.pattern = "^[\\w|-]+$"]; // Single word optionally separated with _ or -
-        bool optional = 3;
-        // If a material is set as output it will get added to the subject in the statement
-        bool output = 4;
-        // List of annotations that can be used to add metadata to the material
-        // this metadata can be used later on by the integrations engine to filter and interpolate data
-        repeated Annotation annotations = 5;
+  message Material {
+    MaterialType type = 1 [(validate.rules).enum = {
+      not_in: [0]
+    }];
+    string name = 2 [(validate.rules).string.pattern = "^[\\w|-]+$"]; // Single word optionally separated with _ or -
+    bool optional = 3;
+    // If a material is set as output it will get added to the subject in the statement
+    bool output = 4;
+    // List of annotations that can be used to add metadata to the material
+    // this metadata can be used later on by the integrations engine to filter and interpolate data
+    repeated Annotation annotations = 5;
 
-        enum MaterialType {
-            MATERIAL_TYPE_UNSPECIFIED = 0;
-            STRING = 1;
-            CONTAINER_IMAGE = 2;
-            ARTIFACT = 3;
-            SBOM_CYCLONEDX_JSON = 4;
-            SBOM_SPDX_JSON = 5;
-            JUNIT_XML = 6;
-            // SARIF = 5;
-        } 
+    enum MaterialType {
+      MATERIAL_TYPE_UNSPECIFIED = 0;
+      STRING = 1;
+      CONTAINER_IMAGE = 2;
+      ARTIFACT = 3;
+      SBOM_CYCLONEDX_JSON = 4;
+      SBOM_SPDX_JSON = 5;
+      JUNIT_XML = 6;
+      // https://github.com/openvex/spec
+      OPENVEX = 7;
+      // https://docs.oasis-open.org/csaf/csaf/v2.0/cs03/csaf-v2.0-cs03.html
+      CSAF_VEX = 8;
     }
+  }
 }
 
 message Annotation {
-    string name = 1 [(validate.rules).string.pattern = "^[\\w]+$"]; // Single word optionally separated with _
-    // This value can be set in the contract or provided during the attestation
-    string value = 2;
-}
+  string name = 1 [(validate.rules).string.pattern = "^[\\w]+$"]; // Single word optionally separated with _
+  // This value can be set in the contract or provided during the attestation
+  string value = 2;
+}

app/controlplane/api/workflowcontract/v1/crafting_schema.pb.go

@@ -69,6 +69,7 @@ require (
 	github.com/invopop/jsonschema v0.7.0
 	github.com/jackc/pgx/v5 v5.4.3
 	github.com/muesli/reflow v0.3.0
+	github.com/openvex/go-vex v0.2.5
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
 	google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d
 	google.golang.org/genproto/googleapis/bytestream v0.0.0-20230822172742-b8732ec3820d
@@ -91,6 +92,7 @@ require (
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 	github.com/oklog/run v1.1.0 // indirect
+	github.com/package-url/packageurl-go v0.1.1 // indirect
 	github.com/pkg/xattr v0.4.9 // indirect
 	go.opentelemetry.io/otel/metric v1.17.0 // indirect
 	gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect

app/controlplane/api/workflowcontract/v1/crafting_schema.proto

@@ -951,10 +951,14 @@ github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFSt
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
+github.com/openvex/go-vex v0.2.5 h1:41utdp2rHgAGCsG+UbjmfMG5CWQxs15nGqir1eRgSrQ=
+github.com/openvex/go-vex v0.2.5/go.mod h1:j+oadBxSUELkrKh4NfNb+BPo77U3q7gdKME88IO/0Wo=
 github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5/go.mod h1:/wsWhb9smxSfWAKL3wpBW7V8scJMt8N8gnaMCS9E/cA=
 github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
 github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4=
 github.com/openzipkin/zipkin-go v0.2.2/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4=
+github.com/package-url/packageurl-go v0.1.1 h1:KTRE0bK3sKbFKAk3yy63DpeskU7Cvs/x/Da5l+RtzyU=
+github.com/package-url/packageurl-go v0.1.1/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c=
 github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=

go.mod

@@ -0,0 +1,58 @@
+//
+// Copyright 2023 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package materials
+
+import (
+	"context"
+	"fmt"
+
+	api "github.com/chainloop-dev/chainloop/app/cli/api/attestation/v1"
+	schemaapi "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1"
+	"github.com/chainloop-dev/chainloop/internal/casclient"
+	"github.com/openvex/go-vex/pkg/csaf"
+	"github.com/rs/zerolog"
+)
+
+type CSAFVEXCrafter struct {
+	backend *casclient.CASBackend
+	*crafterCommon
+}
+
+func NewCSAFVEXCrafter(materialSchema *schemaapi.CraftingSchema_Material, backend *casclient.CASBackend, l *zerolog.Logger) (*CSAFVEXCrafter, error) {
+	if materialSchema.Type != schemaapi.CraftingSchema_Material_CSAF_VEX {
+		return nil, fmt.Errorf("material type is not CSAF_VEX format")
+	}
+
+	return &CSAFVEXCrafter{
+		backend:       backend,
+		crafterCommon: &crafterCommon{logger: l, input: materialSchema},
+	}, nil
+}
+
+func (i *CSAFVEXCrafter) Craft(ctx context.Context, filepath string) (*api.Attestation_Material, error) {
+	i.logger.Debug().Str("path", filepath).Msg("decoding CSAF VEX file")
+	doc, err := csaf.Open(filepath)
+	// parse doesn't fail if the provided file is a valid JSON, but not a valid CSAF VEX file
+	if err != nil || doc.Document.Title == "" {
+		if err != nil {
+			i.logger.Debug().Err(err).Msg("error decoding file")
+		}
+
+		return nil, fmt.Errorf("invalid CSAF VEX file: %w", ErrInvalidMaterialType)
+	}
+
+	return uploadAndCraft(ctx, i.input, i.backend, filepath, i.logger)
+}