feat(crafter): support multiple tools in chainloop metadata #2481

Piskoo · 2025-10-24T11:00:02Z

This PR adds support for multiple tools extraction to metadata, while maintaining backwards compatibility.

Example

# legacy keys (first found tool)
chainloop.material.tool.name: Hub
chainloop.material.tool.version: 2025.4.2
# new key (all found tools)
chainloop.material.tools: [
  "[email protected]",
  "[email protected]"
]

Signed-off-by: Sylwester Piskozub <[email protected]>

migmartri · 2025-10-24T14:39:28Z

I am not a fan of keys with dynamic namespacing, it makes it very hard to consume, but @jiparis might have a different opinion.

I'd rather to have smth like

chainloop.material.tools: ["[email protected]", "baz@deadbeed"]

Signed-off-by: Sylwester Piskozub <[email protected]>

migmartri · 2025-10-27T12:46:25Z

pkg/attestation/crafter/materials/cyclonedxjson.go

-			m.Annotations[AnnotationToolNameKey] = meta.Tools[0].Name
-			m.Annotations[AnnotationToolVersionKey] = meta.Tools[0].Version
+		// Extract all tools and set annotations
+		var tools []Tool


so even if we have one tool, it will use also the new annotation correct?

Correct, example:

WRN API contacted in insecure mode INF uploading sbom.cyclonedx-1.5.json - sha256:5ca3508f02893b0419b266927f66c7b9dd8b11dbea7faf7cdb9169df8f69d8e3 INF material added to attestation ┌─────────────┬─────────────────────────────────────────────────────────────────────────┐ │ Name │ skynet-sbom │ ├─────────────┼─────────────────────────────────────────────────────────────────────────┤ │ Type │ SBOM_CYCLONEDX_JSON │ ├─────────────┼─────────────────────────────────────────────────────────────────────────┤ │ Required │ No │ ├─────────────┼─────────────────────────────────────────────────────────────────────────┤ │ Value │ sbom.cyclonedx-1.5.json │ ├─────────────┼─────────────────────────────────────────────────────────────────────────┤ │ Digest │ sha256:5ca3508f02893b0419b266927f66c7b9dd8b11dbea7faf7cdb9169df8f69d8e3 │ ├─────────────┼─────────────────────────────────────────────────────────────────────────┤ │ Annotations │ ------ │ ├─────────────┼─────────────────────────────────────────────────────────────────────────┤ │ │ chainloop.material.tools: ["[email protected]"] │ ├─────────────┼─────────────────────────────────────────────────────────────────────────┤ │ │ chainloop.material.tool.name: syft │ ├─────────────┼─────────────────────────────────────────────────────────────────────────┤ │ │ chainloop.material.tool.version: 0.101.1 │ └─────────────┴─────────────────────────────────────────────────────────────────────────┘

should we hide the deprecated method from the output?

Updated, hidden from att add and att status

# add ┌─────────────┬─────────────────────────────────────────────────────────────────────────┐ │ Name │ skynet-sbom │ ├─────────────┼─────────────────────────────────────────────────────────────────────────┤ │ Type │ SBOM_CYCLONEDX_JSON │ ├─────────────┼─────────────────────────────────────────────────────────────────────────┤ │ Required │ No │ ├─────────────┼─────────────────────────────────────────────────────────────────────────┤ │ Value │ sbom.cyclonedx-1.5.json │ ├─────────────┼─────────────────────────────────────────────────────────────────────────┤ │ Digest │ sha256:5ca3508f02893b0419b266927f66c7b9dd8b11dbea7faf7cdb9169df8f69d8e3 │ ├─────────────┼─────────────────────────────────────────────────────────────────────────┤ │ Annotations │ ------ │ ├─────────────┼─────────────────────────────────────────────────────────────────────────┤ │ │ chainloop.material.tools: ["[email protected]"] │ └─────────────┴─────────────────────────────────────────────────────────────────────────┘ # status ┌───────────────────────────┬──────────────────────────────────────┐ │ Initialized At │ 27 Oct 25 13:42 UTC │ ├───────────────────────────┼──────────────────────────────────────┤ │ Attestation ID │ a3d4ffcc-68f5-4d2e-b3b0-b96cf65922a4 │ │ Organization │ myorg │ │ Name │ policyatttest │ │ Project │ myproject │ │ Version │ v1.49.0 (prerelease) │ │ Contract │ contractinvpoll (revision 1) │ │ Policy violation strategy │ ADVISORY │ └───────────────────────────┴──────────────────────────────────────┘ ┌──────────────────────────────────────────────────────────┐ │ Materials │ ├─────────────┬────────────────────────────────────────────┤ │ Name │ skynet-sbom │ │ Type │ SBOM_CYCLONEDX_JSON │ │ Set │ Yes │ │ Required │ No │ │ Annotations │ ------ │ │ │ chainloop.material.tools: ["[email protected]"] │ └─────────────┴────────────────────────────────────────────┘

migmartri

LGTM, let's check with @jiparis

migmartri · 2025-10-27T12:46:43Z

pkg/attestation/crafter/materials/spdxjson_test.go

+			wantDigest:   "sha256:fe2636fb6c698a29a315278b762b2000efd5959afe776ee4f79f1ed523365a33",
+			wantFilename: "sbom-spdx.json",
+			annotations: map[string]string{
+				"chainloop.material.tool.name":    "syft",


yes, this one, thanks

Signed-off-by: Sylwester Piskozub <[email protected]>

Piskoo added 3 commits October 24, 2025 12:58

support multiple tools for cdx

3e4e4b6

Signed-off-by: Sylwester Piskozub <[email protected]>

add support for spdx

e0a81b0

Signed-off-by: Sylwester Piskozub <[email protected]>

missing test file

483c2d3

Signed-off-by: Sylwester Piskozub <[email protected]>

Piskoo requested review from javirln, jiparis and migmartri October 24, 2025 14:10

Piskoo marked this pull request as ready for review October 24, 2025 14:11

Piskoo added 2 commits October 27, 2025 13:10

use array for versions

ff320da

Signed-off-by: Sylwester Piskozub <[email protected]>

lint

29aa93e

Signed-off-by: Sylwester Piskozub <[email protected]>

migmartri reviewed Oct 27, 2025

View reviewed changes

migmartri approved these changes Oct 27, 2025

View reviewed changes

hide legacy tool annotations from output

fe354c7

Signed-off-by: Sylwester Piskozub <[email protected]>

migmartri merged commit 67fc292 into chainloop-dev:main Oct 27, 2025
13 checks passed

Piskoo mentioned this pull request Oct 30, 2025

fix(attestation): material annotations output #2502

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(crafter): support multiple tools in chainloop metadata #2481

feat(crafter): support multiple tools in chainloop metadata #2481

Uh oh!

Piskoo commented Oct 24, 2025 •

edited

Loading

Uh oh!

migmartri commented Oct 24, 2025 •

edited

Loading

Uh oh!

migmartri Oct 27, 2025

Uh oh!

Piskoo Oct 27, 2025

Uh oh!

migmartri Oct 27, 2025

Uh oh!

Piskoo Oct 27, 2025

Uh oh!

migmartri left a comment

Uh oh!

migmartri Oct 27, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

feat(crafter): support multiple tools in chainloop metadata #2481

feat(crafter): support multiple tools in chainloop metadata #2481

Uh oh!

Conversation

Piskoo commented Oct 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

migmartri commented Oct 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

migmartri Oct 27, 2025

Choose a reason for hiding this comment

Uh oh!

Piskoo Oct 27, 2025

Choose a reason for hiding this comment

Uh oh!

migmartri Oct 27, 2025

Choose a reason for hiding this comment

Uh oh!

Piskoo Oct 27, 2025

Choose a reason for hiding this comment

Uh oh!

migmartri left a comment

Choose a reason for hiding this comment

Uh oh!

migmartri Oct 27, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Piskoo commented Oct 24, 2025 •

edited

Loading

migmartri commented Oct 24, 2025 •

edited

Loading