Tanzu Application Catalog Build Type

This is a SLSA Provenance buildType that describes the execution of a Tanzu Application Catalog artifact build workflow.

Description

"buildType": "https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/main/GUID-security-frameworks-SLSA-TAC-build-type.html"

This buildType describes the execution of a Tanzu Application Catalog build pipeline.

Build Definition

Depending on the kind of artifact, the externalParameters, internalParameters, and resolvedDependencies differ. The schema for each artifact kind is:

Container images

External parameters

Parameter   Type     Description
baseImage   string   The base image of the container image

Internal parameters

Parameter          Type                         Description
buildCauses        array                        The different events that triggered the build
containerSources   object<resourceDescriptor>   Resource descriptor referencing the source files used to build the container image

Resolved dependencies

The resolvedDependencies SHOULD contain an entry that identifies, by digest, the base image referenced by externalParameters.baseImage and used to build the container image.

Helm charts

External parameters

Parameter              Type     Description
chartsRepository       object   Information about the charts repository used as a template
chartsRepository.url   string   URL of the charts repository used as a template

Internal parameters

Parameter     Type    Description
buildCauses   array   The different events that triggered the build

Resolved dependencies

The resolvedDependencies SHOULD contain an entry identifying the exact commit of the charts repository referenced by externalParameters.chartsRepository.url that was used as a template to build the Helm chart.

Run details

Metadata

The invocationId SHOULD be set to the UUID that uniquely identifies the internal build run. Given this UUID, the Tanzu Application Catalog team can perform a deep analysis of the build process.
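A verifier can turn the requirements above into a policy check before trusting an artifact. The following Python function is an added example, not code from the page or from VMware: it checks the buildType, the per-artifact pinning rules for resolvedDependencies, the presence of buildCauses, and that the invocation id is a UUID (it accepts both the invocationId spelling from the SLSA spec and the invocationID spelling used in the sample statements below). The sample statement embedded at the end is constructed from values in the page's Helm chart example.

```python
import re
import uuid

# Build type URL from the page; the sample statements append a "#v1" version fragment.
TAC_BUILD_TYPE = ("https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/main/"
                  "GUID-security-frameworks-SLSA-TAC-build-type.html")

def check_tac_provenance(stmt: dict) -> list[str]:
    """Return policy findings for a TAC provenance statement; an empty list means it conforms."""
    findings = []
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        findings.append("predicateType is not SLSA provenance v1")
    bd = stmt.get("predicate", {}).get("buildDefinition", {})
    if not str(bd.get("buildType", "")).startswith(TAC_BUILD_TYPE):
        findings.append("buildType is not the TAC build type")
    ext, deps = bd.get("externalParameters", {}), bd.get("resolvedDependencies", [])
    if "baseImage" in ext:  # container image schema: base image must be resolved to a digest
        repo = ext["baseImage"].split(":")[0]
        if not any(d.get("uri", "").startswith(repo + "@sha256:")
                   and d["uri"].rsplit(":", 1)[1] == d.get("digest", {}).get("sha256")
                   for d in deps):
            findings.append("resolvedDependencies does not pin baseImage by sha256 digest")
    elif "chartsRepository" in ext:  # Helm chart schema: template repo pinned to a commit
        url = ext["chartsRepository"].get("url")
        if not any(d.get("uri") == url
                   and re.fullmatch(r"[0-9a-f]{40}", d.get("digest", {}).get("gitCommit", ""))
                   for d in deps):
            findings.append("resolvedDependencies does not pin chartsRepository.url to a commit")
    else:
        findings.append("externalParameters match neither the container nor the Helm chart schema")
    if not bd.get("internalParameters", {}).get("buildCauses"):
        findings.append("buildCauses is missing or empty")
    meta = stmt.get("predicate", {}).get("runDetails", {}).get("metadata", {})
    # SLSA names the field invocationId; the page's sample statements spell it invocationID.
    try:
        uuid.UUID(str(meta.get("invocationId", meta.get("invocationID", ""))))
    except ValueError:
        findings.append("invocationId is not a UUID")
    return findings

# Constructed minimal statement in the Helm chart schema, reusing values from the page's example.
CHART_STMT = {"predicateType": "https://slsa.dev/provenance/v1", "predicate": {
    "buildDefinition": {
        "buildType": TAC_BUILD_TYPE + "#v1",
        "externalParameters": {"chartsRepository": {"url": "https://github.com/bitnami/charts"}},
        "internalParameters": {"buildCauses": ["upstream update in the zookeeper@13.0.x Helm Chart"]},
        "resolvedDependencies": [{"uri": "https://github.com/bitnami/charts",
                                  "digest": {"gitCommit": "46825f40ce83acfb6d8fb43f39304eac76154405"}}]},
    "runDetails": {"metadata": {"invocationID": "a666ba84-2327-456f-b6e3-386c0d79d280"}}}}
```

Run the check on the predicate after the DSSE envelope signature has been verified; it validates the build definition, not the signature.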

Examples

SLSA Provenance for container image

{
  "_type": "https://in-toto.io/Statement/v1",
  "predicateType": "https://slsa.dev/provenance/v1",
  "subject": [
    {
      "name": "apache",
      "digest": {
        "sha256": "3791e9051d289e9c656b268d63563f2e11ce7aec231e3fdb3c3cbad9ad35c094"
      }
    },
    {
      "name": "apache - linux/amd64",
      "digest": {
        "sha256": "08da6c45919a3f243f80ca71b72a3c0f4cd50aefb8706fb0f423f6d34487f59f"
      }
    },
    {
      "name": "apache - linux/arm64",
      "digest": {
        "sha256": "8fd02ffd3ac39c79f952a6191b15f3ae9a9feff261ec588509801957f26ea4b0"
      }
    }
  ],
  "predicate": {
    "buildDefinition": {
      "buildType": "https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/main/GUID-security-frameworks-SLSA-TAC-build-type.html#v1",
      "externalParameters": {
        "baseImage": "bitnami/minideb:bullseye"
      },
      "internalParameters": {
        "buildCauses": [
          "apache updated to 2.4.58"
        ],
        "containerSources": {
          "digest": {
            "sha256": "945839b0efacecb84eb4780acf45839e8a8e1485b9fc7de562e8279590469291"
          },
          "annotations": {
            "filename": "apache-2.4.58-r25-debian-11-container.tar.gz"
          }
        }
      },
      "resolvedDependencies": [
        {
          "uri": "bitnami/minideb@sha256:daa7b912186b10ec7a1f4f5f26b29364bd5d7e068e140474c33e6baa31b5c66c",
          "digest": {
            "sha256": "daa7b912186b10ec7a1f4f5f26b29364bd5d7e068e140474c33e6baa31b5c66c"
          },
          "name": "container-base-image",
          "annotations": {
            "imageName": "minideb",
            "imageRepository": "bitnami",
            "imageTag": "bullseye"
          }
        }
      ]
    },
    "runDetails": {
      "builder": {
        "id": "https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/main/GUID-security-frameworks-SLSA-level3-compliance.html"
      },
      "metadata": {
        "invocationID": "a2c7290c-6a39-4e1f-b64a-f2d0fc44445a",
        "startedOn": "2024-03-21T13:45:29.768443Z",
        "finishedOn": "2024-03-21T14:01:11.768443Z"
      },
      "byproducts": [
        {
          "digest": {
            "sha256": "7221c56323e257ea339ea5d62e960f4b506d9418004a1ab9f2b3a2f89a6bcb35"
          },
          "name": "spdx-report",
          "annotations": {
            "filename": "spdx.json"
          }
        },
        {
          "digest": {
            "sha256": "68e1c2ed236e1ebdeb397363bf9aea860cb0152cabaafdbcd62cc14cbcdc77cf"
          },
          "name": "test-results",
          "annotations": {
            "filename": "test-results.tar.gz"
          }
        },
        {
          "digest": {
            "sha256": "19c2b85fbfe597694c32b7525f50cacdc05cb0643e04058cb69dba3d3acf2a73"
          },
          "name": "vulnerability-scan",
          "annotations": {
            "filename": "cve-trivy-scanner-output-linux-arm64.json",
            "platform": {
              "os": "linux",
              "architecture": "arm64"
            }
          }
        },
        {
          "digest": {
            "sha256": "79c7b22c8f4660f48904c6e0a56e2f6aab873771835e04bd2bb5e6f41b91c43b"
          },
          "name": "vulnerability-scan",
          "annotations": {
            "filename": "cve-trivy-scanner-output-linux-amd64.json",
            "platform": {
              "os": "linux",
              "architecture": "amd64"
            }
          }
        },
        {
          "digest": {
            "sha256": "c4480311da92a5772f47769e08cb9facfac5e1c5c68b37290dada5406aa7b240"
          },
          "name": "vulnerability-cvrf",
          "annotations": {
            "filename": "vulnerability-cvrf-report-linux-arm64.xml",
            "platform": {
              "os": "linux",
              "architecture": "arm64"
            }
          }
        },
        {
          "digest": {
            "sha256": "4de551f3270597a20cd745abf57f71d926d7fb2386291e889c2e3e2d1c6ebc08"
          },
          "name": "vulnerability-cvrf",
          "annotations": {
            "filename": "vulnerability-cvrf-report-linux-amd64.xml",
            "platform": {
              "os": "linux",
              "architecture": "amd64"
            }
          }
        },
        {
          "digest": {
            "sha256": "7fe758b9faa6d39e4926973b4fe59d8c3166cd24c59b6925873315e39c8101fd"
          },
          "name": "vulnerability-scan-summary",
          "annotations": {
            "filename": "cve-trivy-scanner-summary-linux-arm64.json",
            "platform": {
              "os": "linux",
              "architecture": "arm64"
            }
          }
        },
        {
          "digest": {
            "sha256": "7fe758b9faa6d39e4926973b4fe59d8c3166cd24c59b6925873315e39c8101fd"
          },
          "name": "vulnerability-scan-summary",
          "annotations": {
            "filename": "cve-trivy-scanner-summary-linux-amd64.json",
            "platform": {
              "os": "linux",
              "architecture": "amd64"
            }
          }
        },
        {
          "digest": {
            "sha256": "c04552901e1e712e84d57b6fb4a6c8f63dd5732671a735f29b0bf37ff1e1fe52"
          },
          "name": "antivirus-scan",
          "annotations": {
            "filename": "clamav-antivirus-scan-linux-arm64.log",
            "platform": {
              "os": "linux",
              "architecture": "arm64"
            }
          }
        },
        {
          "digest": {
            "sha256": "f43dd50593b4f6c0166b9254943be7ee65f31c2ed9f90ddb90bb9405398edd17"
          },
          "name": "antivirus-scan",
          "annotations": {
            "filename": "clamav-antivirus-scan-linux-amd64.log",
            "platform": {
              "os": "linux",
              "architecture": "amd64"
            }
          }
        },
        {
          "digest": {
            "sha256": "945839b0efacecb84eb4780acf45839e8a8e1485b9fc7de562e8279590469291"
          },
          "name": "source-container",
          "annotations": {
            "filename": "apache-2.4.58-r25-debian-11-container.tar.gz"
          }
        }
      ]
    }
  }
}

SLSA Provenance for Helm chart

{
  "_type": "https://in-toto.io/Statement/v1",
  "predicateType": "https://slsa.dev/provenance/v1",
  "subject": [
    {
      "name": "zookeeper",
      "digest": {
        "sha256": "8ae68b04b29593639c9c49b7f5697ebda6a289c0d48ddc1212f64c2e5a65ab6f"
      }
    }
  ],
  "predicate": {
    "buildDefinition": {
      "buildType": "https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/main/GUID-security-frameworks-SLSA-TAC-build-type.html#v1",
      "externalParameters": {
        "chartsRepository": {
          "url": "https://github.com/bitnami/charts"
        }
      },
      "internalParameters": {
        "buildCauses": [
          "Fixing CVE-2022-3715 affecting bash 5.1-6ubuntu1, fixed in version 5.1-6ubuntu1.1",
          "There was an upstream update in the zookeeper@13.0.x Helm Chart (app version 3.9.2): https://github.com/bitnami/charts/tree/aba387ac701a867d41c09ab5871d075d3ff23851/bitnami/zookeeper"
        ]
      },
      "resolvedDependencies": [
        {
          "uri": "https://github.com/bitnami/charts",
          "digest": {
            "gitCommit": "46825f40ce83acfb6d8fb43f39304eac76154405"
          },
          "name": "bitnami/charts"
        }
      ]
    },
    "runDetails": {
      "builder": {
        "id": "https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/main/GUID-security-frameworks-SLSA-level3-compliance.html"
      },
      "metadata": {
        "invocationID": "a666ba84-2327-456f-b6e3-386c0d79d280",
        "startedOn": "2024-03-21T16:24:08.706083Z",
        "finishedOn": "2024-03-21T16:29:53.706083Z"
      },
      "byproducts": [
        {
          "digest": {
            "sha256": "673bf76df31831889e60946179a97ee04b6b9fdcff64cc3e569d32f64983606b"
          },
          "name": "spdx-report",
          "annotations": {
            "filename": "spdx.json"
          }
        },
        {
          "digest": {
            "sha256": "980cbcc88fae687575c4c996f00bed5b2ac860eb98b9830e32a98f84849a32f1"
          },
          "name": "test-results",
          "annotations": {
            "filename": "test-results.tar.gz"
          }
        }
      ]
    }
  }
}

Version history

v1

Initial version
