This is a SLSA Provenance buildType that describes the execution of a Tanzu Application Catalog artifact build workflow.
"buildType": "https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/main/GUID-security-frameworks-SLSA-TAC-build-type.html"
This buildType describes the execution of a Tanzu Application Catalog build pipeline. The examples below version the identifier with a `#v1` fragment; a verifier's policy should match the buildType string exactly, including that fragment, because a future version of the buildType may change the parameter schema described here.
Depending on the kind of artifact, the contents of externalParameters, internalParameters, and resolvedDependencies vary. The schemas are listed per artifact kind below, container images first and then Helm charts:
Parameter | Type | Description |
---|---|---|
baseImage | string | The base image of the container image |
Parameter | Type | Description |
---|---|---|
buildCauses | array | The different events that triggered the build |
containerSources | object<resourceDescriptor> | Resource descriptor (digest plus annotations) referencing the packaged source files used to build the container image |
The resolvedDependencies SHOULD contain an entry identifying the digest of the base image used by the container image corresponding to externalParameters.baseImage. Because externalParameters.baseImage is expressed as an image tag (for example bitnami/minideb:bullseye), which is mutable, a verifier should rely on the digest recorded in this resolvedDependencies entry rather than on the tag when establishing which base image was actually consumed by the build.
Parameter | Type | Description |
---|---|---|
chartsRepository | object | Information about the charts repository used as the template for the chart |
chartsRepository.url | string | URL of the charts repository used as the template |
Parameter | Type | Description |
---|---|---|
buildCauses | array | The different events that triggered the build |
The resolvedDependencies SHOULD contain an entry identifying the exact commit of the charts repository corresponding to externalParameters.chartsRepository.url that was used as the template to build the Helm chart. The URL alone identifies a mutable repository, so a verifier should rely on the pinned commit (the gitCommit digest in this entry) to establish which source was built.
The invocationId SHOULD be set to the UUID that uniquely identifies the internal build run. With this UUID, the Tanzu Application Catalog team can correlate the attestation with the internal build records and perform a detailed analysis of the build process. Note that the examples below spell this key invocationID, whereas the SLSA v1 provenance specification names the field invocationId; tooling that looks the field up by the specification's spelling should account for the difference in case.
{
"_type": "https://in-toto.io/Statement/v1",
"predicateType": "https://slsa.dev/provenance/v1",
"subject": [
{
"name": "apache",
"digest": {
"sha256": "3791e9051d289e9c656b268d63563f2e11ce7aec231e3fdb3c3cbad9ad35c094"
}
},
{
"name": "apache - linux/amd64",
"digest": {
"sha256": "08da6c45919a3f243f80ca71b72a3c0f4cd50aefb8706fb0f423f6d34487f59f"
}
},
{
"name": "apache - linux/arm64",
"digest": {
"sha256": "8fd02ffd3ac39c79f952a6191b15f3ae9a9feff261ec588509801957f26ea4b0"
}
}
],
"predicate": {
"buildDefinition": {
"buildType": "https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/main/GUID-security-frameworks-SLSA-TAC-build-type.html#v1",
"externalParameters": {
"baseImage": "bitnami/minideb:bullseye"
},
"internalParameters": {
"buildCauses": [
"apache updated to 2.4.58"
],
"containerSources": {
"digest": {
"sha256": "945839b0efacecb84eb4780acf45839e8a8e1485b9fc7de562e8279590469291"
},
"annotations": {
"filename": "apache-2.4.58-r25-debian-11-container.tar.gz"
}
}
},
"resolvedDependencies": [
{
"uri": "bitnami/minideb@sha256:daa7b912186b10ec7a1f4f5f26b29364bd5d7e068e140474c33e6baa31b5c66c",
"digest": {
"sha256": "daa7b912186b10ec7a1f4f5f26b29364bd5d7e068e140474c33e6baa31b5c66c"
},
"name": "container-base-image",
"annotations": {
"imageName": "minideb",
"imageRepository": "bitnami",
"imageTag": "bullseye"
}
}
]
},
"runDetails": {
"builder": {
"id": "https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/main/GUID-security-frameworks-SLSA-level3-compliance.html"
},
"metadata": {
"invocationID": "a2c7290c-6a39-4e1f-b64a-f2d0fc44445a",
"startedOn": "2024-03-21T13:45:29.768443Z",
"finishedOn": "2024-03-21T14:01:11.768443Z"
},
"byproducts": [
{
"digest": {
"sha256": "7221c56323e257ea339ea5d62e960f4b506d9418004a1ab9f2b3a2f89a6bcb35"
},
"name": "spdx-report",
"annotations": {
"filename": "spdx.json"
}
},
{
"digest": {
"sha256": "68e1c2ed236e1ebdeb397363bf9aea860cb0152cabaafdbcd62cc14cbcdc77cf"
},
"name": "test-results",
"annotations": {
"filename": "test-results.tar.gz"
}
},
{
"digest": {
"sha256": "19c2b85fbfe597694c32b7525f50cacdc05cb0643e04058cb69dba3d3acf2a73"
},
"name": "vulnerability-scan",
"annotations": {
"filename": "cve-trivy-scanner-output-linux-arm64.json",
"platform": {
"os": "linux",
"architecture": "arm64"
}
}
},
{
"digest": {
"sha256": "79c7b22c8f4660f48904c6e0a56e2f6aab873771835e04bd2bb5e6f41b91c43b"
},
"name": "vulnerability-scan",
"annotations": {
"filename": "cve-trivy-scanner-output-linux-amd64.json",
"platform": {
"os": "linux",
"architecture": "amd64"
}
}
},
{
"digest": {
"sha256": "c4480311da92a5772f47769e08cb9facfac5e1c5c68b37290dada5406aa7b240"
},
"name": "vulnerability-cvrf",
"annotations": {
"filename": "vulnerability-cvrf-report-linux-arm64.xml",
"platform": {
"os": "linux",
"architecture": "arm64"
}
}
},
{
"digest": {
"sha256": "4de551f3270597a20cd745abf57f71d926d7fb2386291e889c2e3e2d1c6ebc08"
},
"name": "vulnerability-cvrf",
"annotations": {
"filename": "vulnerability-cvrf-report-linux-amd64.xml",
"platform": {
"os": "linux",
"architecture": "amd64"
}
}
},
{
"digest": {
"sha256": "7fe758b9faa6d39e4926973b4fe59d8c3166cd24c59b6925873315e39c8101fd"
},
"name": "vulnerability-scan-summary",
"annotations": {
"filename": "cve-trivy-scanner-summary-linux-arm64.json",
"platform": {
"os": "linux",
"architecture": "arm64"
}
}
},
{
"digest": {
"sha256": "7fe758b9faa6d39e4926973b4fe59d8c3166cd24c59b6925873315e39c8101fd"
},
"name": "vulnerability-scan-summary",
"annotations": {
"filename": "cve-trivy-scanner-summary-linux-amd64.json",
"platform": {
"os": "linux",
"architecture": "amd64"
}
}
},
{
"digest": {
"sha256": "c04552901e1e712e84d57b6fb4a6c8f63dd5732671a735f29b0bf37ff1e1fe52"
},
"name": "antivirus-scan",
"annotations": {
"filename": "clamav-antivirus-scan-linux-arm64.log",
"platform": {
"os": "linux",
"architecture": "arm64"
}
}
},
{
"digest": {
"sha256": "f43dd50593b4f6c0166b9254943be7ee65f31c2ed9f90ddb90bb9405398edd17"
},
"name": "antivirus-scan",
"annotations": {
"filename": "clamav-antivirus-scan-linux-amd64.log",
"platform": {
"os": "linux",
"architecture": "amd64"
}
}
},
{
"digest": {
"sha256": "945839b0efacecb84eb4780acf45839e8a8e1485b9fc7de562e8279590469291"
},
"name": "source-container",
"annotations": {
"filename": "apache-2.4.58-r25-debian-11-container.tar.gz"
}
}
]
}
}
}
{
"_type": "https://in-toto.io/Statement/v1",
"predicateType": "https://slsa.dev/provenance/v1",
"subject": [
{
"name": "zookeeper",
"digest": {
"sha256": "8ae68b04b29593639c9c49b7f5697ebda6a289c0d48ddc1212f64c2e5a65ab6f"
}
}
],
"predicate": {
"buildDefinition": {
"buildType": "https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/main/GUID-security-frameworks-SLSA-TAC-build-type.html#v1",
"externalParameters": {
"chartsRepository": {
"url": "https://github.com/bitnami/charts"
}
},
"internalParameters": {
"buildCauses": [
"Fixing CVE-2022-3715 affecting bash 5.1-6ubuntu1, fixed in version 5.1-6ubuntu1.1",
"There was an upstream update in the [email protected] Helm Chart (app version 3.9.2): https://github.com/bitnami/charts/tree/aba387ac701a867d41c09ab5871d075d3ff23851/bitnami/zookeeper"
]
},
"resolvedDependencies": [
{
"uri": "https://github.com/bitnami/charts",
"digest": {
"gitCommit": "46825f40ce83acfb6d8fb43f39304eac76154405"
},
"name": "bitnami/charts"
}
]
},
"runDetails": {
"builder": {
"id": "https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/main/GUID-security-frameworks-SLSA-level3-compliance.html"
},
"metadata": {
"invocationID": "a666ba84-2327-456f-b6e3-386c0d79d280",
"startedOn": "2024-03-21T16:24:08.706083Z",
"finishedOn": "2024-03-21T16:29:53.706083Z"
},
"byproducts": [
{
"digest": {
"sha256": "673bf76df31831889e60946179a97ee04b6b9fdcff64cc3e569d32f64983606b"
},
"name": "spdx-report",
"annotations": {
"filename": "spdx.json"
}
},
{
"digest": {
"sha256": "980cbcc88fae687575c4c996f00bed5b2ac860eb98b9830e32a98f84849a32f1"
},
"name": "test-results",
"annotations": {
"filename": "test-results.tar.gz"
}
}
]
}
}
}
Initial version