Merge pull request #3259 from crazy-max/build-metadata-provenance-02

build: fix buildx.build.provenance metadata

Author: crazy-max

build/provenance.go

@@ -13,6 +13,7 @@ import (
 	"github.com/containerd/containerd/v2/core/content/proxy"
 	"github.com/docker/buildx/util/confutil"
 	"github.com/docker/buildx/util/progress"
+	slsa1 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1"
 	controlapi "github.com/moby/buildkit/api/services/control"
 	"github.com/moby/buildkit/client"
 	provenancetypes "github.com/moby/buildkit/solver/llbsolver/provenance/types"
@@ -22,15 +23,6 @@ import (
 	"golang.org/x/sync/errgroup"
 )
 
-type provenancePredicate struct {
-	Builder *provenanceBuilder `json:"builder,omitempty"`
-	provenancetypes.ProvenancePredicateSLSA02
-}
-
-type provenanceBuilder struct {
-	ID string `json:"id,omitempty"`
-}
-
 func setRecordProvenance(ctx context.Context, c *client.Client, sr *client.SolveResponse, ref string, mode confutil.MetadataProvenanceMode, pw progress.Writer) error {
 	if mode == confutil.MetadataProvenanceModeDisabled {
 		return nil
@@ -69,7 +61,7 @@ func fetchProvenance(ctx context.Context, c *client.Client, ref string, mode con
 			continue
 		}
 		if ev.Record.Result != nil {
-			desc := lookupProvenance(ev.Record.Result)
+			desc, predicateType := lookupProvenance(ev.Record.Result)
 			if desc == nil {
 				continue
 			}
@@ -78,7 +70,7 @@ func fetchProvenance(ctx context.Context, c *client.Client, ref string, mode con
 				if err != nil {
 					return errors.Wrapf(err, "failed to load provenance blob from build record")
 				}
-				prv, err := encodeProvenance(dt, mode)
+				prv, err := encodeProvenance(dt, predicateType, mode)
 				if err != nil {
 					return err
 				}
@@ -92,7 +84,7 @@ func fetchProvenance(ctx context.Context, c *client.Client, ref string, mode con
 			})
 		} else if ev.Record.Results != nil {
 			for platform, res := range ev.Record.Results {
-				desc := lookupProvenance(res)
+				desc, predicateType := lookupProvenance(res)
 				if desc == nil {
 					continue
 				}
@@ -101,7 +93,7 @@ func fetchProvenance(ctx context.Context, c *client.Client, ref string, mode con
 					if err != nil {
 						return errors.Wrapf(err, "failed to load provenance blob from build record")
 					}
-					prv, err := encodeProvenance(dt, mode)
+					prv, err := encodeProvenance(dt, predicateType, mode)
 					if err != nil {
 						return err
 					}
@@ -119,35 +111,37 @@ func fetchProvenance(ctx context.Context, c *client.Client, ref string, mode con
 	return out, eg.Wait()
 }
 
-func lookupProvenance(res *controlapi.BuildResultInfo) *ocispecs.Descriptor {
+func lookupProvenance(res *controlapi.BuildResultInfo) (*ocispecs.Descriptor, string) {
 	for _, a := range res.Attestations {
 		if a.MediaType == "application/vnd.in-toto+json" && strings.HasPrefix(a.Annotations["in-toto.io/predicate-type"], "https://slsa.dev/provenance/") {
 			return &ocispecs.Descriptor{
 				Digest:      digest.Digest(a.Digest),
 				Size:        a.Size,
 				MediaType:   a.MediaType,
 				Annotations: a.Annotations,
-			}
+			}, a.Annotations["in-toto.io/predicate-type"]
 		}
 	}
-	return nil
+	return nil, ""
 }
 
-func encodeProvenance(dt []byte, mode confutil.MetadataProvenanceMode) (string, error) {
-	var prv provenancePredicate
-	if err := json.Unmarshal(dt, &prv); err != nil {
+func encodeProvenance(dt []byte, predicateType string, mode confutil.MetadataProvenanceMode) (string, error) {
+	var pred *provenancetypes.ProvenancePredicateSLSA02
+	if predicateType == slsa1.PredicateSLSAProvenance {
+		var pred1 *provenancetypes.ProvenancePredicateSLSA1
+		if err := json.Unmarshal(dt, &pred1); err != nil {
+			return "", errors.Wrapf(err, "failed to unmarshal provenance")
+		}
+		pred = pred1.ConvertToSLSA02()
+	} else if err := json.Unmarshal(dt, &pred); err != nil {
 		return "", errors.Wrapf(err, "failed to unmarshal provenance")
 	}
-	if prv.Builder != nil && prv.Builder.ID == "" {
-		// reset builder if id is empty
-		prv.Builder = nil
-	}
 	if mode == confutil.MetadataProvenanceModeMin {
 		// reset fields for minimal provenance
-		prv.BuildConfig = nil
-		prv.Metadata = nil
+		pred.BuildConfig = nil
+		pred.Metadata = nil
 	}
-	dtprv, err := json.Marshal(prv)
+	dtprv, err := json.Marshal(pred)
 	if err != nil {
 		return "", errors.Wrapf(err, "failed to marshal provenance")
 	}

commands/history/inspect.go

@@ -441,7 +441,7 @@ workers0:
 			if err := json.Unmarshal(dt, &pred02); err != nil {
 				return errors.Errorf("failed to unmarshal provenance %s: %v", prov.descr.Digest, err)
 			}
-			pred = provenancetypes.ConvertSLSA02ToSLSA1(pred02)
+			pred = pred02.ConvertToSLSA1()
 		} else if err := json.Unmarshal(dt, &pred); err != nil {
 			return errors.Errorf("failed to unmarshal provenance %s: %v", prov.descr.Digest, err)
 		}

go.mod

@@ -28,7 +28,7 @@ require (
 	github.com/hashicorp/hcl/v2 v2.23.0
 	github.com/in-toto/in-toto-golang v0.9.0
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/moby/buildkit v0.23.0
+	github.com/moby/buildkit v0.23.0-rc1.0.20250618182037-9b91d20367db // master
 	github.com/moby/go-archive v0.1.0
 	github.com/moby/sys/atomicwriter v0.1.0
 	github.com/moby/sys/mountinfo v0.7.2

go.sum

@@ -250,8 +250,8 @@ github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZX
 github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
 github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
 github.com/mitchellh/mapstructure v0.0.0-20150613213606-2caf8efc9366/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/moby/buildkit v0.23.0 h1:HV+u7xM2IZhAjVautFR2l5FNhkxFR0jhF5ILXyc3398=
-github.com/moby/buildkit v0.23.0/go.mod h1:v5jMDvQgUyidk3wu3NvVAAd5JJo83nfet9Gf/o0+EAQ=
+github.com/moby/buildkit v0.23.0-rc1.0.20250618182037-9b91d20367db h1:ZzrDuG9G1A/RwJvuogNplxCEKsIUQh1CqEnqbOGFgKE=
+github.com/moby/buildkit v0.23.0-rc1.0.20250618182037-9b91d20367db/go.mod h1:v5jMDvQgUyidk3wu3NvVAAd5JJo83nfet9Gf/o0+EAQ=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/go-archive v0.1.0 h1:Kk/5rdW/g+H8NHdJW2gsXyZ7UnzvJNOy6VKJqueWdcQ=

tests/bake.go

@@ -1398,7 +1398,7 @@ target "default" {
 
 	var prv provenancetypes.ProvenancePredicateSLSA02
 	require.NoError(t, json.Unmarshal(dtprv, &prv))
-	require.Equal(t, provenancetypes.BuildKitBuildType, prv.BuildType)
+	require.Equal(t, provenancetypes.BuildKitBuildType02, prv.BuildType)
 }
 
 func testBakeMetadataWarnings(t *testing.T, sb integration.Sandbox) {

tests/build.go

@@ -835,7 +835,7 @@ func buildMetadataProvenance(t *testing.T, sb integration.Sandbox, metadataMode
 
 	var prv provenancetypes.ProvenancePredicateSLSA02
 	require.NoError(t, json.Unmarshal(dtprv, &prv))
-	require.Equal(t, provenancetypes.BuildKitBuildType, prv.BuildType)
+	require.Equal(t, provenancetypes.BuildKitBuildType02, prv.BuildType)
 }
 
 func testBuildMetadataWarnings(t *testing.T, sb integration.Sandbox) {

vendor/github.com/moby/buildkit/solver/llbsolver/provenance/types/types.go

@@ -447,7 +447,7 @@ github.com/mitchellh/go-wordwrap
 # github.com/mitchellh/hashstructure/v2 v2.0.2
 ## explicit; go 1.14
 github.com/mitchellh/hashstructure/v2
-# github.com/moby/buildkit v0.23.0
+# github.com/moby/buildkit v0.23.0-rc1.0.20250618182037-9b91d20367db
 ## explicit; go 1.23.0
 github.com/moby/buildkit/api/services/control
 github.com/moby/buildkit/api/types