Skip to content

feat(crafter): support multiple tools in chainloop metadata #2481

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

feat(crafter): support multiple tools in chainloop metadata #2481

wants to merge 5 commits into from
+187 −21

Conversation

@Piskoo
Copy link
Collaborator

@Piskoo Piskoo commented Oct 24, 2025
edited
Loading

This PR adds support for multiple tools extraction to metadata, while maintaining backwards compatibility.

Example

# legacy keys (first found tool)
chainloop.material.tool.name: Hub
chainloop.material.tool.version: 2025.4.2
# new key (all found tools)
chainloop.material.tools: [
  "Hub@2025.4.2",
  "cyclonedx-core-java@5.0.5"
]

Piskoo added 3 commits October 24, 2025 12:58
@Piskoo
support multiple tools for cdx
3e4e4b6 
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
@Piskoo
add support for spdx
e0a81b0 
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
@Piskoo
missing test file
483c2d3 
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
@Piskoo Piskoo marked this pull request as ready for review October 24, 2025 14:11
@migmartri
Copy link
Member

migmartri commented Oct 24, 2025
edited
Loading

I am not a fan of keys with dynamic namespacing, it makes it very hard to consume, but @jiparis might have a different opinion.

I'd rather to have smth like

chainloop.material.tools: ["Hub@2025.4.2", "baz@deadbeed"]

Piskoo added 2 commits October 27, 2025 13:10
@Piskoo
use array for versions
ff320da 
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
@Piskoo
lint
29aa93e 
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
migmartri
migmartri reviewed Oct 27, 2025
View reviewed changes
pkg/attestation/crafter/materials/cyclonedxjson.go
m.Annotations[AnnotationToolNameKey] = meta.Tools[0].Name
m.Annotations[AnnotationToolVersionKey] = meta.Tools[0].Version
// Extract all tools and set annotations
var tools []Tool
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so even if we have one tool, it will use also the new annotation correct?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct, example:

WRN API contacted in insecure mode
INF uploading sbom.cyclonedx-1.5.json - sha256:5ca3508f02893b0419b266927f66c7b9dd8b11dbea7faf7cdb9169df8f69d8e3
INF material added to attestation
┌─────────────┬─────────────────────────────────────────────────────────────────────────┐
│ Name        │ skynet-sbom                                                             │
├─────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Type        │ SBOM_CYCLONEDX_JSON                                                     │
├─────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Required    │ No                                                                      │
├─────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Value       │ sbom.cyclonedx-1.5.json                                                 │
├─────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Digest      │ sha256:5ca3508f02893b0419b266927f66c7b9dd8b11dbea7faf7cdb9169df8f69d8e3 │
├─────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Annotations │ ------                                                                  │
├─────────────┼─────────────────────────────────────────────────────────────────────────┤
│             │ chainloop.material.tools: ["syft@0.101.1"]                              │
├─────────────┼─────────────────────────────────────────────────────────────────────────┤
│             │ chainloop.material.tool.name: syft                                      │
├─────────────┼─────────────────────────────────────────────────────────────────────────┤
│             │ chainloop.material.tool.version: 0.101.1                                │
└─────────────┴─────────────────────────────────────────────────────────────────────────┘

migmartri
migmartri approved these changes Oct 27, 2025
View reviewed changes
Copy link
Member

@migmartri migmartri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, let's check with @jiparis

pkg/attestation/crafter/materials/spdxjson_test.go
wantDigest: "sha256:fe2636fb6c698a29a315278b762b2000efd5959afe776ee4f79f1ed523365a33",
wantFilename: "sbom-spdx.json",
annotations: map[string]string{
"chainloop.material.tool.name": "syft",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, this one, thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@migmartri migmartri migmartri approved these changes

@jiparis jiparis Awaiting requested review from jiparis

@javirln javirln Awaiting requested review from javirln

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Piskoo @migmartri