Slsa-verifier v2.2.0 failing to install on Google Cloud Build image after Dependabot updates

Open drewroengoogle opened this issue 2 years ago • 9 comments

We are installing slsa-verifier in our CI system for flutter/cocoon based on the documentation provided here. We have enabled Dependabot to update the go modules automatically.

Last week, Dependabot created two commits to update rekor and docker (Rekor, Docker). After attempting to deploy with these two commits, we ran into the following error in Cloud Build:

Step #1: /go/pkg/mod/github.com/slsa-framework/slsa-verifier/[email protected]/verifiers/internal/gha/slsaprovenance/v1.0/provenance.go:8:2: no required module provides package github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1.0; to add it:
Step #1: 	go get github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1.0

When attempting to run go get github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1.0 on my own machine, within the cocoon repository, I am given the following error:

go: module github.com/in-toto/in-toto-golang@upgrade found (v0.9.0), but does not contain package github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1.0

I'm unsure what specific module is requiring this, but it does not seem that this package is able to be found during our installation. We have rolled back the dependencies and have been able to successfully install slsa-verifier once again, but we're concerned that future dependabot updates may cause this to fail again.

Please let me know if I can provide any more information! Our tooling directory containing slsa-verifier and required modules is available here: https://github.com/flutter/cocoon/tree/main/tooling

Related issue in flutter/cocoon: https://github.com/flutter/flutter/issues/126343

drewroengoogle avatar May 09 '23 19:05 drewroengoogle

Thanks. Not sure what happened here. @asraa @ianlewis thoughts?

laurentsimon avatar May 09 '23 19:05 laurentsimon

I think github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1.0 was renamed github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1 in https://github.com/in-toto/in-toto-golang/commit/8d135cb0fcd6c53e83f05c12a624e9199284a14f, but not sure why this suddenly broke the build.

laurentsimon avatar May 09 '23 19:05 laurentsimon

I think I know what's happening. Dependabot is trying to update the go.mod / go.sum, even though the slsa-verifier code / version was not updated, so the code still references the older (indirect) dependencies in the .go files: https://github.com/flutter/cocoon/pull/2700/files#diff-810a552ce8a98a3886a26fdbe1fa9e2b34b85212522303926dbfb3ef469f7d4f

In essence, go.mod / go.sum then become out of sync with the code itself. We need a way to tell dependabot to only update direct dependencies (and the corresponding indirect dependencies), but not the indirect dependencies alone.

laurentsimon avatar May 09 '23 19:05 laurentsimon

That sounds right! The package was removed from the final version of intoto released.

There should be some way of indicating direct only with the allow option with dependabot (https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#allow), but I have not checked the repo.

asraa avatar May 09 '23 20:05 asraa
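The allow option @asraa points to, shown as an added example (not from flutter/cocoon or the slsa-verifier project) of a dependabot.yml for the tooling module that pins slsa-verifier. It assumes the Go module lives under /tooling, as the issue describes, and that a weekly schedule is acceptable; whether this setting alone is enough for that repository is not recorded in the thread.

```yaml
# Added example, not the cocoon repo's real dependabot.yml.
# Assumption: the go.mod that pins slsa-verifier is in /tooling.
version: 2
updates:
  # Before (the failing case): with no allow filter, Dependabot bumps every
  # module listed in tooling/go.mod, including the "// indirect" entries
  # (rekor, docker, in-toto) that slsa-verifier v2.2.0's own source still
  # imports at the older version. go.mod/go.sum then no longer match the
  # code that `go install` compiles, and the build fails as in the issue.
  #
  # - package-ecosystem: "gomod"
  #   directory: "/tooling"
  #   schedule:
  #     interval: "weekly"

  # After: only direct dependencies are updated, i.e. slsa-verifier itself.
  # Indirect modules then move only when a new slsa-verifier release moves
  # them, so go.mod/go.sum stay consistent with the pinned code.
  - package-ecosystem: "gomod"
    directory: "/tooling"
    schedule:
      interval: "weekly"
    allow:
      - dependency-type: "direct"
```

After changing the filter, running `go install` for slsa-verifier from the tooling directory in CI remains the check that the pinned versions still build together.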

I think the root cause of the problem is that dependabot is unable to figure out that we only want the CLI installed, not the library. So it treats the dependencies as if they were part of a new application, instead of treating them as "pinned" to those of the slsa-verifier.

laurentsimon avatar May 09 '23 20:05 laurentsimon

Hmmmm maybe I see what you're saying with the library issue.

I think this would be fixed with the next version of slsa-verifier 2.3.0 right? This updates the library code to v0.8.0 of in-toto like the other deps (Rekor) they have.

asraa avatar May 09 '23 20:05 asraa

It would fix it for now, but it may break again in the future :/ Would be good to have a more reliable solution.

laurentsimon avatar May 09 '23 20:05 laurentsimon

Thank you both for your help with this! We can try something similar to what @asraa mentioned in regards to only looking to update slsa-verifier for now and see if it helps in preventing this in the future: https://github.com/flutter/cocoon/pull/2701

drewroengoogle avatar May 09 '23 21:05 drewroengoogle

Please let us know if the suggestion works or not, and we'll update the README accordingly. Thanks @asraa for the suggestion. I thought that direct was the default: "By default all dependencies that are explicitly defined in a manifest."

laurentsimon avatar May 09 '23 21:05 laurentsimon

@drewroengoogle please re-open if this is still an issue.

ramonpetgrave64 avatar Jul 02 '24 21:07 ramonpetgrave64