feat: add VSA (Verification Summary Attestation) validation command #2928
This is a larger PR, but the commits are broken out pretty well to help review.

Setting this to draft to merge this first - #2933
Code scanning / CodeQL reported a check failure (High: "Size computation for allocation may overflow") on this line of the diff, annotated in the code as a safe calculation:

```go
// Safe capacity calculation with overflow protection
capacity := componentCount * 2
```

CodeQL's note: this operation, which is used in an allocation, involves a potentially large value.

The same alert was reported on the sum used to size the rule slice:

```go
	totalRules = math.MaxInt / 4
} else {
	// Safe to add - check for overflow
	totalRules = successes + violations + warnings
```

Code scanning / CodeQL check failure (High): Size computation for allocation may overflow; the operation is used in an allocation and involves a potentially large value.
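Both CodeQL findings concern a make() capacity derived from counts that come from input rather than from code. As an added example (not the PR's code), this is one overflow-safe way to derive such a capacity in Go; maxAllocCount, SafeSum, SafeMul and RuleCapacity are names assumed for the illustration, and the math.MaxInt/4 ceiling mirrors the fallback in the snippet above.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// maxAllocCount bounds any count that becomes a make() capacity. The value is
// an assumption for this example, matching the math.MaxInt/4 fallback in the PR.
const maxAllocCount = math.MaxInt / 4

// ErrAllocBound is returned when a requested size cannot be allocated safely.
var ErrAllocBound = errors.New("allocation size exceeds bound")

// SafeSum adds non-negative counts, failing instead of wrapping around or
// exceeding maxAllocCount. The guard c > bound-total runs before each add
// and cannot itself overflow because total never exceeds the bound.
func SafeSum(counts ...int) (int, error) {
	total := 0
	for _, c := range counts {
		if c < 0 {
			return 0, fmt.Errorf("negative count %d: %w", c, ErrAllocBound)
		}
		if c > maxAllocCount-total {
			return 0, fmt.Errorf("sum exceeds %d: %w", maxAllocCount, ErrAllocBound)
		}
		total += c
	}
	return total, nil
}

// SafeMul bounds a product the same way (the componentCount*2 case above).
func SafeMul(n, factor int) (int, error) {
	if n < 0 || factor <= 0 || n > maxAllocCount/factor {
		return 0, fmt.Errorf("product %d*%d out of bounds: %w", n, factor, ErrAllocBound)
	}
	return n * factor, nil
}

// RuleCapacity turns the three VSA counters into a capacity hint for make().
// On a bound violation it returns 0 and lets append grow the slice, since the
// capacity is only a performance hint and a huge fixed block is the real risk.
func RuleCapacity(successes, violations, warnings int) int {
	n, err := SafeSum(successes, violations, warnings)
	if err != nil {
		return 0
	}
	return n
}
```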
Review comment anchored at `func TestFileVSADataRetriever(t *testing.T) {`:
Test functions in this file cover several functions from different files. These tests are grouped by functionality, which is all VSA data retrieval related tests.

Summary of Files Covered:
- internal/validate/vsa/file_retriever.go - File-based VSA data retrieval
- internal/validate/vsa/rekor_retriever.go - Rekor-based VSA data retrieval
- internal/validate/vsa/types.go - Type definitions and data structures
- internal/validate/vsa/validation.go - Interface definitions

- TestFileVSADataRetriever
  File: internal/validate/vsa/file_retriever.go
  Functions tested:
  - `NewFileVSADataRetriever(fs afero.Fs, vsaPath string) *FileVSADataRetriever`
  - `RetrieveVSA(ctx context.Context, imageDigest string) (*ssldsse.Envelope, error)` (method on FileVSADataRetriever)
- TestRekorVSADataRetriever
  File: internal/validate/vsa/rekor_retriever.go
  Functions tested:
  - `NewRekorVSADataRetriever(opts RetrievalOptions, imageDigest string) (*RekorVSADataRetriever, error)`
- TestVSADataRetrieverInterface
  File: internal/validate/vsa/validation.go
  Interface tested:
  - `VSADataRetriever` interface
  Ensures both FileVSADataRetriever and RekorVSADataRetriever implement this interface
- TestRetrievalOptions
  File: internal/validate/vsa/types.go
  Functions tested:
  - `DefaultRetrievalOptions() RetrievalOptions`
  Tests the RetrievalOptions struct
- TestDSSEEnvelope
  File: internal/validate/vsa/types.go
  Types tested:
  - `DSSEEnvelope` struct
  Tests JSON marshaling/unmarshaling of DSSE envelope structure
- TestSignature
  File: internal/validate/vsa/types.go
  Types tested:
  - `Signature` struct
  Tests JSON marshaling/unmarshaling of signature structure
- TestDualEntryPair
  File: internal/validate/vsa/types.go
  Types tested:
  - `DualEntryPair` struct (lines 58-62)
  Tests the structure used by Rekor for handling paired entries
Review comment anchored at `func (m *MockPolicyResolver) GetRequiredRules(ctx context.Context, imageDigest string) (map[string]bool, error) {`:
The validator_test.go file comprehensively tests the VSA Rule Validation System.

Summary of Files Covered:
- internal/validate/vsa/types.go - Main VSA rule validation implementation
- internal/validate/vsa/validation.go - Policy resolver adapter implementation
- internal/validate/vsa/validator_test.go - Test file itself (contains mock implementations and test helpers)

- TestEvaluatorPolicyResolver
  File: internal/validate/vsa/validation.go
  Functions tested:
  - `NewPolicyResolver(policyResolver interface{}, availableRules evaluator.PolicyRules) PolicyResolver`
  - `GetRequiredRules(ctx context.Context, imageDigest string) (map[string]bool, error)` (method on policyResolverAdapter)
- TestVSARuleValidatorImpl_ValidateVSARules (Main comprehensive test)
  File: internal/validate/vsa/types.go
  Functions tested:
  - `NewVSARuleValidator() VSARuleValidator`
  - `ValidateVSARules(ctx context.Context, vsaRecords []VSARecord, policyResolver PolicyResolver, imageDigest string) (*ValidationResult, error)`
  - `extractRuleResultsFromVSA(record VSARecord) (map[string]RuleResult, error)`
  - `convertEvaluatorResultToRuleResult(result map[string]interface{}, status, componentImage string) RuleResult`
- TestVSARuleValidatorImpl_ExtractRuleID
  File: internal/validate/vsa/types.go
  Functions tested:
  - `extractRuleID(result evaluator.Result) string`
- TestVSARuleValidatorImpl_ExtractPackageFromRuleID
  File: internal/validate/vsa/types.go
  Functions tested:
  - `extractPackageFromRuleID(ruleID string) string`

Mock/Test Helper Functions:
- NewMockPolicyResolver (Test helper)
  File: internal/validate/vsa/validator_test.go
  Purpose: Creates mock policy resolver for testing
- MockPolicyResolver.GetRequiredRules (Test helper)
  File: internal/validate/vsa/validator_test.go
  Purpose: Mock implementation of PolicyResolver interface
- MockExistingPolicyResolver (Test helper)
  File: internal/validate/vsa/validator_test.go
  Purpose: Mock implementation of the existing evaluator.PolicyResolver interface

Helper Functions for Test Data:
- createMockVSARecord (Test helper)
  File: internal/validate/vsa/validator_test.go
  Purpose: Creates mock VSA records for testing
- createRealisticVSARecord (Test helper)
  File: internal/validate/vsa/validator_test.go
  Purpose: Creates realistic VSA records with real-world data
- createRealisticVSARecordWithWarnings (Test helper)
  File: internal/validate/vsa/validator_test.go
  Purpose: Creates VSA records with warning scenarios
- Add VSARuleValidator interface and implementation
- Add ValidationResult, MissingRule, FailingRule types
- Add PolicyResolver interface for rule resolution
- Add comprehensive validation tests with realistic scenarios
- Establish foundation for VSA validation functionality

- Add FileVSADataRetriever for reading VSA from files
- Add RekorVSADataRetriever for fetching VSA from Rekor
- Add VSADataRetriever interface and implementations
- Add comprehensive tests for data retrieval

- Add rule discovery functionality for policy resolution
- Enhance conftest evaluator with VSA-specific metadata
- Improve filtering capabilities for VSA validation
- Add comprehensive tests for rule discovery

- Enhance input processing for VSA data
- Add VSA-specific report handling
- Update report tests for VSA functionality

- Add 'ec validate vsa' command for VSA validation
- Support validation from files and Rekor
- Integrate with existing validate command structure

- Add comprehensive VSA validation documentation
- Update CLI navigation for new command
- Update integration tests for VSA functionality

- Update go.mod and go.sum with VSA dependencies
- Update development configuration files

- Add comprehensive VSA data types and structures
- Define interfaces for VSA validation and retrieval
- Establish type safety for VSA operations

- Add comprehensive tests for VSA data retrieval
- Test file and Rekor retrieval scenarios
- Add mock implementations for testing

- Refactor VSA code organization
- Improve error handling and validation
- Clean up implementation details

- use retry logic with Rekor
- default to 4 workers
The `ec validate vsa` command enables validation of Verification Summary Attestations (VSAs) that contain policy evaluation results for container images. This feature allows users to verify that images meet Enterprise Contract requirements by validating pre-computed attestation data.