Skip to content

fix: store gate property in attestation #2635

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jiparis merged 3 commits into from
Dec 23, 2025
Merged

fix: store gate property in attestation #2635

jiparis merged 3 commits into from
Dec 23, 2025
+55 −4

Conversation

@jiparis
Copy link
Member

@jiparis jiparis commented Dec 22, 2025
edited
Loading

This PR adds the missing property to the attestation and mark it as blocked if it acted as a gate.

"material-1766446028685891000": [
        {
          "annotations": {
            "category": "security,CVE"
          },
          "description": "Checks that the vulnerability severity or score, found in a vulnerabilities report, are above an input threshold. It supports a CVSS \"score\" input for numeric threshold, or \"severity\" for text-based severity. Compatible with SARIF (Trivy, Grype, Stackhawk and Prisma Cloud), BlackDuck and TwistCLI formats\n",
          "gate": true,
          "materialName": "material-1766446028685891000",
          "name": "vulnerabilities",
          "policyReference": {
            "annotations": {
              "name": "vulnerabilities",
              "organization": ""
            },
            "digest": {
              "sha256": "8a1f8ac09058e40bc0255663d1fe6310835f8b83429e73b9c67f23639301f214"
            },
            "name": "vulnerabilities",
            "uri": "chainloop://localhost:8002/vulnerabilities"
          },
          "skipped": false,
          "type": "SARIF",
          "violations": [
            {
              "message": "Vulnerability CVE-2024-41110\nSeverity: CRITICAL\nPackage: github.com/docker/docker\nFixed Version: 23.0.15, 26.1.5, 27.1.1, 25.0.6\nLink: [CVE-2024-41110](https://avd.aquasec.com/nvd/cve-2024-41110)\nMoby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.\n\nUsing a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.\n\nA security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.\n\nDocker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.\n\ndocker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.",
              "subject": "vulnerabilities"
            }
          ],
          "with": {
            "severity": "MEDIUM"
          }
        }

wf run describe command:

│ Statement                   │                                                                         │
├─────────────────────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Payload Type                │ application/vnd.in-toto+json                                            │
│ Digest                      │ sha256:e6163bf5cb4125a94bba615bbb4ed5f40ed800bed16ce7791bc46795f9e1c0a0 │
│ Verified                    │ true                                                                    │
│ Policies violation strategy │ ADVISORY                                                                │
│ Run Blocked                 │ true                                                                    │
│ Policies                    │ ------                                                                  │
│                             │ sbom-present (gate): missing SBOM material                              │
└─────────────────────────────┴─────────────────────────────────────────────────────────────────────────┘

Closes #2634

@jiparis
store gate property in attestation
4f85833 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis requested review from Piskoo and migmartri December 22, 2025 23:40
@jiparis
mark as blocked
9a2368f 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
expose gate property
31df86b 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis merged commit daf4c1e into chainloop-dev:main Dec 23, 2025
13 checks passed
@jiparis jiparis deleted the PFM-4102 branch December 23, 2025 09:47
@jiparis jiparis mentioned this pull request Dec 23, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Piskoo Piskoo Piskoo approved these changes

@migmartri migmartri Awaiting requested review from migmartri

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Missing gate property in attestation evaluations

2 participants

@jiparis @Piskoo