Update prototype tool to match new schema

Signed-off-by: Johnson Shi <[email protected]>

Author: johnsonshi

README.md

@@ -169,26 +169,26 @@ The provenance schema will attest build provenance facts for each layer of a con
               //     COPY-CommandLayer --> created by a plain COPY command
               //     ADD-CommandLayer --> created by the ADD instruction
               //     RUN-CommandLayer --> created by the RUN instruction
+              "BaseImage": "null if not from a base image, else 'registry.io/base-image@digest'",
               "DockerfileCommands": [
                 {
                   "Cmd": "The Dockerfile instruction command, such as FROM, ADD, COPY, RUN, etc.",
                   "SubCmd": "",
                   "Json": true|false, whether the instruction was written in JSON form,
                   "Original": "The original instruction in source, such as 'FROM docker.io/library/postgres:14-bullseye'",
                   "StartLine": 30,
-                  // original source line number that starts this command
+                  // * Original source line number that starts this command
                   "EndLine": 30,
-                  // the original source line number that ends this command
+                  // * The original source line number that ends this command
                   "Flags": [],
-                  // Any flags such as `--from=...` for multistage `COPY` commands.
+                  // * Any flags such as `--from=...` for multistage `COPY` commands.
                   "Value": [
-                  // The command's value args, e.g. for the FROM command: 'registry/repository:digest'.
+                  // * The command's value args, e.g. for the FROM command: 'registry/repository:digest'.
                     "docker.io/library/postgres:14-bullseye"
                   ]
                 }
               }
             ],
-            "BaseImage": "null if not from a base image, else 'registry.io/base-image@digest'",
             "AttributedEntity": {
             // AttributedEntity is a free-schema JSON-object for
             // maintainers to include attribution
@@ -320,12 +320,12 @@ Layer information where the vulnerable package was introduced:
         {
           "layerId": 1,
           "layerHash": "fef0f9958347a4b3c846fb8ea394fbcc554ec5440c7ec72b09786230d55ccc03",
-          // No indication whether the vulnerable package or layer
+          // * No indication whether the vulnerable package or layer
           //    was introduced by a dependent base image
           //    or from app code introduced by the image maintainer.
           "layerCommand": "ADD file:0a5fd3a659be172e86491f2b94fe4fcc48be603847554a6a8d3bbc87854affec in /"
-          // Mangled layer command history due to image history limitations.
-          // No indication whether the Dockerfile instruction
+          // * Mangled layer command history due to image history limitations.
+          // * No indication whether the Dockerfile instruction
           //    was from a base image's build instructions
           //    or from the maintainer's own
           //    image config directives (e.g. Dockerfile instructions).
@@ -364,7 +364,7 @@ Layer information where the vulnerable package was introduced:
           "layerId": 1,
           "layerHash": "fef0f9958347a4b3c846fb8ea394fbcc554ec5440c7ec72b09786230d55ccc03",
           "layerCommand": "ADD file:0a5fd3a659be172e86491f2b94fe4fcc48be603847554a6a8d3bbc87854affec in /"
-          // ADDITIONAL PROVENANCE GENERATED FROM IMAGE PROVENANCE DOC:
+          // * ADDITIONAL PROVENANCE GENERATED FROM IMAGE PROVENANCE DOC:
           "layerProvenance": {
             "origin": "FROM-base-image-cmd, COPY-cmd, ADD-cmd, RUN-cmd",
             "baseImage": null OR "registry.io/image@digest",

cmd/cli/generate.go

@@ -153,15 +153,15 @@ func (opts *generateCmdOpts) writeManifestLayerHistory(manifestLayerHistory []hi
 		timeNow := time.Now()
 		for _, layerHistory := range manifestLayerHistory {
 			layerSlsaProvenance := slsa.ImageManifestLayerSlsaProvenance{
-				LayerHistory:                layerHistory,
-				BuilderID:                   "URI indicating the builder identity. E.g. pipeline-name",
-				BuildType:                   "URI indicating what type of build was performed. E.g. build-type-dockerfile-build",
-				BuildInvocationID:           "Globally Unique Build Invocation ID. Definition: Identifies this particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The exact meaning and format is defined by builder.id; by default it is treated as opaque and case-sensitive. The value SHOULD be globally unique.",
-				BuildStartedOn:              &timeNow,
-				BuildFinishedOn:             &timeNow,
-				RepoURIContainingDockerfile: "URI to Git repo of Dockerfile. Describes where the config file that kicked off the build came from. URI indicating the identity of the source of the config. E.g. https://www.github.com/example/reponame/blob/master/Dockerfile",
-				RepoGitCommit:               "Git commit SHA that kicked off the build.",
-				RepoPathToDockerfile:        "Path to Dockerfile in the repo. Definition: String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by buildType. For example, if the buildType were “make”, then this would reference the directory in which to run make as well as which target to use.",
+				LayerHistory:                 layerHistory,
+				BuilderID:                    "Build pipeline URI.",
+				BuildType:                    "Type of image build, such as 'dockerfile-build', 'buildkit-build', 'bazel-build', etc.",
+				BuildInvocationID:            "Build pipeline ID number",
+				BuildStartedOn:               &timeNow,
+				BuildFinishedOn:              &timeNow,
+				RepoURIContainingImageSource: "URI to Git repo of image config. For Dockerfile builds, this is a git URI to the Dockerfile (e.g. github.com/org/repo/tree/main/Dockerfile)",
+				RepoGitCommit:                "Git commit SHA that kicked off the build.",
+				RepoPathToImageSource:        "Path to image config in the repo (e.g. path/to/Dockerfile)",
 			}
 			layerSlsaProvenanceStatement, err := layerSlsaProvenance.GetImageManifestLayerSlsaProvenance()
 			if err != nil {