Use FROM_RUNTIME instruction to check for max mode provenance instead

policy/policy_handler/legacy/ssc_metadata.go

@@ -71,17 +71,11 @@ func MockGetInTotoAttestationsForLocalEval(sb *types.SBOM, log skill.Logger) Ima
 			PredicateType: &statement.PredicateType,
 		}
 
-		if statement.PredicateType == ProvenancePredicateType {
-			pr, err := decodeProvenance(statement.Predicate)
-			if err != nil {
-				log.Errorf("Failed to decode provenance predicate: %+v", err)
-				continue
-			}
-
-			if step0, found := pr.Metadata.Buildkit.Source.Locations["step0"]; found && len(step0.Locations) > 0 {
-				ranges := step0.Locations[0].Ranges
-				if len(ranges) > 0 {
-					subject.Predicates = []Predicate{{StartLine: &ranges[0].Start.Line}}
+		if statement.PredicateType == ProvenancePredicateType && sb.Source.Provenance != nil && sb.Source.Provenance.SourceMap != nil {
+			for _, i := range sb.Source.Provenance.SourceMap.Instructions {
+				if i.Instruction == "FROM_RUNTIME" {
+					subject.Predicates = []Predicate{{StartLine: &i.StartLine}}
+					break
 				}
 			}
 		}
@@ -174,11 +168,3 @@ type llbDefinition struct {
 		}
 	} `json:"op"`
 }
-
-func decodeProvenance(dt []byte) (s *provenanceDocument, err error) {
-	var stmt provenanceDocument
-	if err = json.Unmarshal(dt, &stmt); err != nil {
-		return nil, err
-	}
-	return &stmt, nil
-}

policy/policy_handler/legacy/ssc_metadata_test.go

@@ -59,6 +59,16 @@ func TestMockGetInTotoAttestationsForLocalEval(t *testing.T) {
 						Image: &types.ImageSource{
 							Digest: *digest,
 						},
+						Provenance: &types.Provenance{
+							SourceMap: &types.SourceMap{
+								Instructions: []types.InstructionSourceMap{ // this instruction indicates max-mode provenance
+									{
+										Instruction: "FROM_RUNTIME",
+										StartLine:   1,
+									},
+								},
+							},
+						},
 					},
 					Attestations: []dsse.Envelope{
 						{