refactor: migrate application snapshot VSA to per-image implementation and enable signing

- Refactored ApplicationSnapshot VSA generation to use the per-image VSA generation logic
- Simplified snapshot-level VSA flow by reusing component-level signing implementation
- Added support for signing ApplicationSnapshot VSAs using the same key and process as per-image VSAs
- Removed legacy snapshot-specific logic that is now redundant

Co-authored-by: OpenAI GPT-4.1 <[email protected]>

Author: joejstuart

cmd/validate/image.go

@@ -26,6 +26,7 @@ import (
 	"strings"
 
 	hd "github.com/MakeNowJust/heredoc"
+	"github.com/google/go-containerregistry/pkg/name"
 	app "github.com/konflux-ci/application-api/api/v1alpha1"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
 	log "github.com/sirupsen/logrus"
@@ -39,6 +40,7 @@ import (
 	"github.com/conforma/cli/internal/policy"
 	"github.com/conforma/cli/internal/policy/source"
 	"github.com/conforma/cli/internal/utils"
+	"github.com/conforma/cli/internal/utils/oci"
 	validate_utils "github.com/conforma/cli/internal/validate"
 	"github.com/conforma/cli/internal/validate/vsa"
 )
@@ -458,40 +460,45 @@ func validateImageCmd(validate imageValidationFunc) *cobra.Command {
 			}
 
 			if data.vsaEnabled {
-				generator := vsa.NewGenerator(report)
-				writer := vsa.NewWriter()
-				for _, comp := range components {
-					writtenPath, err := vsa.GenerateAndWriteVSA(cmd.Context(), generator, writer, comp)
-					if err != nil {
-						log.Error(err)
-						continue
-					}
+				signer, err := vsa.NewSigner(data.vsaSigningKey, utils.FS(cmd.Context()))
+				if err != nil {
+					log.Error(err)
+					return err
+				}
 
-					signer, err := vsa.NewSigner(data.vsaSigningKey, utils.FS(cmd.Context()))
-					if err != nil {
-						log.Error(err)
-						continue
-					}
+				// Create VSA service
+				vsaService := vsa.NewServiceWithFS(signer, utils.FS(cmd.Context()))
 
-					// Get the git URL safely, defaulting to empty string if GitSource is nil
-					var gitURL string
+				// Define helper functions for getting git URL and digest
+				getGitURL := func(comp applicationsnapshot.Component) string {
 					if comp.Source.GitSource != nil {
-						gitURL = comp.Source.GitSource.URL
+						return comp.Source.GitSource.URL
 					}
+					return ""
+				}
 
-					attestor, err := vsa.NewAttestor(writtenPath, gitURL, comp.ContainerImage, signer)
+				getDigest := func(comp applicationsnapshot.Component) (string, error) {
+					imageRef, err := name.ParseReference(comp.ContainerImage)
 					if err != nil {
-						log.Error(err)
-						continue
+						return "", fmt.Errorf("failed to parse image reference %s: %v", comp.ContainerImage, err)
 					}
-					envelope, err := vsa.AttestVSA(cmd.Context(), attestor, comp)
+
+					digest, err := oci.NewClient(cmd.Context()).ResolveDigest(imageRef)
 					if err != nil {
-						log.Error(err)
-						continue
+						return "", fmt.Errorf("failed to resolve digest for image %s: %v", comp.ContainerImage, err)
 					}
-					log.Infof("[VSA] VSA attested and envelope written to %s", envelope)
+
+					return digest, nil
+				}
+
+				// Process all VSAs using the service
+				err = vsaService.ProcessAllVSAs(cmd.Context(), report, getGitURL, getDigest)
+				if err != nil {
+					log.Errorf("Failed to process VSAs: %v", err)
+					// Don't return error here, continue with the rest of the command
 				}
 			}
+
 			if data.strict && !report.Success {
 				return errors.New("success criteria not met")
 			}

internal/applicationsnapshot/digest.go

@@ -0,0 +1,17 @@
+package applicationsnapshot
+
+import (
+	"crypto/sha256"
+	"fmt"
+
+	"github.com/spf13/afero"
+)
+
+// GetVSAPredicateDigest calculates the sha256 digest of the given file path.
+func GetVSAPredicateDigest(fs afero.Fs, path string) (string, error) {
+	data, err := afero.ReadFile(fs, path)
+	if err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("sha256:%x", sha256.Sum256(data)), nil
+}

internal/applicationsnapshot/report.go

@@ -18,6 +18,7 @@ package applicationsnapshot
 
 import (
 	"bytes"
+	"context"
 	"embed"
 	"encoding/json"
 	"encoding/xml"
@@ -219,11 +220,12 @@ func (r *Report) toFormat(format string) (data []byte, err error) {
 }
 
 func (r *Report) toVSA() ([]byte, error) {
-	vsa, err := NewVSA(*r)
+	generator := NewSnapshotVSAGenerator(*r)
+	predicate, err := generator.GeneratePredicate(context.Background())
 	if err != nil {
 		return []byte{}, err
 	}
-	return json.Marshal(vsa)
+	return json.Marshal(predicate)
 }
 
 // toSummary returns a condensed version of the report.

internal/applicationsnapshot/vsa.go

@@ -17,45 +17,74 @@
 package applicationsnapshot
 
 import (
-	"github.com/in-toto/in-toto-golang/in_toto"
-)
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
 
-const (
-	// Make it visible elsewhere
-	PredicateVSAProvenance = "https://conforma.dev/verification_summary/v1"
-	StatmentVSA            = "https://in-toto.io/Statement/v1"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/afero"
 )
 
-type ProvenanceStatementVSA struct {
-	in_toto.StatementHeader
-	Predicate Report `json:"predicate"`
+// SnapshotVSAWriter handles writing application snapshot VSA predicates to files
+type SnapshotVSAWriter struct {
+	FS            afero.Fs    // defaults to afero.NewOsFs()
+	TempDirPrefix string      // defaults to "snapshot-vsa-"
+	FilePerm      os.FileMode // defaults to 0600
+}
+
+// NewSnapshotVSAWriter creates a new application snapshot VSA file writer
+func NewSnapshotVSAWriter() *SnapshotVSAWriter {
+	return &SnapshotVSAWriter{
+		FS:            afero.NewOsFs(),
+		TempDirPrefix: "snapshot-vsa-",
+		FilePerm:      0o600,
+	}
 }
 
-func NewVSA(report Report) (ProvenanceStatementVSA, error) {
-	subjects, err := getSubjects(report)
+// WritePredicate writes the Report as a VSA predicate to a file
+func (w *SnapshotVSAWriter) WritePredicate(report Report) (string, error) {
+	log.Infof("Writing application snapshot VSA")
+
+	// Serialize with indent
+	data, err := json.MarshalIndent(report, "", "  ")
 	if err != nil {
-		return ProvenanceStatementVSA{}, err
+		return "", fmt.Errorf("failed to marshal application snapshot VSA: %w", err)
 	}
 
-	return ProvenanceStatementVSA{
-		StatementHeader: in_toto.StatementHeader{
-			Type:          StatmentVSA,
-			PredicateType: PredicateVSAProvenance,
-			Subject:       subjects,
-		},
-		Predicate: report,
-	}, nil
-}
+	// Create temp directory
+	tempDir, err := afero.TempDir(w.FS, "", w.TempDirPrefix)
+	if err != nil {
+		return "", fmt.Errorf("failed to create temp directory: %w", err)
+	}
 
-func getSubjects(report Report) ([]in_toto.Subject, error) {
-	statements, err := report.attestations()
+	// Write to file
+	filename := "application-snapshot-vsa.json"
+	filepath := filepath.Join(tempDir, filename)
+	err = afero.WriteFile(w.FS, filepath, data, w.FilePerm)
 	if err != nil {
-		return []in_toto.Subject{}, err
+		return "", fmt.Errorf("failed to write application snapshot VSA to file: %w", err)
 	}
 
-	var subjects []in_toto.Subject
-	for _, stmt := range statements {
-		subjects = append(subjects, stmt.Subject...)
+	log.Infof("Application snapshot VSA written to: %s", filepath)
+	return filepath, nil
+}
+
+type SnapshotVSAGenerator struct {
+	Report Report
+}
+
+// NewSnapshotVSAGenerator creates a new VSA predicate generator for application snapshots
+func NewSnapshotVSAGenerator(report Report) *SnapshotVSAGenerator {
+	return &SnapshotVSAGenerator{
+		Report: report,
 	}
-	return subjects, nil
+}
+
+// GeneratePredicate creates a VSA predicate for the entire application snapshot
+func (g *SnapshotVSAGenerator) GeneratePredicate(ctx context.Context) (Report, error) {
+	log.Infof("Generating application snapshot VSA predicate with %d components", len(g.Report.Components))
+
+	return g.Report, nil
 }

internal/applicationsnapshot/vsa_test.go

@@ -4,7 +4,7 @@
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
-//     http://www.apache.org/licenses/LICENSE-2.0
+//	http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ -20,104 +20,72 @@ package applicationsnapshot
 
 import (
 	"context"
-	"encoding/json"
-	"fmt"
+	"os"
+	"path/filepath"
 	"testing"
 
 	ecc "github.com/enterprise-contract/enterprise-contract-controller/api/v1alpha1"
-	"github.com/in-toto/in-toto-golang/in_toto"
 	app "github.com/konflux-ci/application-api/api/v1alpha1"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	"github.com/conforma/cli/internal/evaluator"
-	"github.com/conforma/cli/internal/policy"
-	"github.com/conforma/cli/internal/utils"
 )
 
-func TestNewVSA(t *testing.T) {
-	components := []Component{
-		{
-			SnapshotComponent: app.SnapshotComponent{Name: "component1"},
-			Violations: []evaluator.Result{
-				{
-					Message: "violation1",
-				},
-			},
-			Attestations: []AttestationResult{
-				{
-					Statement: []byte{},
+func TestSnapshotVSAGenerator_GeneratePredicate(t *testing.T) {
+	ctx := context.Background()
+
+	// Create a test report
+	report := Report{
+		Components: []Component{
+			{
+				SnapshotComponent: app.SnapshotComponent{
+					Name:           "test-component",
+					ContainerImage: "test-image:latest",
 				},
+				Success:    true,
+				Violations: []evaluator.Result{},
+				Warnings:   []evaluator.Result{},
+				Successes:  []evaluator.Result{},
 			},
 		},
+		Policy: ecc.EnterpriseContractPolicySpec{
+			Name: "test-policy",
+		},
 	}
 
-	utils.SetTestRekorPublicKey(t)
-	pkey := utils.TestPublicKey
-	testPolicy, err := policy.NewPolicy(context.Background(), policy.Options{
-		PublicKey:     pkey,
-		EffectiveTime: policy.Now,
-		PolicyRef:     toJson(&ecc.EnterpriseContractPolicySpec{PublicKey: pkey}),
-	})
-	assert.NoError(t, err)
+	generator := NewSnapshotVSAGenerator(report)
 
-	report, err := NewReport("snappy", components, testPolicy, nil, true)
-	assert.NoError(t, err)
+	predicate, err := generator.GeneratePredicate(ctx)
+	require.NoError(t, err)
 
-	expected := ProvenanceStatementVSA{
-		StatementHeader: in_toto.StatementHeader{
-			Type:          "https://in-toto.io/Statement/v1",
-			PredicateType: "https://conforma.dev/verification_summary/v1",
-			Subject:       nil,
-		},
-		Predicate: report,
-	}
-	vsa, err := NewVSA(report)
-	assert.NoError(t, err)
-	assert.Equal(t, expected, vsa)
+	// Verify the predicate is the same as the report
+	assert.Equal(t, report, predicate)
 }
 
-func TestSubjects(t *testing.T) {
-	expected := []in_toto.Subject{
-		{
-			Name:   "my-subject",
-			Digest: nil,
-		},
-	}
-
-	statement := in_toto.Statement{
-		StatementHeader: in_toto.StatementHeader{
-			Subject: expected,
-		},
-	}
-	data, err := json.Marshal(statement)
-	assert.NoError(t, err)
-
-	components := []Component{
-		{
-			SnapshotComponent: app.SnapshotComponent{Name: "component1"},
-			Violations: []evaluator.Result{
-				{
-					Message: "violation1",
-				},
-			},
-			Attestations: []AttestationResult{
-				{
-					Statement: data,
+func TestSnapshotVSAWriter_WritePredicate(t *testing.T) {
+	// Create a test report
+	report := Report{
+		Components: []Component{
+			{
+				SnapshotComponent: app.SnapshotComponent{
+					Name:           "test-component",
+					ContainerImage: "test-image:latest",
 				},
+				Success: true,
 			},
 		},
 	}
 
-	report := Report{Components: components}
-	subjects, err := getSubjects(report)
-	assert.NoError(t, err)
-	assert.Equal(t, expected, subjects)
-}
+	writer := NewSnapshotVSAWriter()
 
-func toJson(policy any) string {
-	newInline, err := json.Marshal(policy)
-	if err != nil {
-		panic(fmt.Errorf("invalid JSON: %w", err))
-	}
-	return string(newInline)
+	path, err := writer.WritePredicate(report)
+	require.NoError(t, err)
+
+	// Verify the file was created and contains valid JSON
+	assert.Contains(t, path, "snapshot-vsa-")
+	assert.Contains(t, path, "application-snapshot-vsa.json")
+
+	// Clean up
+	os.RemoveAll(filepath.Dir(path))
 }