1+ #! /bin/bash
2+
3+ # Attestation Viewer Script for CodeQL Artifact Attestation PoC
4+ # This script helps you view and analyze the attestation data we created
5+
6+ set -e
7+
8+ REPO=" eltyagi/poc-codeql-artifact-attestation"
9+ ARTIFACT_PATTERN=" vulnerable-app-*.tar.gz"
10+
11+ echo " 🔍 Attestation Data Viewer"
12+ echo " =========================="
13+ echo
14+
15+ # Function to display help
16+ show_help () {
17+ echo " Usage: $0 [options]"
18+ echo " Options:"
19+ echo " -h, --help Show this help message"
20+ echo " -l, --list List available artifacts"
21+ echo " -v, --verify FILE Verify attestations for specific file"
22+ echo " -d, --details FILE Show detailed attestation data"
23+ echo " -a, --all FILE Show all attestation types for file"
24+ echo " -s, --summary Show summary of all attestations"
25+ echo
26+ echo " Examples:"
27+ echo " $0 --list"
28+ echo " $0 --verify vulnerable-app-abc123.tar.gz"
29+ echo " $0 --details vulnerable-app-abc123.tar.gz"
30+ echo " $0 --all vulnerable-app-abc123.tar.gz"
31+ }
32+
33+ # Function to list available artifacts
34+ list_artifacts () {
35+ echo " 📁 Available artifacts:"
36+ if ls $ARTIFACT_PATTERN > /dev/null 2>&1 ; then
37+ for file in $ARTIFACT_PATTERN ; do
38+ if [ -f " $file " ; then
39+ echo " - $file "
40+ echo " Size: $( ls -lh " $file " | awk ' {print $5}' ) "
41+ echo " SHA256: $( shasum -a 256 " $file " | cut -d' ' ) "
42+ echo
43+ fi
44+ done
45+ else
46+ echo " No local artifacts found matching pattern: $ARTIFACT_PATTERN "
47+ echo " Note: Artifacts may be available remotely on GitHub"
48+ fi
49+ }
50+
51+ # Function to verify attestations
52+ verify_attestations () {
53+ local file=" $1 "
54+ echo " 🔐 Verifying attestations for: $file "
55+ echo
56+
57+ if [ ! -f " $file " ; then
58+ echo " ❌ File not found locally: $file "
59+ echo " Try downloading it first or use the GitHub API"
60+ return 1
61+ fi
62+
63+ echo " 📊 SLSA Build Provenance:"
64+ if gh attestation verify " $file " " $REPO " 2> /dev/null; then
65+ echo " ✅ SLSA build provenance: VERIFIED"
66+ else
67+ echo " ⚠️ SLSA build provenance: Could not verify or not found"
68+ fi
69+ echo
70+
71+ echo " 🔍 Security Assessment:"
72+ if gh attestation verify " $file " " $REPO " " https://github.com/in-toto/attestation/tree/main/spec/predicates/security-scan" 2> /dev/null; then
73+ echo " ✅ Security assessment: VERIFIED"
74+ else
75+ echo " ⚠️ Security assessment: Could not verify or not found"
76+ fi
77+ echo
78+
79+ echo " ⚠️ Vulnerability Disclosure:"
80+ if gh attestation verify " $file " " $REPO " " https://slsa.dev/spec/v1.1/provenance" 2> /dev/null; then
81+ echo " ✅ Vulnerability disclosure: VERIFIED"
82+ else
83+ echo " ⚠️ Vulnerability disclosure: Could not verify or not found"
84+ fi
85+ }
86+
87+ # Function to show detailed attestation data
88+ show_details () {
89+ local file=" $1 "
90+ echo " 📋 Detailed attestation data for: $file "
91+ echo
92+
93+ if [ ! -f " $file " ; then
94+ echo " ❌ File not found locally: $file "
95+ return 1
96+ fi
97+
98+ echo " 🔍 Getting attestation data..."
99+
100+ # Get all attestations with JSON output
101+ local temp_file=$( mktemp)
102+ if gh attestation verify " $file " " $REPO " > " $temp_file " 2> /dev/null; then
103+ echo " 📄 Raw attestation data saved to: $temp_file "
104+ echo
105+
106+ # Extract and display key information
107+ echo " 🏷️ Attestation Summary:"
108+ jq -r ' .[] | "- Type: " + .verificationResult.statement.predicateType' " $temp_file " 2> /dev/null || echo " Could not parse attestation types"
109+
110+ echo
111+ echo " 🔧 Build Information:"
112+ jq -r ' .[] | .verificationResult.statement.predicate.buildDefinition.externalParameters.workflow.repository // "N/A"' " $temp_file " 2> /dev/null | head -1 | sed ' s/^/ Repository: /'
113+ jq -r ' .[] | .verificationResult.statement.predicate.buildDefinition.externalParameters.workflow.ref // "N/A"' " $temp_file " 2> /dev/null | head -1 | sed ' s/^/ Ref: /'
114+
115+ echo
116+ echo " 📁 Subject Information:"
117+ jq -r ' .[] | .verificationResult.statement.subject[0].name // "N/A"' " $temp_file " 2> /dev/null | head -1 | sed ' s/^/ Name: /'
118+ jq -r ' .[] | .verificationResult.statement.subject[0].digest.sha256 // "N/A"' " $temp_file " 2> /dev/null | head -1 | sed ' s/^/ SHA256: /'
119+
120+ echo
121+ echo " 💾 For full JSON data, examine: $temp_file "
122+ echo " You can use: jq '.' $temp_file | less"
123+
124+ else
125+ echo " ❌ Could not retrieve attestation data"
126+ rm -f " $temp_file "
127+ return 1
128+ fi
129+ }
130+
131+ # Function to show all attestation types
132+ show_all_attestations () {
133+ local file=" $1 "
134+ echo " 🎯 All attestation types for: $file "
135+ echo
136+
137+ if [ ! -f " $file " ; then
138+ echo " ❌ File not found locally: $file "
139+ return 1
140+ fi
141+
142+ # Try different predicate types
143+ local predicate_types=(
144+ " https://slsa.dev/provenance/v1"
145+ " https://github.com/in-toto/attestation/tree/main/spec/predicates/security-scan"
146+ " https://slsa.dev/spec/v1.1/provenance"
147+ )
148+
149+ local type_names=(
150+ " SLSA Build Provenance"
151+ " Security Assessment"
152+ " Vulnerability Disclosure"
153+ )
154+
155+ for i in " ${! predicate_types[@]} " ; do
156+ local predicate_type=" ${predicate_types[$i]} "
157+ local type_name=" ${type_names[$i]} "
158+
159+ echo " 🔍 Checking: $type_name "
160+ echo " Predicate Type: $predicate_type "
161+
162+ if gh attestation verify " $file " " $REPO " " $predicate_type " > /dev/null 2>&1 ; then
163+ echo " Status: ✅ VERIFIED"
164+
165+ # Extract custom predicate data if available
166+ local temp_file=$( mktemp)
167+ gh attestation verify " $file " " $REPO " " $predicate_type " > " $temp_file " 2> /dev/null
168+
169+ case " $type_name " in
170+ " Security Assessment"
171+ echo " 📊 Security Data:"
172+ # Look for our custom security data
173+ jq -r ' .[] | .verificationResult.statement.predicate.results.total_alerts // "N/A"' " $temp_file " 2> /dev/null | sed ' s/^/ Total Alerts: /'
174+ ;;
175+ " Vulnerability Disclosure"
176+ echo " ⚠️ Vulnerability Info:"
177+ # Look for our custom vulnerability data
178+ jq -r ' .[] | .verificationResult.statement.predicate.notice // "N/A"' " $temp_file " 2> /dev/null | sed ' s/^/ Notice: /'
179+ ;;
180+ esac
181+
182+ rm -f " $temp_file "
183+ else
184+ echo " Status: ❌ NOT FOUND"
185+ fi
186+ echo
187+ done
188+ }
189+
190+ # Function to show summary
191+ show_summary () {
192+ echo " 📊 Attestation Summary"
193+ echo " ====================="
194+ echo
195+
196+ echo " 🏗️ Repository: $REPO "
197+ echo " 🔍 Pattern: $ARTIFACT_PATTERN "
198+ echo
199+
200+ echo " 📁 Local Artifacts:"
201+ list_artifacts
202+
203+ echo " 🌐 Remote Attestations:"
204+ echo " Use GitHub's web interface:"
205+ echo " https://github.com/$REPO /security/advisories"
206+ echo " https://github.com/$REPO /security"
207+ echo
208+
209+ echo " 🔧 Commands to explore:"
210+ echo " gh attestation verify <file> --repo $REPO "
211+ echo " gh attestation verify <file> --repo $REPO --format json"
212+ echo " gh api repos/$REPO /attestations"
213+ }
214+
215+ # Main script logic
216+ case " ${1:- } " in
217+ -h|--help)
218+ show_help
219+ ;;
220+ -l|--list)
221+ list_artifacts
222+ ;;
223+ -v|--verify)
224+ if [ -z " ${2:- } " ; then
225+ echo " ❌ Error: Please specify a file to verify"
226+ echo " Usage: $0 --verify <filename>"
227+ exit 1
228+ fi
229+ verify_attestations " $2 "
230+ ;;
231+ -d|--details)
232+ if [ -z " ${2:- } " ; then
233+ echo " ❌ Error: Please specify a file for details"
234+ echo " Usage: $0 --details <filename>"
235+ exit 1
236+ fi
237+ show_details " $2 "
238+ ;;
239+ -a|--all)
240+ if [ -z " ${2:- } " ; then
241+ echo " ❌ Error: Please specify a file for all attestations"
242+ echo " Usage: $0 --all <filename>"
243+ exit 1
244+ fi
245+ show_all_attestations " $2 "
246+ ;;
247+ -s|--summary|" "
248+ show_summary
249+ ;;
250+ * )
251+ echo " ❌ Error: Unknown option: $1 "
252+ echo
253+ show_help
254+ exit 1
255+ ;;
256+ esac
0 commit comments