handle missing predicate type (#2743)

* handle missing predicate type Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update github.com/docker/cli package for vulnerabilities Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix go.mod vulnerabilities Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2025-03-31 03:45:17 +00:00 · 2021-11-22 10:49:21 -08:00 · 2021-11-22 10:49:21 -08:00 · 3c9430d2fc
commit 3c9430d2fc
parent 4c28540f83
1 changed files with 31 additions and 13 deletions
--- a/pkg/engine/imageVerify.go
+++ b/pkg/engine/imageVerify.go
@ -217,28 +217,32 @@ func makeAddDigestPatch(imageInfo *context.ImageInfo, digest string) ([]byte, er
 func (iv *imageVerifier) attestImage(repository, key string, imageInfo *context.ImageInfo, attestationChecks []*v1.Attestation) *response.RuleResponse {
 	image := imageInfo.String()
 	start := time.Now()
+
 	statements, err := cosign.FetchAttestations(image, key, repository, iv.logger)
 	if err != nil {
 		iv.logger.Info("failed to fetch attestations", "image", image, "error", err, "duration", time.Since(start).Seconds())
 		return ruleError(iv.rule, utils.ImageVerify, fmt.Sprintf("failed to fetch attestations for %s", image), err)
 	}

-	iv.logger.V(3).Info("received attested statements", "statements", statements)
+	iv.logger.V(4).Info("received attestations", "statements", statements)
+	statementsByPredicate := buildStatementMap(statements)

 	for _, ac := range attestationChecks {
-		for _, s := range statements {
-			predicateType := s["predicateType"]
-			if ac.PredicateType == predicateType {
-				val, err := iv.checkAttestations(ac, s, imageInfo)
-				if err != nil {
-					return ruleError(iv.rule, utils.ImageVerify, "error while checking attestation", err)
-				}
+		statements := statementsByPredicate[ac.PredicateType]
+		if statements == nil {
+			msg := fmt.Sprintf("predicate type %s not found", ac.PredicateType)
+			return ruleResponse(iv.rule, utils.ImageVerify, msg, response.RuleStatusFail)
+		}

-				if !val {
-					msg := fmt.Sprintf("attestation checks failed for %s and predicate %s", imageInfo.String(), predicateType)
-					iv.logger.Info(msg)
-					return ruleResponse(iv.rule, utils.ImageVerify, msg, response.RuleStatusFail)
-				}
+		for _, s := range statements {
+			val, err := iv.checkAttestations(ac, s, imageInfo)
+			if err != nil {
+				return ruleError(iv.rule, utils.ImageVerify, "failed to check attestation", err)
+			}
+
+			if !val {
+				msg := fmt.Sprintf("attestation checks failed for %s and predicate %s", imageInfo.String(), ac.PredicateType)
+				return ruleResponse(iv.rule, utils.ImageVerify, msg, response.RuleStatusFail)
 			}
 		}
 	}
@ -248,6 +252,20 @@ func (iv *imageVerifier) attestImage(repository, key string, imageInfo *context.
 	return ruleResponse(iv.rule, utils.ImageVerify, msg, response.RuleStatusPass)
 }

+func buildStatementMap(statements []map[string]interface{}) map[string][]map[string]interface{} {
+	results := map[string][]map[string]interface{}{}
+	for _, s := range statements {
+		predicateType := s["predicateType"].(string)
+		if results[predicateType] != nil {
+			results[predicateType] = append(results[predicateType], s)
+		} else {
+			results[predicateType] = []map[string]interface{}{s}
+		}
+	}
+
+	return results
+}
+
 func (iv *imageVerifier) checkAttestations(a *v1.Attestation, s map[string]interface{}, img *context.ImageInfo) (bool, error) {
 	if len(a.Conditions) == 0 {
 		return true, nil