Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add lockfile attestor #370

Merged
merged 2 commits into from
Feb 5, 2025
Merged

feat: Add lockfile attestor #370

merged 2 commits into from
Feb 5, 2025

Conversation

fkautz
Copy link
Contributor

@fkautz fkautz commented Oct 8, 2024

This commit introduces a new lockfiles attestor to capture and attest
the contents of common lockfiles in the project. The changes include:

  • Add new file attestation/lockfiles/lockfiles.go implementing the lockfiles attestor
  • Update imports.go to include the new lockfiles package

The lockfiles attestor captures contents of various lockfiles such as
Gemfile.lock, package-lock.json, yarn.lock, and others. It stores the
information in a slice of LockfileInfo structs, allowing for flexible
handling of multiple lockfiles.

This feature enhances the project's capability to track and verify
dependency information as part of the attestation process."

@fkautz fkautz force-pushed the lockfile-support branch 6 times, most recently from c4cffcc to 691e53e Compare October 8, 2024 04:49
jkjell
jkjell reviewed Oct 10, 2024
View reviewed changes
Copy link
Member

@jkjell jkjell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall, looks great to me. Do we want to add the lockfiles found as subjects to the attestations?

colek42
colek42 previously approved these changes Jan 18, 2025
View reviewed changes
@fkautz
Copy link
Contributor Author

fkautz commented Jan 24, 2025

sample subject:

    {
      "name": "https://witness.dev/attestations/lockfiles/v0.1/file:go.sum",
      "digest": {
        "sha256": "0b6248e43fe5840cdda792292e069f8cf4ecd95ae8d8e5e8ef582b485bc4b1a9"
      }
    },

jkjell
jkjell previously approved these changes Jan 24, 2025
View reviewed changes
@fkautz
feat: Add lockfile attestor
4a30c24 
This commit introduces a new lockfiles attestor to capture and attest
the contents of common lockfiles in the project. The changes include:

- Add new file attestation/lockfiles/lockfiles.go implementing the lockfiles attestor
- Update imports.go to include the new lockfiles package

The lockfiles attestor captures contents of various lockfiles such as
Gemfile.lock, package-lock.json, yarn.lock, and others. It stores the
information in a slice of LockfileInfo structs, allowing for flexible
handling of multiple lockfiles.

This feature enhances the project's capability to track and verify
dependency information as part of the attestation process."

Signed-off-by: Frederick F. Kautz IV <[email protected]>
@colek42 colek42 self-assigned this Feb 5, 2025
@colek42 colek42 merged commit ac1aa1c into in-toto:main Feb 5, 2025
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@colek42 colek42 colek42 approved these changes

@jkjell jkjell jkjell left review comments

Assignees

@colek42 colek42

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@fkautz @jkjell @colek42