This is a SLSA Provenance buildType that describes the execution of a Tanzu Application Catalog artifact build workflow.
"buildType": "https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/main/GUID-security-frameworks-SLSA-TAC-build-type.html"
This buildType
describes the execution of a Tanzu Application Catalog build pipeline.
Depending on the kind of the artifact, the externalParameters
, internalParameters
, and resolvedDependencies
may vary. The different schemas according to each artifact are:
Parameter | Type | Description |
---|---|---|
baseImage | string | The base image of the container image |
Parameter | Type | Description |
---|---|---|
buildCauses | array | The different events that triggered the build |
containerSources | object<resourceDescriptor> | Resource descriptor referencing the source files to build the container image |
The resolvedDependencies
SHOULD contain an entry identifying the digest of the base image used by the container image corresponding to the externalParameters.baseImage
.
Parameter | Type | Description |
---|---|---|
chartsRepository | object | information about the charts repository used as template |
chartsRepository.url | string | URL of the charts repository used as template |
Parameter | Type | Description |
---|---|---|
buildCauses | array | The different events that triggered the build |
The resolvedDependencies
SHOULD contain an entry identifying the exact commit of the charts repository corresponding to externalDependencies.chartsRepository.url
used as a template to build the helm chart.
The invocationId SHOULD be set to the UUID that unequivocally identifies the internal build run. With this UUID, the Tanzu Application Catalog team will be able to perform a deep analysis of the build process.
{
"_type": "https://in-toto.io/Statement/v1",
"predicateType": "https://slsa.dev/provenance/v1",
"subject": [
{
"name": "apache",
"digest": {
"sha256": "3791e9051d289e9c656b268d63563f2e11ce7aec231e3fdb3c3cbad9ad35c094"
}
},
{
"name": "apache - linux/amd64",
"digest": {
"sha256": "08da6c45919a3f243f80ca71b72a3c0f4cd50aefb8706fb0f423f6d34487f59f"
}
},
{
"name": "apache - linux/arm64",
"digest": {
"sha256": "8fd02ffd3ac39c79f952a6191b15f3ae9a9feff261ec588509801957f26ea4b0"
}
}
],
"predicate": {
"buildDefinition": {
"buildType": "https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/main/GUID-security-frameworks-SLSA-TAC-build-type.html#v1",
"externalParameters": {
"baseImage": "bitnami/minideb:bullseye"
},
"internalParameters": {
"buildCauses": [
"apache updated to 2.4.58"
],
"containerSources": {
"digest": {
"sha256": "945839b0efacecb84eb4780acf45839e8a8e1485b9fc7de562e8279590469291"
},
"annotations": {
"filename": "apache-2.4.58-r25-debian-11-container.tar.gz"
}
}
},
"resolvedDependencies": [
{
"uri": "bitnami/minideb@sha256:daa7b912186b10ec7a1f4f5f26b29364bd5d7e068e140474c33e6baa31b5c66c",
"digest": {
"sha256": "daa7b912186b10ec7a1f4f5f26b29364bd5d7e068e140474c33e6baa31b5c66c"
},
"name": "container-base-image",
"annotations": {
"imageName": "minideb",
"imageRepository": "bitnami",
"imageTag": "bullseye"
}
}
]
},
"runDetails": {
"builder": {
"id": "https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/main/GUID-security-frameworks-SLSA-level3-compliance.html"
},
"metadata": {
"invocationID": "a2c7290c-6a39-4e1f-b64a-f2d0fc44445a",
"startedOn": "2024-03-21T13:45:29.768443Z",
"finishedOn": "2024-03-21T14:01:11.768443Z"
},
"byproducts": [
{
"digest": {
"sha256": "7221c56323e257ea339ea5d62e960f4b506d9418004a1ab9f2b3a2f89a6bcb35"
},
"name": "spdx-report",
"annotations": {
"filename": "spdx.json"
}
},
{
"digest": {
"sha256": "68e1c2ed236e1ebdeb397363bf9aea860cb0152cabaafdbcd62cc14cbcdc77cf"
},
"name": "test-results",
"annotations": {
"filename": "test-results.tar.gz"
}
},
{
"digest": {
"sha256": "19c2b85fbfe597694c32b7525f50cacdc05cb0643e04058cb69dba3d3acf2a73"
},
"name": "vulnerability-scan",
"annotations": {
"filename": "cve-trivy-scanner-output-linux-arm64.json",
"platform": {
"os": "linux",
"architecture": "arm64"
}
}
},
{
"digest": {
"sha256": "79c7b22c8f4660f48904c6e0a56e2f6aab873771835e04bd2bb5e6f41b91c43b"
},
"name": "vulnerability-scan",
"annotations": {
"filename": "cve-trivy-scanner-output-linux-amd64.json",
"platform": {
"os": "linux",
"architecture": "amd64"
}
}
},
{
"digest": {
"sha256": "c4480311da92a5772f47769e08cb9facfac5e1c5c68b37290dada5406aa7b240"
},
"name": "vulnerability-cvrf",
"annotations": {
"filename": "vulnerability-cvrf-report-linux-arm64.xml",
"platform": {
"os": "linux",
"architecture": "arm64"
}
}
},
{
"digest": {
"sha256": "4de551f3270597a20cd745abf57f71d926d7fb2386291e889c2e3e2d1c6ebc08"
},
"name": "vulnerability-cvrf",
"annotations": {
"filename": "vulnerability-cvrf-report-linux-amd64.xml",
"platform": {
"os": "linux",
"architecture": "amd64"
}
}
},
{
"digest": {
"sha256": "7fe758b9faa6d39e4926973b4fe59d8c3166cd24c59b6925873315e39c8101fd"
},
"name": "vulnerability-scan-summary",
"annotations": {
"filename": "cve-trivy-scanner-summary-linux-arm64.json",
"platform": {
"os": "linux",
"architecture": "arm64"
}
}
},
{
"digest": {
"sha256": "7fe758b9faa6d39e4926973b4fe59d8c3166cd24c59b6925873315e39c8101fd"
},
"name": "vulnerability-scan-summary",
"annotations": {
"filename": "cve-trivy-scanner-summary-linux-amd64.json",
"platform": {
"os": "linux",
"architecture": "amd64"
}
}
},
{
"digest": {
"sha256": "c04552901e1e712e84d57b6fb4a6c8f63dd5732671a735f29b0bf37ff1e1fe52"
},
"name": "antivirus-scan",
"annotations": {
"filename": "clamav-antivirus-scan-linux-arm64.log",
"platform": {
"os": "linux",
"architecture": "arm64"
}
}
},
{
"digest": {
"sha256": "f43dd50593b4f6c0166b9254943be7ee65f31c2ed9f90ddb90bb9405398edd17"
},
"name": "antivirus-scan",
"annotations": {
"filename": "clamav-antivirus-scan-linux-amd64.log",
"platform": {
"os": "linux",
"architecture": "amd64"
}
}
},
{
"digest": {
"sha256": "945839b0efacecb84eb4780acf45839e8a8e1485b9fc7de562e8279590469291"
},
"name": "source-container",
"annotations": {
"filename": "apache-2.4.58-r25-debian-11-container.tar.gz"
}
}
]
}
}
}
{
"_type": "https://in-toto.io/Statement/v1",
"predicateType": "https://slsa.dev/provenance/v1",
"subject": [
{
"name": "zookeeper",
"digest": {
"sha256": "8ae68b04b29593639c9c49b7f5697ebda6a289c0d48ddc1212f64c2e5a65ab6f"
}
}
],
"predicate": {
"buildDefinition": {
"buildType": "https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/main/GUID-security-frameworks-SLSA-TAC-build-type.html#v1",
"externalParameters": {
"chartsRepository": {
"url": "https://github.com/bitnami/charts"
}
},
"internalParameters": {
"buildCauses": [
"Fixing CVE-2022-3715 affecting bash 5.1-6ubuntu1, fixed in version 5.1-6ubuntu1.1",
"There was an upstream update in the zookeeper@13.0.x Helm Chart (app version 3.9.2): https://github.com/bitnami/charts/tree/aba387ac701a867d41c09ab5871d075d3ff23851/bitnami/zookeeper"
]
},
"resolvedDependencies": [
{
"uri": "https://github.com/bitnami/charts",
"digest": {
"gitCommit": "46825f40ce83acfb6d8fb43f39304eac76154405"
},
"name": "bitnami/charts"
}
]
},
"runDetails": {
"builder": {
"id": "https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/main/GUID-security-frameworks-SLSA-level3-compliance.html"
},
"metadata": {
"invocationID": "a666ba84-2327-456f-b6e3-386c0d79d280",
"startedOn": "2024-03-21T16:24:08.706083Z",
"finishedOn": "2024-03-21T16:29:53.706083Z"
},
"byproducts": [
{
"digest": {
"sha256": "673bf76df31831889e60946179a97ee04b6b9fdcff64cc3e569d32f64983606b"
},
"name": "spdx-report",
"annotations": {
"filename": "spdx.json"
}
},
{
"digest": {
"sha256": "980cbcc88fae687575c4c996f00bed5b2ac860eb98b9830e32a98f84849a32f1"
},
"name": "test-results",
"annotations": {
"filename": "test-results.tar.gz"
}
}
]
}
}
}
Initial version