Merge pull request moby#3918 from jedevc/purl-oci

Ensure Provenance Material URIs for OCI sources are configured to use `pkg:oci` PURLs

Author: tonistiigi

client/client_test.go

@@ -15,6 +15,7 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"path"
 	"path/filepath"
@@ -35,6 +36,7 @@ import (
 	"github.com/containerd/containerd/remotes/docker"
 	"github.com/containerd/containerd/snapshots"
 	"github.com/containerd/continuity/fs/fstest"
+	"github.com/docker/distribution/reference"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	controlapi "github.com/moby/buildkit/api/services/control"
 	"github.com/moby/buildkit/client/llb"
@@ -53,7 +55,6 @@ import (
 	"github.com/moby/buildkit/util/attestation"
 	"github.com/moby/buildkit/util/contentutil"
 	"github.com/moby/buildkit/util/entitlements"
-	"github.com/moby/buildkit/util/purl"
 	"github.com/moby/buildkit/util/testutil"
 	"github.com/moby/buildkit/util/testutil/echoserver"
 	"github.com/moby/buildkit/util/testutil/httpserver"
@@ -7564,7 +7565,14 @@ func testExportAttestations(t *testing.T, sb integration.Sandbox) {
 
 			purls := map[string]string{}
 			for _, k := range targets {
-				p, _ := purl.RefToPURL(k, &ps[i])
+				named, err := reference.ParseNormalizedNamed(k)
+				require.NoError(t, err)
+				name := reference.FamiliarName(named)
+				version := ""
+				if tagged, ok := named.(reference.Tagged); ok {
+					version = tagged.Tag()
+				}
+				p := fmt.Sprintf("pkg:docker/%s%s@%s?platform=%s", url.QueryEscape(registry), strings.TrimPrefix(name, registry), version, url.PathEscape(platforms.Format(ps[i])))
 				purls[k] = p
 			}
 
@@ -7852,8 +7860,7 @@ func testAttestationDefaultSubject(t *testing.T, sb integration.Sandbox) {
 		require.Equal(t, "https://example.com/attestations/v1.0", attest.PredicateType)
 		require.Equal(t, map[string]interface{}{"success": true}, attest.Predicate)
 
-		name, _ := purl.RefToPURL(target, &ps[0])
-
+		name := fmt.Sprintf("pkg:docker/%s/buildkit/testattestationsemptysubject@latest?platform=%s", url.QueryEscape(registry), url.QueryEscape(platforms.Format(ps[i])))
 		subjects := []intoto.Subject{{
 			Name: name,
 			Digest: map[string]string{
@@ -8004,7 +8011,7 @@ func testAttestationBundle(t *testing.T, sb integration.Sandbox) {
 
 		require.Equal(t, "https://example.com/attestations/v1.0", attest.PredicateType)
 		require.Equal(t, map[string]interface{}{"foo": "1"}, attest.Predicate)
-		name, _ := purl.RefToPURL(target, &ps[i])
+		name := fmt.Sprintf("pkg:docker/%s/buildkit/testattestationsbundle@latest?platform=%s", url.QueryEscape(registry), url.QueryEscape(platforms.Format(ps[i])))
 		subjects := []intoto.Subject{{
 			Name: name,
 			Digest: map[string]string{

exporter/containerimage/writer.go

@@ -34,6 +34,7 @@ import (
 	digest "github.com/opencontainers/go-digest"
 	specs "github.com/opencontainers/image-spec/specs-go"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/package-url/packageurl-go"
 	"github.com/pkg/errors"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/trace"
@@ -235,7 +236,7 @@ func (ic *ImageWriter) Commit(ctx context.Context, inp *exporter.Source, session
 				if name == "" {
 					continue
 				}
-				pl, err := purl.RefToPURL(name, &p.Platform)
+				pl, err := purl.RefToPURL(packageurl.TypeDocker, name, &p.Platform)
 				if err != nil {
 					return nil, err
 				}

frontend/dockerfile/dockerfile_provenance_test.go

@@ -3,18 +3,23 @@ package dockerfile
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
 	"testing"
 	"time"
 
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/content/local"
 	"github.com/containerd/containerd/platforms"
 	"github.com/containerd/continuity/fs/fstest"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	provenanceCommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/client/llb"
 	"github.com/moby/buildkit/exporter/containerimage/exptypes"
@@ -871,6 +876,141 @@ RUN --mount=type=secret,id=mysecret --mount=type=secret,id=othersecret --mount=t
 	require.True(t, pred.Invocation.Parameters.SSH[0].Optional)
 }
 
+func testOCILayoutProvenance(t *testing.T, sb integration.Sandbox) {
+	integration.CheckFeatureCompat(t, sb, integration.FeatureProvenance)
+	ctx := sb.Context()
+
+	c, err := client.New(ctx, sb.Address())
+	require.NoError(t, err)
+	defer c.Close()
+
+	registry, err := sb.NewRegistry()
+	if errors.Is(err, integration.ErrRequirements) {
+		t.Skip(err.Error())
+	}
+	require.NoError(t, err)
+	target := registry + "/buildkit/clientprovenance:ocilayout"
+
+	f := getFrontend(t, sb)
+	_, isGateway := f.(*gatewayFrontend)
+
+	ocidir := t.TempDir()
+	ociDockerfile := []byte(`
+FROM scratch
+COPY <<EOF /foo
+foo
+EOF
+	`)
+	dir, err := integration.Tmpdir(
+		t,
+		fstest.CreateFile("Dockerfile", ociDockerfile, 0600),
+	)
+	require.NoError(t, err)
+
+	_, err = f.Solve(sb.Context(), c, client.SolveOpt{
+		LocalDirs: map[string]string{
+			dockerui.DefaultLocalNameDockerfile: dir,
+			dockerui.DefaultLocalNameContext:    dir,
+		},
+		Exports: []client.ExportEntry{
+			{
+				Type:      client.ExporterOCI,
+				OutputDir: ocidir,
+				Attrs: map[string]string{
+					"tar": "false",
+				},
+			},
+		},
+	}, nil)
+	require.NoError(t, err)
+
+	var index ocispecs.Index
+	dt, err := os.ReadFile(filepath.Join(ocidir, "index.json"))
+	require.NoError(t, err)
+	err = json.Unmarshal(dt, &index)
+	require.NoError(t, err)
+	require.Equal(t, 1, len(index.Manifests))
+	digest := index.Manifests[0].Digest.Hex()
+
+	store, err := local.NewStore(ocidir)
+	require.NoError(t, err)
+	ociID := "ocione"
+
+	dockerfile := []byte(`
+FROM foo
+COPY <<EOF /bar
+bar
+EOF
+`)
+	dir, err = integration.Tmpdir(
+		t,
+		fstest.CreateFile("Dockerfile", dockerfile, 0600),
+	)
+	require.NoError(t, err)
+
+	_, err = f.Solve(sb.Context(), c, client.SolveOpt{
+		LocalDirs: map[string]string{
+			dockerui.DefaultLocalNameDockerfile: dir,
+			dockerui.DefaultLocalNameContext:    dir,
+		},
+		FrontendAttrs: map[string]string{
+			"context:foo":       fmt.Sprintf("oci-layout:%s@sha256:%s", ociID, digest),
+			"attest:provenance": "mode=max",
+		},
+		OCIStores: map[string]content.Store{
+			ociID: store,
+		},
+		Exports: []client.ExportEntry{
+			{
+				Type: client.ExporterImage,
+				Attrs: map[string]string{
+					"name": target,
+					"push": "true",
+				},
+			},
+		},
+	}, nil)
+	require.NoError(t, err)
+
+	desc, provider, err := contentutil.ProviderFromRef(target)
+	require.NoError(t, err)
+	imgs, err := testutil.ReadImages(sb.Context(), provider, desc)
+	require.NoError(t, err)
+	require.Equal(t, 2, len(imgs.Images))
+
+	expPlatform := platforms.Format(platforms.Normalize(platforms.DefaultSpec()))
+
+	img := imgs.Find(expPlatform)
+	require.NotNil(t, img)
+	require.Equal(t, []byte("foo\n"), img.Layers[0]["foo"].Data)
+	require.Equal(t, []byte("bar\n"), img.Layers[1]["bar"].Data)
+
+	att := imgs.FindAttestation(expPlatform)
+	type stmtT struct {
+		Predicate provenance.ProvenancePredicate `json:"predicate"`
+	}
+	var stmt stmtT
+	require.NoError(t, json.Unmarshal(att.LayersRaw[0], &stmt))
+	pred := stmt.Predicate
+
+	if isGateway {
+		require.Len(t, pred.Materials, 2)
+	} else {
+		require.Len(t, pred.Materials, 1)
+	}
+	var material *provenanceCommon.ProvenanceMaterial
+	for _, m := range pred.Materials {
+		if strings.Contains(m.URI, "/foo") {
+			require.Nil(t, material, pred.Materials)
+			material = &m
+		}
+	}
+	require.NotNil(t, material)
+	prefix, _, _ := strings.Cut(material.URI, "/")
+	require.Equal(t, "pkg:oci", prefix)
+	require.Equal(t, digest, material.Digest["sha256"])
+}
+
 func testNilProvenance(t *testing.T, sb integration.Sandbox) {
 	integration.CheckFeatureCompat(t, sb, integration.FeatureProvenance)
 	ctx := sb.Context()

frontend/dockerfile/dockerfile_test.go

@@ -161,6 +161,7 @@ var allTests = integration.TestFuncs(
 	testClientFrontendProvenance,
 	testClientLLBProvenance,
 	testSecretSSHProvenance,
+	testOCILayoutProvenance,
 	testNilProvenance,
 	testSBOMScannerArgs,
 	testMultiPlatformWarnings,

solver/llbsolver/provenance.go

@@ -140,6 +140,7 @@ func (b *provenanceBridge) ResolveImageConfig(ctx context.Context, ref string, o
 		Ref:      ref,
 		Platform: opt.Platform,
 		Digest:   dgst,
+		Local:    opt.ResolverType == llb.ResolverTypeOCILayout,
 	})
 	return dgst, config, nil
 }
@@ -322,10 +323,11 @@ func captureProvenance(ctx context.Context, res solver.CachedResultWithProvenanc
 				if err != nil {
 					return errors.Wrapf(err, "failed to parse OCI digest %s", pin)
 				}
-				c.AddLocalImage(provenance.ImageSource{
+				c.AddImage(provenance.ImageSource{
 					Ref:      s.Reference.String(),
 					Platform: s.Platform,
 					Digest:   dgst,
+					Local:    true,
 				})
 			default:
 				return errors.Errorf("unknown source identifier %T", id)

solver/llbsolver/provenance/capture.go

@@ -16,6 +16,7 @@ type ImageSource struct {
 	Ref      string
 	Platform *ocispecs.Platform
 	Digest   digest.Digest
+	Local    bool
 }
 
 type GitSource struct {
@@ -43,11 +44,10 @@ type SSH struct {
 }
 
 type Sources struct {
-	Images      []ImageSource
-	LocalImages []ImageSource
-	Git         []GitSource
-	HTTP        []HTTPSource
-	Local       []LocalSource
+	Images []ImageSource
+	Git    []GitSource
+	HTTP   []HTTPSource
+	Local  []LocalSource
 }
 
 type Capture struct {
@@ -67,9 +67,6 @@ func (c *Capture) Merge(c2 *Capture) error {
 	for _, i := range c2.Sources.Images {
 		c.AddImage(i)
 	}
-	for _, i := range c2.Sources.LocalImages {
-		c.AddLocalImage(i)
-	}
 	for _, l := range c2.Sources.Local {
 		c.AddLocal(l)
 	}
@@ -98,9 +95,6 @@ func (c *Capture) Sort() {
 	sort.Slice(c.Sources.Images, func(i, j int) bool {
 		return c.Sources.Images[i].Ref < c.Sources.Images[j].Ref
 	})
-	sort.Slice(c.Sources.LocalImages, func(i, j int) bool {
-		return c.Sources.LocalImages[i].Ref < c.Sources.LocalImages[j].Ref
-	})
 	sort.Slice(c.Sources.Local, func(i, j int) bool {
 		return c.Sources.Local[i].Name < c.Sources.Local[j].Name
 	})
@@ -151,7 +145,7 @@ func (c *Capture) OptimizeImageSources() error {
 
 func (c *Capture) AddImage(i ImageSource) {
 	for _, v := range c.Sources.Images {
-		if v.Ref == i.Ref {
+		if v.Ref == i.Ref && v.Local == i.Local {
 			if v.Platform == i.Platform {
 				return
 			}
@@ -165,22 +159,6 @@ func (c *Capture) AddImage(i ImageSource) {
 	c.Sources.Images = append(c.Sources.Images, i)
 }
 
-func (c *Capture) AddLocalImage(i ImageSource) {
-	for _, v := range c.Sources.LocalImages {
-		if v.Ref == i.Ref {
-			if v.Platform == i.Platform {
-				return
-			}
-			if v.Platform != nil && i.Platform != nil {
-				if v.Platform.Architecture == i.Platform.Architecture && v.Platform.OS == i.Platform.OS && v.Platform.Variant == i.Platform.Variant {
-					return
-				}
-			}
-		}
-	}
-	c.Sources.LocalImages = append(c.Sources.LocalImages, i)
-}
-
 func (c *Capture) AddLocal(l LocalSource) {
 	for _, v := range c.Sources.Local {
 		if v.Name == l.Name {

solver/llbsolver/provenance/predicate.go

@@ -56,11 +56,17 @@ type BuildKitMetadata struct {
 }
 
 func slsaMaterials(srcs Sources) ([]slsa.ProvenanceMaterial, error) {
-	count := len(srcs.Images) + len(srcs.Git) + len(srcs.HTTP) + len(srcs.LocalImages)
+	count := len(srcs.Images) + len(srcs.Git) + len(srcs.HTTP)
 	out := make([]slsa.ProvenanceMaterial, 0, count)
 
 	for _, s := range srcs.Images {
-		uri, err := purl.RefToPURL(s.Ref, s.Platform)
+		var uri string
+		var err error
+		if s.Local {
+			uri, err = purl.RefToPURL(packageurl.TypeOCI, s.Ref, s.Platform)
+		} else {
+			uri, err = purl.RefToPURL(packageurl.TypeDocker, s.Ref, s.Platform)
+		}
 		if err != nil {
 			return nil, err
 		}
@@ -93,26 +99,6 @@ func slsaMaterials(srcs Sources) ([]slsa.ProvenanceMaterial, error) {
 		})
 	}
 
-	for _, s := range srcs.LocalImages {
-		q := []packageurl.Qualifier{}
-		if s.Platform != nil {
-			q = append(q, packageurl.Qualifier{
-				Key:   "platform",
-				Value: platforms.Format(*s.Platform),
-			})
-		}
-		packageurl.NewPackageURL(packageurl.TypeOCI, "", s.Ref, "", q, "")
-
-		material := slsa.ProvenanceMaterial{
-			URI: s.Ref,
-		}
-		if s.Digest != "" {
-			material.Digest = slsa.DigestSet{
-				s.Digest.Algorithm().String(): s.Digest.Hex(),
-			}
-		}
-		out = append(out, material)
-	}
 	return out, nil
 }