fix(policies): fix policy evaluation for SBOMs (#1665)

Signed-off-by: Jose I. Paris <[email protected]>
chainloop-dev · Dec 16, 2024 · 4ba74d5 · 4ba74d5
1 parent 4b5c833
commit 4ba74d5
Show file tree

Hide file tree

Showing 3 changed files with 132,940 additions and 11 deletions.
diff --git a/pkg/attestation/crafter/api/attestation/v1/crafting_state.go b/pkg/attestation/crafter/api/attestation/v1/crafting_state.go
@@ -88,11 +88,14 @@ func (m *Attestation_Material) GetEvaluableContent(value string) ([]byte, error)
 	var rawMaterial []byte
 	var err error
 
-	// nolint: gocritic
-	switch {
-	case m.GetArtifact() != nil:
+	artifact := m.GetArtifact()
+	if artifact == nil && m.GetSbomArtifact() != nil {
+		artifact = m.GetSbomArtifact().GetArtifact()
+	}
+
+	if artifact != nil {
 		if m.InlineCas {
-			rawMaterial = m.GetArtifact().GetContent()
+			rawMaterial = artifact.GetContent()
 		} else if value == "" {
 			return nil, errors.New("artifact path required")
 		} else if m.MaterialType != v1.CraftingSchema_Material_HELM_CHART &&
@@ -103,12 +106,6 @@ func (m *Attestation_Material) GetEvaluableContent(value string) ([]byte, error)
 				return nil, fmt.Errorf("failed to read material content: %w", err)
 			}
 		}
-	case m.GetSbomArtifact() != nil:
-		if m.InlineCas {
-			rawMaterial = m.GetSbomArtifact().GetArtifact().GetContent()
-		} else if value == "" {
-			return nil, errors.New("sbom artifact path required")
-		}
 	}
 
 	// special case for ATTESTATION materials, the statement needs to be extracted from the dsse wrapper.
@@ -277,6 +274,8 @@ func (m *Attestation_Material) GetID() string {
 		return m.GetArtifact().GetId()
 	} else if m.GetContainerImage() != nil {
 		return m.GetContainerImage().GetId()
+	} else if m.GetSbomArtifact() != nil {
+		return m.GetSbomArtifact().GetArtifact().GetId()
 	}
 	return ""
 }

diff --git a/pkg/attestation/crafter/api/attestation/v1/crafting_state_test.go b/pkg/attestation/crafter/api/attestation/v1/crafting_state_test.go
@@ -136,6 +136,7 @@ func TestNormalizeOutput(t *testing.T) {
 func TestGetEvaluableContentWithMetadata(t *testing.T) {
 	cases := []struct {
 		name     string
+		filename string
 		material *Attestation_Material
 	}{
 		{
@@ -178,11 +179,28 @@ func TestGetEvaluableContentWithMetadata(t *testing.T) {
 				InlineCas: true,
 			},
 		},
+		{
+			name: "sbom artifact material not inline",
+			material: &Attestation_Material{
+				MaterialType: schemaapi.CraftingSchema_Material_SBOM_CYCLONEDX_JSON,
+				M: &Attestation_Material_SbomArtifact{
+					SbomArtifact: &Attestation_Material_SBOMArtifact{
+						Artifact: &Attestation_Material_Artifact{
+							Name: "name", Digest: "sha256:deadbeef", IsSubject: true, Content: []byte("{}"),
+						},
+						MainComponent: &Attestation_Material_SBOMArtifact_MainComponent{
+							Name: "the-main-component",
+						},
+					},
+				},
+			},
+			filename: "testdata/sbom.cyclonedx.json",
+		},
 	}
 
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			content, err := tc.material.GetEvaluableContent("")
+			content, err := tc.material.GetEvaluableContent(tc.filename)
 			assert.NoError(t, err)
 			decoder := json.NewDecoder(bytes.NewReader(content))