ratify-project · binbin-li · Aug 21, 2024 · Jul 25, 2024 · Jul 29, 2024 · Jul 31, 2024
@@ -176,13 +176,17 @@ func (executor Executor) verifyReferenceForJSONPolicy(ctx context.Context, subje
 			verifierStartTime := time.Now()
 			verifyResult, err := verifier.Verify(ctx, subjectRef, referenceDesc, referrerStore)
 			if err != nil {
+				verifierErr := errors.ErrorCodeVerifyReferenceFailure.NewError(errors.Verifier, verifier.Name(), errors.EmptyLink, err, nil, errors.HideStackTrace)
 				verifyResult = vr.VerifierResult{
 					IsSuccess:    false,
-					Name:         verifier.Name(),
-					Type:         verifier.Type(),
+					Name:         verifier.Name(), // Deprecating Name in v2, switch to VerifierName instead.
+					Type:         verifier.Type(), // Deprecating Type in v2, switch to VerifierType instead.
 					VerifierName: verifier.Name(),
 					VerifierType: verifier.Type(),
-					Message:      errors.ErrorCodeVerifyReferenceFailure.NewError(errors.Verifier, verifier.Name(), errors.EmptyLink, err, nil, errors.HideStackTrace).Error()}
+					Message:      verifierErr.GetDetail(),
+					ErrorReason:  verifierErr.GetErrorReason(),
+					Remediation:  verifierErr.GetRemediation(),
+				}
 			}
 
 			if len(verifier.GetNestedReferences()) > 0 {
@@ -229,13 +233,17 @@ func (executor Executor) verifyReferenceForRegoPolicy(ctx context.Context, subje
 			verifierStartTime := time.Now()
 			verifierResult, err := verifier.Verify(errCtx, subjectRef, referenceDesc, referrerStore)
 			if err != nil {
+				verifierErr := errors.ErrorCodeVerifyReferenceFailure.NewError(errors.Verifier, verifier.Name(), errors.EmptyLink, err, nil, errors.HideStackTrace)
 				verifierReport = vt.VerifierResult{
 					IsSuccess:    false,
-					Name:         verifier.Name(), // Deprecating Name in next release, reference to VerifierName instead.
-					Type:         verifier.Type(), // Deprecating Type in next release, reference to VerifierType instead.
+					Name:         verifier.Name(), // Deprecating Name in v2, switch to VerifierName instead.
+					Type:         verifier.Type(), // Deprecating Type in v2, switch to VerifierType instead.
 					VerifierName: verifier.Name(),
 					VerifierType: verifier.Type(),
-					Message:      errors.ErrorCodeVerifyReferenceFailure.NewError(errors.Verifier, verifier.Name(), errors.EmptyLink, err, nil, errors.HideStackTrace).Error()}
+					Message:      verifierErr.GetDetail(),
+					ErrorReason:  verifierErr.GetErrorReason(),
+					Remediation:  verifierErr.GetRemediation(),
+				}
 			} else {
 				verifierReport = vt.NewVerifierResult(verifierResult)
 			}

@@ -29,6 +29,7 @@ type VerifyResult struct {
 
 // NestedVerifierReport describes the results of verifying an artifact and its
 // nested artifacts by available verifiers.
+// Note: NestedVerifierReport is used for verification results in v1.
 type NestedVerifierReport struct {
 	Subject         string                 `json:"subject"`
 	ReferenceDigest string                 `json:"referenceDigest"`

@@ -97,10 +97,13 @@ func (enforcer PolicyEnforcer) ContinueVerifyOnFailure(_ context.Context, _ comm
 
 // ErrorToVerifyResult converts an error to a properly formatted verify result
 func (enforcer PolicyEnforcer) ErrorToVerifyResult(_ context.Context, subjectRefString string, verifyError error) types.VerifyResult {
+	verifierErr := re.ErrorCodeVerifyReferenceFailure.WithDetail(fmt.Sprintf("failed to verify artifact: %s", subjectRefString)).WithError(verifyError)
 	errorReport := verifier.VerifierResult{
-		Subject:   subjectRefString,
-		IsSuccess: false,
-		Message:   fmt.Sprintf("verification failed: %v", verifyError),
+		Subject:     subjectRefString,
+		IsSuccess:   false,
+		Message:     verifierErr.GetDetail(),
+		ErrorReason: verifierErr.GetErrorReason(),
+		Remediation: verifierErr.GetRemediation(),
 	}
 	var reports []interface{}
 	reports = append(reports, errorReport)

@@ -23,21 +23,24 @@ import (
 	"github.com/ratify-project/ratify/pkg/referrerstore"
 )
 
-// VerifierResult describes the result of verifying a reference manifest for a subject
+// VerifierResult describes the result of verifying a reference manifest for a subject.
+// Note: This struct is used to represent the result of verification in v0.
 type VerifierResult struct { //nolint:revive // ignore linter to have unique type name
-	Subject         string           `json:"subject,omitempty"`
-	IsSuccess       bool             `json:"isSuccess"`
-	Name            string           `json:"name,omitempty"`
-	VerifierName    string           `json:"verifierName,omitempty"`
+	Subject   string `json:"subject,omitempty"`
+	IsSuccess bool   `json:"isSuccess"`
+	// Name will be deprecated in v2, switch to VerifierName instead.
+	Name         string `json:"name,omitempty"`
+	VerifierName string `json:"verifierName,omitempty"`
+	// Type will be deprecated in v2, switch to VerifierType instead.
 	Type            string           `json:"type,omitempty"`
 	VerifierType    string           `json:"verifierType,omitempty"`
+	ReferenceDigest string           `json:"referenceDigest,omitempty"`
+	ArtifactType    string           `json:"artifactType,omitempty"`
 	Message         string           `json:"message,omitempty"`
 	ErrorReason     string           `json:"errorReason,omitempty"`
+	Remediation     string           `json:"remediation,omitempty"`
 	Extensions      interface{}      `json:"extensions,omitempty"`
 	NestedResults   []VerifierResult `json:"nestedResults,omitempty"`
-	ArtifactType    string           `json:"artifactType,omitempty"`
-	ReferenceDigest string           `json:"referenceDigest,omitempty"`
-	Remediation     string           `json:"remediation,omitempty"`
 }
 
 // ReferenceVerifier is an interface that defines methods to verify a reference

@@ -285,8 +285,8 @@ func (v *cosignVerifier) verifyInternal(ctx context.Context, subjectReference co
 
 	if hasValidSignature {
 		return verifier.VerifierResult{
-			Name:         v.name,
-			Type:         v.verifierType,
+			Name:         v.name,         // Deprecating Name in v2, switch to VerifierName instead.
+			Type:         v.verifierType, // Deprecating Type in v2, switch to VerifierType instead.
 			VerifierName: v.name,
 			VerifierType: v.verifierType,
 			IsSuccess:    true,
@@ -398,8 +398,8 @@ func (v *cosignVerifier) verifyLegacy(ctx context.Context, subjectReference comm
 
 	if len(signatures) > 0 {
 		return verifier.VerifierResult{
-			Name:         v.name,
-			Type:         v.verifierType,
+			Name:         v.name,         // Deprecating Name in v2, switch to VerifierName instead.
+			Type:         v.verifierType, // Deprecating Type in v2, switch to VerifierType instead.
 			VerifierName: v.name,
 			VerifierType: v.verifierType,
 			IsSuccess:    true,
@@ -485,14 +485,16 @@ func staticLayerOpts(desc imgspec.Descriptor) ([]static.Option, error) {
 
 // ErrorToVerifyResult returns a verifier result with the error message and isSuccess set to false
 func errorToVerifyResult(name string, verifierType string, err error) verifier.VerifierResult {
+	verifierErr := re.ErrorCodeVerifyReferenceFailure.WithDetail("Verification failed").WithError(err)
 	return verifier.VerifierResult{
 		IsSuccess:    false,
-		Name:         name,
-		Type:         verifierType,
+		Name:         name,         // Deprecating Name in v2, switch to VerifierName instead.
+		Type:         verifierType, // Deprecating Type in v2, switch to VerifierType instead.
 		VerifierName: name,
 		VerifierType: verifierType,
-		Message:      "Verification failed",
-		ErrorReason:  err.Error(),
+		Message:      verifierErr.GetDetail(),
+		ErrorReason:  verifierErr.GetErrorReason(),
+		Remediation:  verifierErr.GetRemediation(),
 	}
 }
 

@@ -410,6 +410,9 @@ func TestErrorToVerifyResult(t *testing.T) {
 	if verifierResult.Message != "Verification failed" {
 		t.Errorf("errorToVerifyResult() = %v, want %v", verifierResult.Message, "Verification failed")
 	}
+	if verifierResult.ErrorReason != "test error" {
+		t.Errorf("errorToVerifyResult() = %v, want %v", verifierResult.ErrorReason, "test error")
+	}
 }
 
 // TestDecodeASN1Signature tests the decodeASN1Signature function

@@ -175,8 +175,8 @@ func (v *notationPluginVerifier) Verify(ctx context.Context,
 	}
 
 	return verifier.VerifierResult{
-		Name:         v.name,
-		Type:         v.verifierType,
+		Name:         v.name,         // Deprecating Name in v2, switch to VerifierName instead.
+		Type:         v.verifierType, // Deprecating Type in v2, switch to VerifierType instead.
 		VerifierName: v.name,
 		VerifierType: v.verifierType,
 		IsSuccess:    true,

@@ -50,6 +50,7 @@ type VerifierResult struct {
 	IsSuccess    bool        `json:"isSuccess"`
 	Message      string      `json:"message"`
 	ErrorReason  string      `json:"errorReason,omitempty"`
+	Remediation  string      `json:"remediation,omitempty"`
 	Name         string      `json:"name"`
 	VerifierName string      `json:"verifierName,omitempty"`
 	Type         string      `json:"type,omitempty"`
@@ -90,5 +91,7 @@ func NewVerifierResult(result verifier.VerifierResult) VerifierResult {
 		VerifierName: result.VerifierName,
 		VerifierType: result.VerifierType,
 		Extensions:   result.Extensions,
+		ErrorReason:  result.ErrorReason,
+		Remediation:  result.Remediation,
 	}
 }
@@ -28,6 +28,7 @@
 	"github.com/ratify-project/ratify/plugins/verifier/sbom/utils"
 
 	// This import is required to utilize the oras built-in referrer store
+	re "github.com/ratify-project/ratify/errors"
 	_ "github.com/ratify-project/ratify/pkg/referrerstore/oras"
 	"github.com/ratify-project/ratify/pkg/verifier"
 	"github.com/ratify-project/ratify/pkg/verifier/plugin/skel"
@@ -82,19 +83,28 @@
 	ctx := context.Background()
 	referenceManifest, err := referrerStore.GetReferenceManifest(ctx, subjectReference, referenceDescriptor)
 	if err != nil {
+		storeErr := re.ErrorCodeGetReferenceManifestFailure.WithDetail(fmt.Sprintf("Failed to fetch reference manifest for subject: %s reference descriptor: %v", subjectReference, referenceDescriptor.Descriptor)).WithError(err)
 		return &verifier.VerifierResult{
-			Name:      input.Name,
-			Type:      verifierType,
-			IsSuccess: false,
-			Message:   fmt.Sprintf("Error fetching reference manifest for subject: %s reference descriptor: %v, err: %v", subjectReference, referenceDescriptor.Descriptor, err),
+			Name:         input.Name,
+			Type:         verifierType,
+			VerifierName: input.Name,
+			VerifierType: verifierType,
+			IsSuccess:    false,
+			Message:      storeErr.GetDetail(),
+			ErrorReason:  storeErr.GetErrorReason(),
+			Remediation:  storeErr.GetRemediation(),
 		}, nil
 	}
 
 	if len(referenceManifest.Blobs) == 0 {
 		return &verifier.VerifierResult{
-			Name:      input.Name,
-			IsSuccess: false,
-			Message:   fmt.Sprintf("SBOM validation failed: no layers found in manifest for referrer %s@%s", subjectReference.Path, referenceDescriptor.Digest.String()),
+			Name:         input.Name,
+			Type:         verifierType,
+			VerifierName: input.Name,
+			VerifierType: verifierType,
+			IsSuccess:    false,
+			Message:      "SBOM validation failed",
+			ErrorReason:  fmt.Sprintf("No layers found in manifest for referrer %s@%s", subjectReference.Path, referenceDescriptor.Digest.String()),
 		}, nil
 	}
 
@@ -103,11 +113,16 @@
 		refBlob, err := referrerStore.GetBlobContent(ctx, subjectReference, blobDesc.Digest)
 
 		if err != nil {
+			storeErr := re.ErrorCodeGetBlobContentFailure.WithDetail(fmt.Sprintf("Failed to fetch blob for subject: %s digest: %s", subjectReference, blobDesc.Digest)).WithError(err)
 			return &verifier.VerifierResult{
-				Name:      input.Name,
-				Type:      verifierType,
-				IsSuccess: false,
-				Message:   fmt.Sprintf("Error fetching blob for subject: %s digest: %s, err: %v", subjectReference, blobDesc.Digest, err),
+				Name:         input.Name,
+				Type:         verifierType,
+				VerifierName: input.Name,
+				VerifierType: verifierType,
+				IsSuccess:    false,
+				Message:      storeErr.GetDetail(),
+				ErrorReason:  storeErr.GetErrorReason(),
+				Remediation:  storeErr.GetRemediation(),
 			}, nil
 		}
 
@@ -116,19 +131,24 @@
 			return processSpdxJSONMediaType(input.Name, verifierType, refBlob, input.DisallowedLicenses, input.DisallowedPackages), nil
 		default:
 			return &verifier.VerifierResult{
-				Name:      input.Name,
-				Type:      verifierType,
-				IsSuccess: false,
-				Message:   fmt.Sprintf("Unsupported artifactType: %s", artifactType),
+				Name:         input.Name,
+				Type:         verifierType,
+				VerifierName: input.Name,
+				VerifierType: verifierType,
+				IsSuccess:    false,
+				Message:      "Failed to process SBOM blobs.",
+				ErrorReason:  fmt.Sprintf("Unsupported artifactType: %s", artifactType),
 			}, nil
 		}
 	}
 
 	return &verifier.VerifierResult{
-		Name:      input.Name,
-		Type:      verifierType,
-		IsSuccess: true,
-		Message:   "SBOM verification success. No license or package violation found.",
+		Name:         input.Name,
+		Type:         verifierType,
+		VerifierName: input.Name,
+		VerifierType: verifierType,
+		IsSuccess:    true,
+		Message:      "SBOM verification success. No license or package violation found.",
 	}, nil
 }
 
@@ -178,10 +198,12 @@
 
 			if len(licenseViolation) != 0 || len(packageViolation) != 0 {
 				return &verifier.VerifierResult{
-					Name:       name,
-					IsSuccess:  false,
-					Extensions: extensionData,
-					Message:    "SBOM validation failed. Please review extensions data for license and package violation found.",
+					Name:        name,
+					IsSuccess:   false,
+					Extensions:  extensionData,
+					Message:     "SBOM validation failed.",
+					ErrorReason: "License or package violation found.",
+					Remediation: "Please review extensions data for license and package violation found.",
 				}
 			}
 		}
@@ -196,11 +218,15 @@
 			Message: "SBOM verification success. No license or package violation found.",
 		}
 	}
+	verifierErr := re.ErrorCodeVerifyPluginFailure.WithDetail(fmt.Sprintf("failed to verify artifact: %s", name)).WithError(err)
 	return &verifier.VerifierResult{
-		Name:      name,
-		Type:      verifierType,
-		IsSuccess: false,
-		Message:   fmt.Sprintf("SBOM failed to parse: %v", err),
+		Name:         name,
+		Type:         verifierType,
+		VerifierName: name,
+		VerifierType: verifierType,
+		IsSuccess:    false,
+		Message:      verifierErr.GetDetail(),
+		ErrorReason:  verifierErr.GetErrorReason(),
 	}
 }