From b2535b90147bb3332da5d81eecd881dc9939f276 Mon Sep 17 00:00:00 2001
From: Susan Shi
Date: Mon, 15 Jul 2024 11:44:06 +1000
Subject: [PATCH] fix: validate plugin version for ratify cli (#1604)

Signed-off-by: Susan Shi
---
 pkg/verifier/factory/factory.go | 6 +++-
 pkg/verifier/factory/factory_test.go | 5 +-
 test/bats/cli-test.bats | 4 +++
 .../tests/config/sbom_version_mismatch.json | 31 +++++++++++++++++++
 4 files changed, 43 insertions(+), 3 deletions(-)
 create mode 100644 test/bats/tests/config/sbom_version_mismatch.json
diff --git a/pkg/verifier/factory/factory.go b/pkg/verifier/factory/factory.go
index eb3bedabf..a23bdcfde 100644
--- a/pkg/verifier/factory/factory.go
+++ b/pkg/verifier/factory/factory.go
@@ -97,7 +97,11 @@ func CreateVerifierFromConfig(verifierConfig config.VerifierConfig, configVersio
 return nil, re.ErrorCodePluginNotFound.NewError(re.Verifier, "", re.EmptyLink, err, "plugin not found", re.HideStackTrace)
 }
- return plugin.NewVerifier(configVersion, verifierConfig, pluginBinDir)
+ pluginVersion := configVersion
+ if value, ok := verifierConfig[types.Version]; ok {
+ pluginVersion = value.(string)
+ }
+ return plugin.NewVerifier(pluginVersion, verifierConfig, pluginBinDir)
 }
 // TODO pointer to avoid copy
diff --git a/pkg/verifier/factory/factory_test.go b/pkg/verifier/factory/factory_test.go
index d1d6be868..273e76b00 100644
--- a/pkg/verifier/factory/factory_test.go
+++ b/pkg/verifier/factory/factory_test.go
@@ -111,8 +111,9 @@ func TestCreateVerifiersFromConfig_PluginVerifiers_ReturnsExpected(t *testing.T)
 defer os.RemoveAll(dirPath)
 verifierConfig := map[string]interface{}{
- "name": "plugin-verifier-0",
- "type": "sample",
+ "name": "plugin-verifier-0",
+ "type": "sample",
+ "version": "1.0.0",
 }
 verifiersConfig := config.VerifiersConfig{
 Verifiers: []config.VerifierConfig{verifierConfig},
diff --git a/test/bats/cli-test.bats b/test/bats/cli-test.bats
index 1960eac56..ae8f78d2d 100644
--- a/test/bats/cli-test.bats
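Review bot: `pluginVersion = value.(string)` is an unchecked type assertion on a value read from the user-supplied config file, so a `version` that is not a JSON string (a number such as `1.0`, or `null`, which arrives as a nil interface) panics the CLI instead of producing a validation error. The comma-ok form keeps the fallback and cannot panic: `if v, ok := verifierConfig[types.Version].(string); ok { pluginVersion = v }`; if a non-string version should be rejected rather than silently ignored, return an error at that point using whichever `re.ErrorCode…` the factory already uses for malformed verifier config. The lookup would also benefit from a one-line comment such as `// a per-plugin version takes precedence over the verifier-section version`, since the precedence is not obvious from NewVerifier's parameter name. CreateVerifierFromConfig's signature and the preceding body are outside the hunk.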
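Review bot: The added `"version": "1.0.0"` does not exercise the new code path, because a test using the same value that is passed as configVersion cannot tell whether the plugin received the per-plugin version or the verifier-section version. A value that differs from configVersion, with an assertion on the version the created verifier reports (if it exposes one), would pin the override; a case with the key absent (fallback) and one with a non-string value such as `"version": 1` would cover the remaining branches of the new lookup in factory.go. The call under test and its assertions are outside the hunk.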
+++ b/test/bats/cli-test.bats
@@ -75,6 +75,10 @@ load helpers
 }
 @test "sbom verifier test" {
+ # run with mismatch plugin version config should fail
+ run bin/ratify verify -c $RATIFY_DIR/sbom_version_mismatch.json -s $TEST_REGISTRY/sbom:v0
+ assert_cmd_verify_failure
+
 # run with deny license config should fail
 run bin/ratify verify -c $RATIFY_DIR/sbom_denylist_config_licensematch.json -s $TEST_REGISTRY/sbom:v0
 assert_cmd_verify_failure
diff --git a/test/bats/tests/config/sbom_version_mismatch.json b/test/bats/tests/config/sbom_version_mismatch.json
new file mode 100644
index 000000000..7713dd756
--- /dev/null
+++ b/test/bats/tests/config/sbom_version_mismatch.json
@@ -0,0 +1,31 @@
+{
+ "store": {
+ "version": "1.0.0",
+ "plugins": [
+ {
+ "name": "oras",
+ "useHttp": true
+ }
+ ]
+ },
+ "policy": {
+ "version": "1.0.0",
+ "plugin": {
+ "name": "configPolicy",
+ "artifactVerificationPolicies": {
+ "application/spdx+json": "all"
+ }
+ }
+ },
+ "verifier": {
+ "version": "1.0.0",
+ "plugins": [
+ {
+ "version": "3.0.0",
+ "name": "sbom",
+ "artifactTypes": "application/spdx+json",
+ "disallowedLicenses": ["NOASSERTION"]
+ }
+ ]
+ }
+}
\ No newline at end of file
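Review bot: `assert_cmd_verify_failure` after the new `run` only checks that the verify command failed, so an unrelated failure (registry unreachable, config path not found) would also pass this step and the version-mismatch rejection would go unverified. Following it with a check on `$output` for the mismatch error text the verifier emits (the exact message is not visible here) would make the assertion specific to the behaviour the fixture targets. The helpers that `load helpers` provides are outside the hunk.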