Projects STRLCPY syft Commits 8c916055
  • ■ ■ ■ ■ ■ ■
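--- a/cmd/syft/cli/attest/attest.go
+++ b/cmd/syft/cli/attest/attest.go
@@ -97,6 +97,7 @@
  return sBytes, nil
 }
 
+//nolint:funlen
 func execWorker(app *config.Application, si source.Input, writer sbom.Writer) <-chan error {
  errs := make(chan error)
  go func() {
@@ -131,9 +132,18 @@
  }
 
  args := []string{"attest", si.UserInput, "--type", "custom", "--predicate", f.Name()}
+ if app.Attest.Key != "" {
+ args = append(args, "--key", app.Attest.Key)
+ }
+
  execCmd := exec.Command(cmd, args...)
  execCmd.Env = os.Environ()
- execCmd.Env = append(execCmd.Env, "COSIGN_EXPERIMENTAL=1")
+ if app.Attest.Key != "" {
+ execCmd.Env = append(execCmd.Env, fmt.Sprintf("COSIGN_PASSWORD=%s", app.Attest.Password))
+ } else {
+ // no key provided, use cosign's keyless mode
+ execCmd.Env = append(execCmd.Env, "COSIGN_EXPERIMENTAL=1")
+ }
 
  // bus adapter for ui to hook into stdout via an os pipe
  r, w, err := os.Pipe()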
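Review bot: The key branch appends `COSIGN_PASSWORD=` even when `attest.password` is empty, and because it comes after `os.Environ()` and os/exec keeps the last duplicate key, a `COSIGN_PASSWORD` the user already exported is silently replaced by an empty string. Append it only when a password is configured: `if app.Attest.Password != "" { execCmd.Env = append(execCmd.Env, "COSIGN_PASSWORD="+app.Attest.Password) }`. Handing the secret to cosign through the child environment rather than argv is the right choice, and a one-line comment saying so (`// password goes via env, never argv, so it does not show up in process listings`) would keep a later refactor from turning it into a flag. execWorker's body continues outside both hunks, so how the run behaves when a key is given with no password at all should be confirmed there.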
  • ■ ■ ■ ■ ■ ■
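--- a/cmd/syft/cli/attest.go
+++ b/cmd/syft/cli/attest.go
@@ -20,8 +20,7 @@
  attestHelp = attestExample + attestSchemeHelp
 )
 
-//nolint:dupl
-func Attest(v *viper.Viper, app *config.Application, ro *options.RootOptions, po *options.PackagesOptions) *cobra.Command {
+func Attest(v *viper.Viper, app *config.Application, ro *options.RootOptions, po *options.PackagesOptions, ao *options.AttestOptions) *cobra.Command {
  cmd := &cobra.Command{
  Use: "attest --output [FORMAT] <IMAGE>",
  Short: "Generate an SBOM as an attestation for the given [SOURCE] container image",
@@ -50,8 +49,14 @@
  },
  }
 
- // syft attest is an enhancment of the packages command, so it should have the same flags
+ // syft attest is an enhancement of the packages command, so it should have the same flags
  err := po.AddFlags(cmd, v)
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ // syft attest has its own options not included as part of the packages command
+ err = ao.AddFlags(cmd, v)
  if err != nil {
  log.Fatal(err)
  }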
  • ■ ■ ■ ■ ■
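--- a/cmd/syft/cli/commands.go
+++ b/cmd/syft/cli/commands.go
@@ -45,12 +45,13 @@
  // we also need the command to have information about the `root` options because of this alias
  ro := &options.RootOptions{}
  po := &options.PackagesOptions{}
+ ao := &options.AttestOptions{}
  packagesCmd := Packages(v, app, ro, po)
 
  // root options are also passed to the attestCmd so that a user provided config location can be discovered
  poweruserCmd := PowerUser(v, app, ro)
  convertCmd := Convert(v, app, ro, po)
- attestCmd := Attest(v, app, ro, po)
+ attestCmd := Attest(v, app, ro, po, ao)
 
  // rootCmd is currently an alias for the packages command
  rootCmd := &cobra.Command{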
  • ■ ■ ■ ■ ■ ■
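--- a/cmd/syft/cli/options/attest.go
+++ b/cmd/syft/cli/options/attest.go
@@ -0,0 +1,26 @@
+package options
+
+import (
+ "github.com/spf13/cobra"
+ "github.com/spf13/pflag"
+ "github.com/spf13/viper"
+)
+
+type AttestOptions struct {
+ Key string
+}
+
+var _ Interface = (*AttestOptions)(nil)
+
+func (o AttestOptions) AddFlags(cmd *cobra.Command, v *viper.Viper) error {
+ cmd.Flags().StringVarP(&o.Key, "key", "k", "", "the key to use for the attestation")
+ return bindAttestConfigOptions(cmd.Flags(), v)
+}
+
+func bindAttestConfigOptions(flags *pflag.FlagSet, v *viper.Viper) error {
+ if err := v.BindPFlag("attest.key", flags.Lookup("key")); err != nil {
+ return err
+ }
+ return nil
+}
+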
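Review bot: `AddFlags` has a value receiver, so `&o.Key` points at a field of the copy made for the call, and the `Key` of the `AttestOptions` allocated in commands.go is never written; the flag value only reaches the application through the viper binding to `attest.key`. A pointer receiver fixes that and still satisfies the `(*AttestOptions)(nil)` assertion: `func (o *AttestOptions) AddFlags(cmd *cobra.Command, v *viper.Viper) error {`. The exported type and method also have no doc comments; `// AttestOptions holds the flags that are specific to syft attest.` would be a start, and the flag help could say what forms of key reference are accepted. `bindAttestConfigOptions` can be reduced to `return v.BindPFlag("attest.key", flags.Lookup("key"))`.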
  • ■ ■ ■ ■ ■
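--- a/internal/config/application.go
+++ b/internal/config/application.go
@@ -47,6 +47,7 @@
  Log logging `yaml:"log" json:"log" mapstructure:"log"` // all logging-related options
  Catalogers []string `yaml:"catalogers" json:"catalogers" mapstructure:"catalogers"`
  Package pkg `yaml:"package" json:"package" mapstructure:"package"`
+ Attest attest `yaml:"attest" json:"attest" mapstructure:"attest"`
  FileMetadata FileMetadata `yaml:"file-metadata" json:"file-metadata" mapstructure:"file-metadata"`
  FileClassification fileClassification `yaml:"file-classification" json:"file-classification" mapstructure:"file-classification"`
  FileContents fileContents `yaml:"file-contents" json:"file-contents" mapstructure:"file-contents"`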
  • ■ ■ ■ ■ ■ ■
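--- a/internal/config/attest.go
+++ b/internal/config/attest.go
@@ -0,0 +1,14 @@
+package config
+
+import "github.com/spf13/viper"
+
+type attest struct {
+ Key string `yaml:"key" json:"key" mapstructure:"key"`
+ Password string `yaml:"password" json:"password" mapstructure:"password"`
+}
+
+func (cfg attest) loadDefaultValues(v *viper.Viper) {
+ v.SetDefault("attest.key", "")
+ v.SetDefault("attest.password", "")
+}
+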
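Review bot: The `Password` field is tagged for both YAML and JSON output, so any code path that marshals the application config (a debug dump or config printout, if the project has one; none is visible here) would write the signing-key password in clear text. Loading appears to go through the `mapstructure` tag, so the output tags can be set to `"-"` on that field while keeping `mapstructure:"password"`. A field comment such as `// Password unlocks the private key; secret, never log or serialize` would make the intent explicit for later maintainers. Storing the password in a config file at all also deserves a line in the user documentation about file permissions.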
  • ■ ■ ■ ■ ■ ■
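--- a/ui/event_handlers.go
+++ b/ui/event_handlers.go
@@ -618,6 +618,9 @@
  text := s.Text()
  if strings.Contains(text, "tlog entry created with index") {
  tlogEntry = text
+ } else {
+ // no tlog entry create so user used personal PKI
+ tlogEntry = "signed attestation using provided key"
  }
  _, err = line.Write([]byte(fmt.Sprintf(" %s %s", auxInfoFormat.Sprintf("░░"), text)))
  if err != nil {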
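Review bot: The new `else` runs for every line that lacks the tlog marker, so if this sits inside the scanner loop (the loop header is outside the hunk) any output cosign prints after "tlog entry created with index" overwrites `tlogEntry`, and a keyless run is reported as signed with a provided key. Set the fallback only when nothing has been captured yet, `} else if tlogEntry == "" {`, or assign it once after the loop ends. The fallback text also asserts a successful signature from the mere absence of a log line; it would be more accurate to derive it from whether a key was configured and whether cosign exited without error.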