feat: fill ErrorReason and Remediation during verifierReport generation

ratify-project · Aug 4, 2024 · b743d51 · b743d51
1 parent 65eb936
commit b743d51
Show file tree

Hide file tree

Showing 10 changed files with 645 additions and 164 deletions.
diff --git a/pkg/executor/core/executor.go b/pkg/executor/core/executor.go
@@ -176,13 +176,17 @@ func (executor Executor) verifyReferenceForJSONPolicy(ctx context.Context, subje
 			verifierStartTime := time.Now()
 			verifyResult, err := verifier.Verify(ctx, subjectRef, referenceDesc, referrerStore)
 			if err != nil {
+				verifierErr := errors.ErrorCodeVerifyReferenceFailure.NewError(errors.Verifier, verifier.Name(), errors.EmptyLink, err, nil, errors.HideStackTrace)
 				verifyResult = vr.VerifierResult{
 					IsSuccess:    false,
 					Name:         verifier.Name(), // Deprecating Name in v2, switch to VerifierName instead.
 					Type:         verifier.Type(), // Deprecating Type in v2, switch to VerifierType instead.
 					VerifierName: verifier.Name(),
 					VerifierType: verifier.Type(),
-					Message:      errors.ErrorCodeVerifyReferenceFailure.NewError(errors.Verifier, verifier.Name(), errors.EmptyLink, err, nil, errors.HideStackTrace).Error()}
+					Message:      verifierErr.GetFullDetails(),
+					ErrorReason:  verifierErr.GetRootCause(),
+					Remediation:  verifierErr.GetRootRemediation(),
+				}
 			}
 
 			if len(verifier.GetNestedReferences()) > 0 {
@@ -228,13 +232,17 @@ func (executor Executor) verifyReferenceForRegoPolicy(ctx context.Context, subje
 			verifierStartTime := time.Now()
 			verifierResult, err := verifier.Verify(errCtx, subjectRef, referenceDesc, referrerStore)
 			if err != nil {
+				verifierErr := errors.ErrorCodeVerifyReferenceFailure.NewError(errors.Verifier, verifier.Name(), errors.EmptyLink, err, nil, errors.HideStackTrace)
 				verifierReport = vt.VerifierResult{
 					IsSuccess:    false,
 					Name:         verifier.Name(), // Deprecating Name in v2, switch to VerifierName instead.
 					Type:         verifier.Type(), // Deprecating Type in v2, switch to VerifierType instead.
 					VerifierName: verifier.Name(),
 					VerifierType: verifier.Type(),
-					Message:      errors.ErrorCodeVerifyReferenceFailure.NewError(errors.Verifier, verifier.Name(), errors.EmptyLink, err, nil, errors.HideStackTrace).Error()}
+					Message:      verifierErr.GetFullDetails(),
+					ErrorReason:  verifierErr.GetRootCause(),
+					Remediation:  verifierErr.GetRootRemediation(),
+				}
 			} else {
 				verifierReport = vt.NewVerifierResult(verifierResult)
 			}

diff --git a/pkg/executor/types/types.go b/pkg/executor/types/types.go
@@ -29,6 +29,7 @@ type VerifyResult struct {
 
 // NestedVerifierReport describes the results of verifying an artifact and its
 // nested artifacts by available verifiers.
+// Note: NestedVerifierReport is used for verification results in v1.
 type NestedVerifierReport struct {
 	Subject         string                 `json:"subject"`
 	ReferenceDigest string                 `json:"referenceDigest"`

diff --git a/pkg/policyprovider/configpolicy/configpolicy.go b/pkg/policyprovider/configpolicy/configpolicy.go
@@ -97,10 +97,13 @@ func (enforcer PolicyEnforcer) ContinueVerifyOnFailure(_ context.Context, _ comm
 
 // ErrorToVerifyResult converts an error to a properly formatted verify result
 func (enforcer PolicyEnforcer) ErrorToVerifyResult(_ context.Context, subjectRefString string, verifyError error) types.VerifyResult {
+	verifierErr := re.ErrorCodeVerifyReferenceFailure.WithDetail(fmt.Sprintf("failed to verify artifact: %s", subjectRefString)).WithError(verifyError)
 	errorReport := verifier.VerifierResult{
-		Subject:   subjectRefString,
-		IsSuccess: false,
-		Message:   fmt.Sprintf("verification failed: %v", verifyError),
+		Subject:     subjectRefString,
+		IsSuccess:   false,
+		Message:     verifierErr.GetFullDetails(),
+		ErrorReason: verifierErr.GetRootCause(),
+		Remediation: verifierErr.GetRootRemediation(),
 	}
 	var reports []interface{}
 	reports = append(reports, errorReport)

diff --git a/pkg/verifier/cosign/cosign.go b/pkg/verifier/cosign/cosign.go
@@ -485,14 +485,16 @@ func staticLayerOpts(desc imgspec.Descriptor) ([]static.Option, error) {
 
 // ErrorToVerifyResult returns a verifier result with the error message and isSuccess set to false
 func errorToVerifyResult(name string, verifierType string, err error) verifier.VerifierResult {
+	verifierErr := re.ErrorCodeVerifyReferenceFailure.WithDetail("cosign verification failed").WithError(err)
 	return verifier.VerifierResult{
 		IsSuccess:    false,
 		Name:         name,         // Deprecating Name in v2, switch to VerifierName instead.
 		Type:         verifierType, // Deprecating Type in v2, switch to VerifierType instead.
 		VerifierName: name,
 		VerifierType: verifierType,
-		Message:      "cosign verification failed",
-		ErrorReason:  err.Error(),
+		Message:      verifierErr.GetFullDetails(),
+		ErrorReason:  verifierErr.GetRootCause(),
+		Remediation:  verifierErr.GetRootRemediation(),
 	}
 }
 

diff --git a/plugins/verifier/sbom/sbom.go b/plugins/verifier/sbom/sbom.go
@@ -28,6 +28,7 @@ import (
 	"github.com/ratify-project/ratify/plugins/verifier/sbom/utils"
 
 	// This import is required to utilize the oras built-in referrer store
+	re "github.com/ratify-project/ratify/errors"
 	_ "github.com/ratify-project/ratify/pkg/referrerstore/oras"
 	"github.com/ratify-project/ratify/pkg/verifier"
 	"github.com/ratify-project/ratify/pkg/verifier/plugin/skel"
@@ -82,19 +83,28 @@ func VerifyReference(args *skel.CmdArgs, subjectReference common.Reference, refe
 	ctx := context.Background()
 	referenceManifest, err := referrerStore.GetReferenceManifest(ctx, subjectReference, referenceDescriptor)
 	if err != nil {
+		storeErr := re.ErrorCodeGetReferenceManifestFailure.WithDetail(fmt.Sprintf("Failed to fetch reference manifest for subject: %s reference descriptor: %v", subjectReference, referenceDescriptor.Descriptor)).WithError(err)
 		return &verifier.VerifierResult{
-			Name:      input.Name,
-			Type:      verifierType,
-			IsSuccess: false,
-			Message:   fmt.Sprintf("Error fetching reference manifest for subject: %s reference descriptor: %v, err: %v", subjectReference, referenceDescriptor.Descriptor, err),
+			Name:         input.Name,
+			Type:         verifierType,
+			VerifierName: input.Name,
+			VerifierType: verifierType,
+			IsSuccess:    false,
+			Message:      storeErr.GetFullDetails(),
+			ErrorReason:  storeErr.GetRootCause(),
+			Remediation:  storeErr.GetRootRemediation(),
 		}, nil
 	}
 
 	if len(referenceManifest.Blobs) == 0 {
 		return &verifier.VerifierResult{
-			Name:      input.Name,
-			IsSuccess: false,
-			Message:   fmt.Sprintf("SBOM validation failed: no layers found in manifest for referrer %s@%s", subjectReference.Path, referenceDescriptor.Digest.String()),
+			Name:         input.Name,
+			Type:         verifierType,
+			VerifierName: input.Name,
+			VerifierType: verifierType,
+			IsSuccess:    false,
+			Message:      "SBOM validation failed",
+			ErrorReason:  fmt.Sprintf("No layers found in manifest for referrer %s@%s", subjectReference.Path, referenceDescriptor.Digest.String()),
 		}, nil
 	}
 
@@ -103,11 +113,16 @@ func VerifyReference(args *skel.CmdArgs, subjectReference common.Reference, refe
 		refBlob, err := referrerStore.GetBlobContent(ctx, subjectReference, blobDesc.Digest)
 
 		if err != nil {
+			storeErr := re.ErrorCodeGetBlobContentFailure.WithDetail(fmt.Sprintf("Failed to fetch blob for subject: %s digest: %s", subjectReference, blobDesc.Digest)).WithError(err)
 			return &verifier.VerifierResult{
-				Name:      input.Name,
-				Type:      verifierType,
-				IsSuccess: false,
-				Message:   fmt.Sprintf("Error fetching blob for subject: %s digest: %s, err: %v", subjectReference, blobDesc.Digest, err),
+				Name:         input.Name,
+				Type:         verifierType,
+				VerifierName: input.Name,
+				VerifierType: verifierType,
+				IsSuccess:    false,
+				Message:      storeErr.GetFullDetails(),
+				ErrorReason:  storeErr.GetRootCause(),
+				Remediation:  storeErr.GetRootRemediation(),
 			}, nil
 		}
 
@@ -116,19 +131,24 @@ func VerifyReference(args *skel.CmdArgs, subjectReference common.Reference, refe
 			return processSpdxJSONMediaType(input.Name, verifierType, refBlob, input.DisallowedLicenses, input.DisallowedPackages), nil
 		default:
 			return &verifier.VerifierResult{
-				Name:      input.Name,
-				Type:      verifierType,
-				IsSuccess: false,
-				Message:   fmt.Sprintf("Unsupported artifactType: %s", artifactType),
+				Name:         input.Name,
+				Type:         verifierType,
+				VerifierName: input.Name,
+				VerifierType: verifierType,
+				IsSuccess:    false,
+				Message:      "Failed to process SBOM blobs.",
+				ErrorReason:  fmt.Sprintf("Unsupported artifactType: %s", artifactType),
 			}, nil
 		}
 	}
 
 	return &verifier.VerifierResult{
-		Name:      input.Name,
-		Type:      verifierType,
-		IsSuccess: true,
-		Message:   "SBOM verification success. No license or package violation found.",
+		Name:         input.Name,
+		Type:         verifierType,
+		VerifierName: input.Name,
+		VerifierType: verifierType,
+		IsSuccess:    true,
+		Message:      "SBOM verification success. No license or package violation found.",
 	}, nil
 }
 
@@ -178,10 +198,12 @@ func processSpdxJSONMediaType(name string, verifierType string, refBlob []byte,
 
 			if len(licenseViolation) != 0 || len(packageViolation) != 0 {
 				return &verifier.VerifierResult{
-					Name:       name,
-					IsSuccess:  false,
-					Extensions: extensionData,
-					Message:    "SBOM validation failed. Please review extensions data for license and package violation found.",
+					Name:        name,
+					IsSuccess:   false,
+					Extensions:  extensionData,
+					Message:     "SBOM validation failed.",
+					ErrorReason: "License or package violation found.",
+					Remediation: "Please review extensions data for license and package violation found.",
 				}
 			}
 		}
@@ -196,11 +218,15 @@ func processSpdxJSONMediaType(name string, verifierType string, refBlob []byte,
 			Message: "SBOM verification success. No license or package violation found.",
 		}
 	}
+	verifierErr := re.ErrorCodeVerifyPluginFailure.WithDetail(fmt.Sprintf("failed to verify artifact: %s", name)).WithError(err)
 	return &verifier.VerifierResult{
-		Name:      name,
-		Type:      verifierType,
-		IsSuccess: false,
-		Message:   fmt.Sprintf("SBOM failed to parse: %v", err),
+		Name:         name,
+		Type:         verifierType,
+		VerifierName: name,
+		VerifierType: verifierType,
+		IsSuccess:    false,
+		Message:      verifierErr.GetFullDetails(),
+		ErrorReason:  verifierErr.GetRootCause(),
 	}
 }