-
Notifications
You must be signed in to change notification settings - Fork 53
feat(cli): explode archive materials in chainloop att add #3254
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Changes from all commits
Commits
Show all changes
23 commits
Select commit
Hold shift + click to select a range
ff8c6e6
docs: add archive explode implementation plan
javirln 620e63b
feat(cli): detect archive materials for att add explode path
javirln 2ef4e7f
feat(cli): walk archive entries with zip-bomb and traversal guards
javirln 1e2c797
fix(cli): reject absolute and traversal paths in archive walk
javirln c0f0ea6
feat(cli): add archive-native allowlist and entry name allocation
javirln 336a5ff
refactor(crafter): split material crafting from state persistence
javirln e7a5c3c
feat(crafter): add AddMaterialsFromArchive for atomic archive expansion
javirln 1c7d1c9
fix(crafter): roll back policy evaluations and name temp files by ent…
javirln 51e7c69
feat(cli): route att add to archive explode path
javirln 4df7fa0
feat(cli): add archive extraction guard flags and multi-material output
javirln 68a241a
test(crafter): cover archive explode behavior; regen CLI docs
javirln 9b476f5
fix(crafter): export ErrUnsafeEntry sentinel and assert it in archive…
javirln 776c271
fix(cli): correct archive detection for non-file values and tighten g…
javirln 4959609
fix(cli): address archive-explode code review findings
javirln 59a7e5d
fix(cli): address archive-explode review comments
javirln 80edf98
fix(crafter): treat ENOTDIR as a non-archive in detectByMagic
javirln fd25513
fix(crafter): derive archive entry basename with OS-independent seman…
javirln 4b655dd
feat(crafter): name exploded archive materials sequentially
javirln a80157e
feat(crafter): use 0-indexed sequential names for exploded materials
javirln 201e313
style(crafter): extract defaultMaterialName constant
javirln 2ab872e
test(crafter): rename test var shadowing builtin real
javirln 123f890
refactor(cli): simplify archive-explode output and routing
javirln f992ccb
feat(cli): limit archive explode to an SBOM/SARIF allowlist
javirln File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,82 @@ | ||
| // | ||
| // Copyright 2026 The Chainloop Authors. | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| package action | ||
|
|
||
| import ( | ||
| "archive/zip" | ||
| "os" | ||
| "path/filepath" | ||
| "testing" | ||
|
|
||
| "github.com/chainloop-dev/chainloop/pkg/attestation/crafter/materials" | ||
| "github.com/stretchr/testify/assert" | ||
| "github.com/stretchr/testify/require" | ||
| ) | ||
|
|
||
| // writeTestZip creates a zip archive at dir/name containing a single file | ||
| // "entry.txt" and returns its path. | ||
| func writeTestZip(t *testing.T, dir, name string) string { | ||
| t.Helper() | ||
| path := filepath.Join(dir, name) | ||
| f, err := os.Create(path) | ||
| require.NoError(t, err) | ||
| defer f.Close() | ||
|
|
||
| w := zip.NewWriter(f) | ||
| entry, err := w.Create("entry.txt") | ||
| require.NoError(t, err) | ||
| _, err = entry.Write([]byte("hello")) | ||
| require.NoError(t, err) | ||
| require.NoError(t, w.Close()) | ||
| return path | ||
| } | ||
|
|
||
| func TestShouldExplode(t *testing.T) { | ||
| dir := t.TempDir() | ||
| zipPath := writeTestZip(t, dir, "s.zip") | ||
|
|
||
| // non-archive: a plain temp file with an unrecognised extension | ||
| plainPath := filepath.Join(dir, "plain.bin") | ||
| require.NoError(t, os.WriteFile(plainPath, []byte("not an archive"), 0600)) | ||
|
|
||
| tests := []struct { | ||
| name string | ||
| kind string | ||
| value string | ||
| wantFormat materials.ArchiveFormat | ||
| }{ | ||
| // A non-ArchiveNone format means the value will be exploded. Only | ||
| // explodable kinds (SBOM, SARIF) explode; everything else is recorded | ||
| // whole even when the value is an archive. | ||
| {"explodable SBOM + archive", "SBOM_CYCLONEDX_JSON", zipPath, materials.ArchiveZip}, | ||
| {"explodable SARIF + archive", "SARIF", zipPath, materials.ArchiveZip}, | ||
| {"non-explodable ARTIFACT + archive", "ARTIFACT", zipPath, materials.ArchiveNone}, | ||
| {"non-explodable EVIDENCE + archive", "EVIDENCE", zipPath, materials.ArchiveNone}, | ||
| {"archive-native ZAP + archive", "ZAP_DAST_ZIP", zipPath, materials.ArchiveNone}, | ||
| {"no kind", "", zipPath, materials.ArchiveNone}, | ||
| {"explodable kind + non-archive", "SBOM_CYCLONEDX_JSON", plainPath, materials.ArchiveNone}, | ||
| // Non-file values must never return an error — even for an explodable kind | ||
| // the value here is not a file path at all. | ||
| {"explodable kind STRING-like non-file value", "SARIF", "hello world", materials.ArchiveNone}, | ||
| } | ||
| for _, tc := range tests { | ||
| t.Run(tc.name, func(t *testing.T) { | ||
| format, err := shouldExplode(tc.kind, tc.value) | ||
| require.NoError(t, err) | ||
| assert.Equal(t, tc.wantFormat, format) | ||
| }) | ||
| } | ||
| } |
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.