slsa-verifier
Update canonical JSON library
@lukehinds pointed this out in the OpenSSF Slack:

> I don't know if this is the right channel, but wanted to discuss the use of canonical-json; it's what's used to canonicalise SLSA attestations (cjson) in the verifier code base. As someone developing an app that validates SLSA, I elected to use the same library to parse out payload metadata. The thing is, the project is hosted here: https://github.com/docker/go and it basically curls down the source files and un-tars them into the repo. The repo has not been updated in 8 years, so it's pulling down 1.16 code, and 1.16 is EOL. https://github.com/docker/go/blob/d30aec9fd63c35133f8f79c3412ad91a3b08be06/Makefile#L13-L18
The go-securesystemslib/cjson library is supported by the in-toto/TUF teams, and while it doesn't look to have a large test suite or handle all edge cases, it would work well enough for our purposes, as we only care about canonicalizing a DSSE envelope.
https://github.com/slsa-framework/slsa-verifier/blob/b01cb9d69cb87adbd1491f55ff9e54b399ed560d/verifiers/internal/gha/rekor.go#L326
go-securesystemslib/cjson is also used by cosign and in-toto:
- https://pkg.go.dev/github.com/secure-systems-lab/go-securesystemslib/cjson?tab=importedby
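To make concrete what the verifier actually needs from a canonical JSON library, here is an added example (not code from slsa-verifier, cosign or go-securesystemslib): a small Go re-implementation of the OLPC canonical JSON rules that cjson follows, applied to two layouts of a constructed DSSE envelope. It shows the one property that matters here, that every implementation produces the same bytes to hash or sign, and that the edge cases worth caring about are string escaping and non-integer numbers rather than anything envelope-specific. `Canonicalize`, the envelope contents and the sample values are assumptions of the example; production code should call `cjson.EncodeCanonical` from go-securesystemslib instead.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Only '"' and '\' are escaped; the single-pass Replacer never rescans its output.
var escaper = strings.NewReplacer(`\`, `\\`, `"`, `\"`)

// Canonicalize re-implements the OLPC canonical JSON rules that
// go-securesystemslib/cjson follows (a stand-in for cjson.EncodeCanonical, not
// that library's code): keys sorted bytewise, no whitespace, integers only.
func Canonicalize(raw []byte) ([]byte, error) {
	var tree interface{}
	dec := json.NewDecoder(strings.NewReader(string(raw)))
	dec.UseNumber() // keep integers exact instead of routing through float64
	if err := dec.Decode(&tree); err != nil {
		return nil, err
	}
	var sb strings.Builder
	if err := encode(&sb, tree); err != nil {
		return nil, err
	}
	return []byte(sb.String()), nil
}

func encode(sb *strings.Builder, v interface{}) error {
	switch x := v.(type) {
	case nil:
		sb.WriteString("null")
	case bool:
		sb.WriteString(strconv.FormatBool(x))
	case json.Number:
		i, err := x.Int64()
		if err != nil {
			return fmt.Errorf("canonical JSON forbids non-integer number %q", x)
		}
		sb.WriteString(strconv.FormatInt(i, 10))
	case string:
		sb.WriteString(`"` + escaper.Replace(x) + `"`)
	case []interface{}:
		sb.WriteByte('[')
		for i, e := range x {
			if i > 0 {
				sb.WriteByte(',')
			}
			if err := encode(sb, e); err != nil {
				return err
			}
		}
		sb.WriteByte(']')
	case map[string]interface{}:
		keys := make([]string, 0, len(x))
		for k := range x {
			keys = append(keys, k)
		}
		sort.Strings(keys) // bytewise: "payload" sorts before "payloadType"
		sb.WriteByte('{')
		for i, k := range keys {
			if i > 0 {
				sb.WriteByte(',')
			}
			sb.WriteString(`"` + escaper.Replace(k) + `":`)
			if err := encode(sb, x[k]); err != nil {
				return err
			}
		}
		sb.WriteByte('}')
	default:
		return fmt.Errorf("unsupported JSON value %T", v)
	}
	return nil
}

// Two layouts of one constructed DSSE envelope (not a real attestation): payload
// is base64 of {"_type":"https://in-toto.io/Statement/v0.1"}, sig of "signature".
const prettyEnvelope = `{ "signatures": [ { "sig": "c2lnbmF0dXJl", "keyid": "" } ],
  "payloadType": "application/vnd.in-toto+json",
  "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSJ9" }`

const compactEnvelope = `{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSJ9","signatures":[{"keyid":"","sig":"c2lnbmF0dXJl"}]}`

func main() {
	for _, in := range []string{prettyEnvelope, compactEnvelope} {
		c, err := Canonicalize([]byte(in))
		if err != nil {
			panic(err)
		}
		// Same canonical bytes, so the same digest to sign or look up, whatever
		// layout the producer used.
		fmt.Printf("%s\nsha256=%x\n", c, sha256.Sum256(c))
	}
}
```

The string handling is the part worth checking in whatever library is chosen: canonical JSON escapes only `"` and `\`, whereas `encoding/json` also escapes control characters and, by default, `<`, `>` and `&` as `\u` sequences, so hashing `json.Marshal` output directly would not match what cjson produces for a payload containing those bytes.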