
Clarify 'dependencies complete' at L4

Open TomHennen opened this issue 2 years ago • 4 comments

There seems to be some confusion around whether 'dependencies complete' means that the provenance lists all transitive dependencies.

My view is that I don't think it does, but others have different (sometimes subtly different) thoughts on the matter.

Can we clarify what it means?

TomHennen avatar Mar 16 '22 21:03 TomHennen

For clarity's sake I think it'd be better to use the term "all transitive dependencies" or similar. You could argue that you have a complete set of direct dependencies.

david-a-wheeler avatar Mar 16 '22 21:03 david-a-wheeler

I'd support the idea that it's "all dependencies, including transitive dependencies" and have the language make that clear. But there's room for differing views.

jspeed-meyers avatar Mar 17 '22 14:03 jspeed-meyers

I believe the problem comes down to ambiguity of the term "transitive."

Let's consider a concrete example, a Python-based Dockerfile build:

FROM python:3.8-slim-buster
RUN pip3 install numpy requests
# ...

There are three "direct" dependencies, which obviously must be included in the provenance:

However, the pip command will additionally fetch all transitive Python dependencies. These must be included in the provenance as well because they are fetched as part of the build:

  • pkg:pypi/certifi
  • pkg:pypi/charset-normalizer
  • pkg:pypi/idna
  • pkg:pypi/urllib3

However, the dependencies that went into the builds of the above artifacts should not be included in the provenance, such as:

  • The dependencies that went into building numpy, such as Cython. These artifacts did not go into the Dockerfile-based build, thus they should not be recorded.
  • The base image of the python docker image, namely pkg:oci/debian?tag=buster-slim. While technically this artifact was fetched as part of the build since it is one of the layers of the OCI image, the hash of the pkg:oci/python artifact covers all layers so we only list the top-level hash.

Each of these "transitive" dependencies should have their own provenance explaining what went into them.

MarkLodato avatar Mar 17 '22 14:03 MarkLodato
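The rule in the comment above, written out as code. This is an added example, not code from the SLSA project or from any participant in this thread. It takes a constructed fetch log for the Dockerfile build (one entry per artifact the builder actually downloaded, with made-up digests), turns it into a SLSA v0.2 `materials` list, and then runs the completeness check a verifier would want: every fetched artifact must appear in `materials` with a matching digest. Cython and the `debian:buster-slim` base image are kept in a separate, constructed "upstream build deps" table to show that they are deliberately absent. The builder and buildType ids are placeholders.

```python
import hashlib
import json


def fake_digest(label: str) -> str:
    """Constructed stand-in for a real content digest (illustration only)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed fetch log: one entry per artifact the builder downloaded while
# executing the Dockerfile from the discussion
# (FROM python:3.8-slim-buster; RUN pip3 install numpy requests).
# Digests are made up. "layers" holds the image's layer digests, which the
# top-level image digest already covers, so they are never listed separately.
FETCH_LOG = [
    {"uri": "pkg:oci/python?tag=3.8-slim-buster",
     "sha256": fake_digest("python:3.8-slim-buster"),
     "layers": [fake_digest("debian:buster-slim"), fake_digest("python-layer")]},
    {"uri": "pkg:pypi/numpy", "sha256": fake_digest("numpy.whl")},
    {"uri": "pkg:pypi/requests", "sha256": fake_digest("requests.whl")},
    {"uri": "pkg:pypi/certifi", "sha256": fake_digest("certifi.whl")},
    {"uri": "pkg:pypi/charset-normalizer", "sha256": fake_digest("charset-normalizer.whl")},
    {"uri": "pkg:pypi/idna", "sha256": fake_digest("idna.whl")},
    {"uri": "pkg:pypi/urllib3", "sha256": fake_digest("urllib3.whl")},
]

# Constructed: what went into building the fetched artifacts upstream. None of
# these entered *this* build, so they belong in the upstream artifacts' own
# provenance, not in ours.
UPSTREAM_BUILD_DEPS = {
    "pkg:pypi/numpy": ["pkg:pypi/cython"],
    "pkg:oci/python?tag=3.8-slim-buster": ["pkg:oci/debian?tag=buster-slim"],
}


def materials_from_fetch_log(fetch_log):
    """One material per artifact the build fetched: the direct deps and the
    transitive ones pip resolved, but not image layers (covered by the image
    digest) and not the upstream build-time dependencies."""
    return [{"uri": e["uri"], "digest": {"sha256": e["sha256"]}} for e in fetch_log]


def upstream_only(fetch_log, upstream_build_deps):
    """Purls that went into building fetched artifacts but were not fetched by
    this build: these are deliberately absent from materials."""
    fetched = {e["uri"] for e in fetch_log}
    return sorted(d for deps in upstream_build_deps.values() for d in deps if d not in fetched)


def build_provenance(subject_name, subject_sha256, materials):
    """Minimal in-toto statement carrying a SLSA v0.2 provenance predicate.
    builder.id and buildType are assumed placeholders, not real values."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": subject_name, "digest": {"sha256": subject_sha256}}],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {
            "builder": {"id": "https://example.com/builder"},          # assumed
            "buildType": "https://example.com/dockerfile-build",        # assumed
            "materials": materials,
        },
    }


def missing_materials(provenance, fetch_log):
    """Completeness check: every fetched artifact must appear in materials with
    a matching digest. Returns the uris that are missing or digest-mismatched."""
    recorded = {(m["uri"], m["digest"].get("sha256"))
                for m in provenance["predicate"]["materials"]}
    return [e["uri"] for e in fetch_log if (e["uri"], e["sha256"]) not in recorded]


def main():
    materials = materials_from_fetch_log(FETCH_LOG)
    prov = build_provenance("example-image", fake_digest("example-image"), materials)
    print(json.dumps(prov, indent=2))
    print("left to upstream provenance:", upstream_only(FETCH_LOG, UPSTREAM_BUILD_DEPS))
    print("missing:", missing_materials(prov, FETCH_LOG))
    # Dropping a pip-resolved transitive dependency makes the check fail.
    trimmed = [m for m in materials if m["uri"] != "pkg:pypi/urllib3"]
    incomplete = build_provenance("example-image", fake_digest("example-image"), trimmed)
    print("missing after dropping urllib3:", missing_materials(incomplete, FETCH_LOG))


if __name__ == "__main__":
    main()
```

The check keys on (uri, digest) rather than uri alone, so a provenance that lists the right package name with the wrong hash is reported as incomplete too; the second run in `main` shows what happens when a transitive dependency that pip actually fetched is left out.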

Note that the SLSA requirements now include "Includes all transitive dependencies" at L4. That requirement should probably be part of whatever clarification we do as a part of this issue.

TomHennen avatar Sep 19 '22 19:09 TomHennen