Draft: Supply chain

Ref: https://gitlab.opencode.de/open-code/internal/pmo/security-scanner/-/issues/149#note_453052

Provenance Specs

https://slsa.dev/spec/v1.2/build-provenance#schema

{
    "sourceDefinition": {
        "changelog": #Changelog,
        "contributionGuideline": #ContributionGuideline,
        "codeReview": {
            // we look at the merge request that belongs to the commit
            "mergeRequest": {
                "uri": string,
            },
            "reviewedByMaintainers": int, // how many maintainers were assigned as reviewers
            "approvedByMaintainers": int, // how many maintainers approved (no self approve)
            "resetApprovalsOnCommit": boolean,
            "involvedMaintainers": {
                "name": string,
                "email": string,
            }[],
            "properties": any, // additional properties
        },
        "sourceControl": {
            "commit": {
                "uri": string,
                "hash": string,
                "createdAt": #Timestamp,
            },
            "author": {
                "name": string,
                "email": string,
                "authentication": "password" | "2fa" | "token",
                "properties": any, // additional properties
            },
            "branch": string,
            "branchProtected": boolean,
            "defaultBranchProtected": boolean,
            "protectedBranchAccessLevel": int,
            "allowForcePush": boolean,
            "sourceControlSystem": "gitlab",
            "properties": any, // additional properties
        },
        "properties": any, // additional properties
    },
    "runDetails": {
        "builder": {
            "id": string,
            "builderDependencies": [ ...#ResourceDescriptor ],
            "version": { ...string },
        },
        "metadata": {
            "invocationId": string,
            "startedOn": #Timestamp,
            "finishedOn": #Timestamp,
        },
        "byproducts": [ ...#ResourceDescriptor ],
    }
}

#Timestamp: string // <YYYY>-<MM>-<DD>T<hh>:<mm>:<ss>Z
#Changelog: string // e.g. ["CHANGELOG.md"]
#ContributionGuideline: string // e.g. ["CONTRIBUTION.md"]

TODO

  • The CLI component should produce its own JSON structure (new/own predicate type) (sarif)
    • Checks such as Changelog, Contribution Guidelines, Code Review, Protected Branches (https://slsa.dev/spec/v1.2/source-requirements)
    • The CLI component receives no input (it detects the repo link itself)
    • This JSON must be attested to the image as well (not our task: the job must run before DevGuard, and DevGuard then attests the file to the container "automatically")
  • The supply chain badge checks, among other things, for the existence of this new predicate type.

TODO

  • migrate attestCmd to correct file
  • fix bug (TODO) in GetContainerRegistryTags (gitlab.go)
  • write tests for TestContainerAttestation
  • Tests Tests Tests
  • Check if we can refactor AdditionalInputData more (e.g. including repositoryURL and making params optional/nullable)
  • Check why this pipeline is broken: https://gitlab.opencode.de/david/badge-api-test/-/jobs/1355744
  • Badge API -> Check Releases Page -> Check "Images" and run the Maintenance Badge Checks for all images in there
    • Maintenance Badge is yet to be defined
    • In order to find the docker image for the latest Release we need to
      • find latest release https://gitlab.opencode.de/api/v4/projects/4871/releases/permalink/latest
      • get tag of latest release
      • list all container registries and tags and search for the tag (regex matching, e.g. v.1.0.0-abc)
  • Migrate Changelog and Contribution Guideline Checks into regular checks that will run against the repo and check if CHANGELOG(.md) and CONTRIBUTION(.md) are present so that they can be part of the Sarif Report that will be part of the Maintenance Badge
  • The attestation CLI command should run a list of (manually) predefined checks (basically the Maintenance Badge).
    • Remove custom attestation_ classes and just use the regular badge api checks.
    • The CI component should not accept an image anymore because it will run against the repo and identify the latest image by looking at the releases -> tags -> which has already been implemented in the container_attestation.go check

Research:

Option 1

  • GitLab API does not give information about Changelog / Contribution Location (or filename) (only admins probably)
  • GitLab API does give information about Releases and the Artifacts in them -> https://docs.gitlab.com/api/releases/#list-releases
    • However, links must be http/https/ftp, which does not work for Docker images (therefore listing release page links is not an option)

Option 2

  • In order to find the docker image for the latest Release we need to
    • find latest release https://gitlab.opencode.de/api/v4/projects/4871/releases/permalink/latest
    • extract commit sha
    • list all container registries and tags and filter for the revision
  • Problem: e.g. for the Badge API the container short_revision and the short_sha of the commit do not match. In fact the container short_revision does not match any commit.
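The lookup from Option 2 and from the TODO list above (latest release -> tag -> registry tags), as an added Go example that is not code from the badge API project: it takes the JSON bodies of the two GitLab API calls and returns the registry tags whose name matches the release tag. The naming rule (optional leading "v", optional "-<short sha>" suffix) and the sample responses are assumptions constructed here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// FindLatestImages returns the locations of the registry tags that belong to
// the latest release, given the JSON bodies of releases/permalink/latest and
// registry/repositories/:rid/tags. Assumed naming rule: image tag equals the
// release tag (leading "v" optional), optionally followed by "-<short sha>";
// a suffix such as "-rc1" is rejected so pre-release images are not matched.
func FindLatestImages(releaseJSON, tagsJSON string) ([]string, error) {
	var rel struct {
		TagName string `json:"tag_name"`
	}
	if err := json.Unmarshal([]byte(releaseJSON), &rel); err != nil {
		return nil, err
	}
	var tags []struct{ Name, Location string } // json keys match case-insensitively
	if err := json.Unmarshal([]byte(tagsJSON), &tags); err != nil {
		return nil, err
	}
	version := regexp.QuoteMeta(strings.TrimPrefix(rel.TagName, "v"))
	re := regexp.MustCompile(`^v?` + version + `(-[0-9a-f]{7,40})?$`)
	var found []string
	for _, t := range tags {
		if re.MatchString(t.Name) {
			found = append(found, t.Location)
		}
	}
	return found, nil
}

// Constructed sample responses, not captured from a real project.
const sampleRelease = `{"tag_name":"v1.0.0"}`
const sampleTags = `[{"name":"latest","location":"reg.example/org/app:latest"},
 {"name":"v1.0.0","location":"reg.example/org/app:v1.0.0"},
 {"name":"1.0.0-abc1234","location":"reg.example/org/app:1.0.0-abc1234"},
 {"name":"v1.0.0-rc1","location":"reg.example/org/app:v1.0.0-rc1"},
 {"name":"v1.0.01","location":"reg.example/org/app:v1.0.01"}]`

func main() {
	imgs, err := FindLatestImages(sampleRelease, sampleTags)
	if err != nil {
		panic(err)
	}
	fmt.Println(imgs) // [reg.example/org/app:v1.0.0 reg.example/org/app:1.0.0-abc1234]
}
```

Matching on the tag name sidesteps the short_revision problem noted above, since the registry's revision is not a commit sha.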
Edited by David Luhmer
