From a6214fbd3a720973b188aa246a025e275efb0a5b Mon Sep 17 00:00:00 2001
From: saso
Date: Thu, 13 Apr 2023 21:30:18 +0900
Subject: [PATCH] feat: add the created-by annotation when putting the referrer (#6)

---
 README.md | 12 ++++++------
 put.go    | 28 ++++++++++++----------------
 types.go  |  2 ++
 3 files changed, 20 insertions(+), 22 deletions(-)

diff --git a/README.md b/README.md
index 86cdb1c..a3fbef7 100644
--- a/README.md
+++ b/README.md
@@ -49,17 +49,17 @@ Referrers:
   MediaType: application/vnd.oci.image.manifest.v1+json
   ArtifactType: application/vnd.cyclonedx+json
   Annotations:
-    created: trivy
+    created-by: trivy
     org.opencontainers.artifact.created: 2023-04-11T19:21:29+09:00
     org.opencontainers.artifact.description: CycloneDX JSON SBOM
 
 $ trivy referrer list localhost:5002/demo:app --format table
-DIGEST    TYPE        ANNOTATIONS     DESCRIPTION           CREATED
-5b0306d   cyclonedx   created=trivy   CycloneDX JSON SBOM   22 hours ago
-771989f   spdx-json   created=trivy   SPDX JSON SBOM        22 hours ago
-83542d1   sarif                       SARIF                 18 hours ago
-8b9f058   sarif                       SARIF                 15 hours ago
+DIGEST    TYPE        ANNOTATIONS        DESCRIPTION           CREATED
+5b0306d   cyclonedx   created-by=trivy   CycloneDX JSON SBOM   22 hours ago
+771989f   spdx-json   created-by=trivy   SPDX JSON SBOM        22 hours ago
+83542d1   sarif       created-by=trivy   SARIF                 18 hours ago
+8b9f058   sarif       created-by=trivy   SARIF                 15 hours ago
 ```
 
 ### Getting the artifact
diff --git a/put.go b/put.go
index 5c326d5..6aec74b 100644
--- a/put.go
+++ b/put.go
@@ -73,6 +73,14 @@ func (r *referrer) Tag(img v1.Image) (name.Reference, error) {
 	return tag, nil
 }
 
+func newAnnotations(description string) map[string]string {
+	return map[string]string{
+		annotationKeyDescription:       description,
+		annotationKeyCreated:           time.Now().Format(time.RFC3339),
+		customAnnotationKeyDescription: "trivy",
+	}
+}
+
 func putReferrer(r io.Reader, opts putOptions) error {
 	ref, err := referrerFromReader(r, opts)
 	if err != nil {
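Review bot: `newAnnotations` has no doc comment, and its `customAnnotationKeyDescription: "trivy"` entry reads as a provenance claim even though the SARIF and vulnerability hunks below immediately run `anns = lo.Assign(anns, opts.Annotations)`, which appears to let a caller-supplied `created-by` silently replace `trivy`. A header comment should make that explicit: `// newAnnotations builds the default referrer annotations: the description, the current time as RFC 3339 and created-by=trivy. Callers may overlay user-supplied annotations on top, so created-by is a hint about the producer, not an authenticated one.` The timestamp is still rendered in the host's local offset (the README example shows +09:00); `time.Now().UTC().Format(time.RFC3339)` would make the value canonical, though that is pre-existing behaviour the commit only moved. putReferrer's body continues outside the hunk.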
@@ -169,10 +177,7 @@ func tryReferrerFromSBOM(r io.Reader, opts putOptions) (referrer, error) {
 			}
 		}
 
-		anns = map[string]string{
-			annotationKeyDescription: "CycloneDX JSON SBOM",
-			annotationKeyCreated:     time.Now().Format(time.RFC3339),
-		}
+		anns = newAnnotations("CycloneDX JSON SBOM")
 		mediaType = mediaKeyCycloneDX
 
 	case sbom.FormatSPDXJSON:
@@ -188,10 +193,7 @@ func tryReferrerFromSBOM(r io.Reader, opts putOptions) (referrer, error) {
 			}
 		}
 
-		anns = map[string]string{
-			annotationKeyDescription: "SPDX JSON SBOM",
-			annotationKeyCreated:     time.Now().Format(time.RFC3339),
-		}
+		anns = newAnnotations("SPDX JSON SBOM")
 		mediaType = mediaKeySPDX
 
 	default:
@@ -263,10 +265,7 @@ func tryReferrerFromSarif(r io.Reader, opts putOptions) (referrer, error) {
 	}
 	log.Logger.Infof("SARIF detected")
 
-	anns := map[string]string{
-		annotationKeyDescription: "SARIF",
-		annotationKeyCreated:     time.Now().Format(time.RFC3339),
-	}
+	anns := newAnnotations("SARIF")
 	anns = lo.Assign(anns, opts.Annotations)
 
 	return referrer{
@@ -308,10 +307,7 @@ func tryReferrerFromVulnerability(r io.Reader, opts putOptions) (referrer, error
 
 	log.Logger.Infof("Cosign vulnerability data detected")
 
-	anns := map[string]string{
-		annotationKeyDescription: "Vulnerability Scan Report",
-		annotationKeyCreated:     time.Now().Format(time.RFC3339),
-	}
+	anns := newAnnotations("Cosign Vulnerability Data")
 	anns = lo.Assign(anns, opts.Annotations)
 
 	return referrer{
diff --git a/types.go b/types.go
index 647b474..e78b6f2 100644
--- a/types.go
+++ b/types.go
@@ -7,6 +7,8 @@ const (
 	annotationKeyCreated     = "org.opencontainers.artifact.created"
 	annotationKeyDescription = "org.opencontainers.artifact.description"
 
+	customAnnotationKeyDescription = "created-by"
+
 	// Use a Media Type registered with IANA.
 	// ref. https://github.com/opencontainers/image-spec/blob/dd7fd714f5406d39db5fd0602a0e6090929dc85e/artifact.md#artifact-manifest-property-descriptions
 	// ref. https://www.iana.org/assignments/media-types/media-types.xhtml
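Review bot: The vulnerability referrer's description changes from `Vulnerability Scan Report` to `Cosign Vulnerability Data` on the `anns := newAnnotations(...)` line, which is unrelated to the created-by annotation the commit subject describes. `org.opencontainers.artifact.description` is a user-visible value (the README's `trivy referrer list` table prints it), so any consumer matching on the old string changes behaviour without a word in the commit message. Either keep `anns := newAnnotations("Vulnerability Scan Report")` or state the rename in the commit message. tryReferrerFromVulnerability starts and ends outside the hunk.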
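Review bot: `customAnnotationKeyDescription` holds the `created-by` key, not a description, so the name misleads at every call site; `annotationKeyCreatedBy = "created-by"` would match the two OCI constants above it. The key is also unnamespaced while its neighbours live under `org.opencontainers.*`, and the OCI image-spec annotation rules ask that non-spec keys use reverse-domain notation to avoid collisions with other producers; since this commit documents the bare `created-by` in the README, now is the cheapest moment to pick a namespaced key under a domain the project controls, if that is wanted. The const block starts and ends outside the hunk.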