provenance: fix possible empty digest access

If the digest for an ImageSource is the empty string, then calling
`Digest.Algorithm` will panic at runtime.

This scenario *can* happen if `ResolveImageConfig` returns an empty
digest, but correctly returns a config object. This doesn't occur in
buildkit directly, however, buildkit-in-moby implements a custom worker
which also performs image lookups on local images, in which case the
digest for the index may not be available (though this may be possible
with the containerd image store?).

Therefore, we shouldn't assume that the digest is always available in
buildkit, and should instead check that is valid before inserting it
into the digest set (which is already an optional map).

Signed-off-by: Justin Chadwell <[email protected]>

Author: jedevc

solver/llbsolver/provenance/predicate.go

@@ -64,12 +64,15 @@ func slsaMaterials(srcs Sources) ([]slsa.ProvenanceMaterial, error) {
 		if err != nil {
 			return nil, err
 		}
-		out = append(out, slsa.ProvenanceMaterial{
+		material := slsa.ProvenanceMaterial{
 			URI: uri,
-			Digest: slsa.DigestSet{
+		}
+		if s.Digest != "" {
+			material.Digest = slsa.DigestSet{
 				s.Digest.Algorithm().String(): s.Digest.Hex(),
-			},
-		})
+			}
+		}
+		out = append(out, material)
 	}
 
 	for _, s := range srcs.Git {
@@ -99,12 +102,16 @@ func slsaMaterials(srcs Sources) ([]slsa.ProvenanceMaterial, error) {
 			})
 		}
 		packageurl.NewPackageURL(packageurl.TypeOCI, "", s.Ref, "", q, "")
-		out = append(out, slsa.ProvenanceMaterial{
+
+		material := slsa.ProvenanceMaterial{
 			URI: s.Ref,
-			Digest: slsa.DigestSet{
+		}
+		if s.Digest != "" {
+			material.Digest = slsa.DigestSet{
 				s.Digest.Algorithm().String(): s.Digest.Hex(),
-			},
-		})
+			}
+		}
+		out = append(out, material)
 	}
 	return out, nil
 }