fix(EC-1912): validate in-toto statement type in bundle attestation path#3418
fix(EC-1912): validate in-toto statement type in bundle attestation path#3418BohdanMar wants to merge 1 commit into
Conversation
ProvenanceFromBundlePayload accepted any _type value in in-toto statements, unlike the SLSA-specific parsers which reject unknown types. Add validation to accept only StatementInTotoV1 and StatementInTotoV01, consistent with the non-bundle code path. Ref: EC-1838
📝 WalkthroughWalkthrough
ChangesAttestation validation
Estimated code review effort: 2 (Simple) | ~10 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
🤖 Finished Review · ✅ Success · Started 11:12 AM UTC · Completed 11:16 AM UTC |
Review of PR #3418fix(EC-1912): validate in-toto statement type in bundle attestation path SummaryThis PR closes a validation gap in AnalysisCorrectness — The validation check exactly mirrors the pattern in
Test coverage is adequate: two new table-driven test cases cover an unsupported type string and an empty/missing Security — This is a security improvement. It adds defense-in-depth validation to close the inconsistency between bundle and non-bundle attestation paths. The Intent & coherence — The change is well-scoped. The PR description correctly explains why only Style/conventions — Code follows existing patterns exactly: same condition structure, same error message format ( Documentation — No documentation updates needed for this internal defense-in-depth change. Cross-repo contracts — The VerdictApprove — Clean, well-tested, defense-in-depth fix that closes a validation gap between the bundle and non-bundle attestation code paths. No blocking findings. Labels: Defense-in-depth bug fix for attestation type validation in bundle path |
Codecov Report✅ All modified and coverable lines are covered by tests.
Flags with carried forward coverage won't be shown. Click here to find out more.
... and 27 files with indirect coverage changes 🚀 New features to boost your workflow:
|
ProvenanceFromBundlePayloadaccepted any_typevalue in in-toto statements, unlike the SLSA-specific parsers which reject unknown types. This adds the same validation to the bundle path — acceptv0.1andv1, reject anything else.Defense-in-depth only — the
attestation_typepolicy rule already catches this at evaluation time.Jira: EC-1912 | Ref: EC-1838