From 8645b1e4385cf42dfa2db937f4b48d1039f267e6 Mon Sep 17 00:00:00 2001
From: Ilya Dmitrichenko
Date: Thu, 28 Sep 2023 07:21:38 +0100
Subject: [PATCH] Add attestation for replace images

---
 attest/manifest/images.go | 21 ++++++++++++++++++++-
 manifest/imagescanner/imagescanner.go | 1 +
 tape/app/package.go | 11 +++++++++++
 3 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/attest/manifest/images.go b/attest/manifest/images.go
index c4b30bd..f992465 100644
--- a/attest/manifest/images.go
+++ b/attest/manifest/images.go
@@ -26,6 +26,10 @@ type ResolvedImageRef struct {
 attestTypes.GenericStatement[ImageRefenceWithLocation]
 }
 
+type ReplacedImageRef struct {
+ attestTypes.GenericStatement[ImageRefenceWithLocation]
+}
+
 type ImageRefenceWithLocation struct {
 Reference string `json:"reference"`
 Line int `json:"line"`
@@ -34,7 +38,6 @@ type ImageRefenceWithLocation struct {
 }
 
 // TODO:
-// - replaced
 // - related tags (just the tags)
 // - copy inline atteststations, and reference them
 // - copy sigstore attestations, and reference them
@@ -56,6 +59,22 @@ func MakeOriginalImageRefStatements(images *manifestTypes.ImageList) attestTypes
 return statements
 }
 
+func MakeReplacedImageRefStatements(images *manifestTypes.ImageList) attestTypes.Statements {
+ statements := attestTypes.Statements{}
+ forEachImage(images, func(subject attestTypes.Subject, ref ImageRefenceWithLocation) {
+ statements = append(statements, &ReplacedImageRef{
+ attestTypes.MakeStatement(
+ ReplacedImageRefPredicateType,
+ struct {
+ ImageRefenceWithLocation `json:"replacedImageReference"`
+ }{ref},
+ subject,
+ ),
+ })
+ })
+ return statements
+}
+
 func MakeResovedImageRefStatements(images *manifestTypes.ImageList) attestTypes.Statements {
 statements := attestTypes.Statements{}
 forEachImage(images, func(subject attestTypes.Subject, ref ImageRefenceWithLocation) {
diff --git a/manifest/imagescanner/imagescanner.go b/manifest/imagescanner/imagescanner.go
index 2a0c7db..0da4e60 100644
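Review bot: MakeReplacedImageRefStatements and the ReplacedImageRef type in the first hunk are exported without doc comments, and the function is a third copy of the loop already used by MakeOriginalImageRefStatements and MakeResovedImageRefStatements, differing only in the predicate type and the JSON key. The predicate carries only the reference and its location, so as far as these hunks show a verifier has to pair it with the original-reference statement by subject and location to learn what was replaced by what; that contract belongs in the comment. Something like `// MakeReplacedImageRefStatements returns one statement per image in images, with the reference and its manifest location under "replacedImageReference".` would do, with a matching one-line comment on the type. ReplacedImageRefPredicateType is not declared in any visible hunk, so it presumably already exists elsewhere in the package.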
--- a/manifest/imagescanner/imagescanner.go
+++ b/manifest/imagescanner/imagescanner.go
@@ -107,4 +107,5 @@ func (s *DefaultImageScanner) GetImages() *types.ImageList {
 
 func (s *DefaultImageScanner) Reset() {
 s.trackers = []*Tracker{}
+ s.attestor = nil
 }
diff --git a/tape/app/package.go b/tape/app/package.go
index cdccdcc..9b3e7c6 100644
--- a/tape/app/package.go
+++ b/tape/app/package.go
@@ -156,6 +156,17 @@ func (c *TapePackageCommand) Execute(args []string) error {
 return fmt.Errorf("failed to update manifest files: %w", err)
 }
 
+ scanner.Reset()
+ if err := scanner.Scan(loader.RelPaths()); err != nil {
+ return fmt.Errorf("failed to scan updated manifest files: %w", err)
+ }
+ replacedImages := scanner.GetImages()
+ replacedImages.Dedup()
+
+ if err := attreg.AssociateStatements(manifest.MakeReplacedImageRefStatements(replacedImages)...); err != nil {
+ return err
+ }
+
 c.tape.log.DebugFn(func() []interface{} {
 buf := bytes.NewBuffer(nil)
 if err := attreg.EncodeAllAttestations(base64.NewEncoder(base64.StdEncoding, buf)); err != nil {
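Review bot: Reset now clears the attestor as well as the trackers, and the only caller visible in this patch (Execute in tape/app/package.go) calls Scan straight after Reset. Whether Scan tolerates a nil s.attestor cannot be seen from this hunk: if it dereferences the field the rescan panics, and if the use is guarded the rescan records nothing through the attestor without saying so. Either way the contract should be written on the method once confirmed, e.g. `// Reset drops all trackers and clears the attestor, so a Scan after Reset records nothing through it.`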
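Review bot: Every image the rescan finds gets a "replaced" statement, whether or not the update step above actually rewrote that reference; nothing in this hunk compares replacedImages with the pre-update list, so an untouched or newly introduced reference would be attested as a replacement. Checking that both lists hold the same entries by manifest path and position before AssociateStatements would keep the attestation from claiming more than happened; the pre-update list lies outside this hunk, so confirm against the rest of Execute. The new `return err` also drops the context the neighbouring returns add, and could be `return fmt.Errorf("failed to associate replaced image statements: %w", err)`.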