Skip to content

enhancement: validate digest format at complypack state ingestion layer #677

Description

@sonupreetam

Summary

Digest values stored in state.json (via complypackDigestsByEvaluator) are
passed through without format validation. While digests originate from OCI
registry responses and are validated upstream during complyctl get, there is
no defense-in-depth check that the stored value is a valid digest
(e.g., sha256:<64 hex chars>).

Motivation

Raised by @trevor-vaughan in #661 — internal consistency should be guaranteed
at all interfaces. If a malformed digest reaches state.json (manual edit,
corruption, future bug), it would propagate silently through the generation
state and freshness detection pipeline.

Suggested Approach

Add digest format validation in complypackDigestsByEvaluator() (or at the
state.json ingestion layer in cache.LoadState). Malformed digests should
be logged as warnings and excluded from the returned map.

A valid OCI digest matches: <algorithm>:<hex> where algorithm is typically
sha256, sha384, or sha512 and hex is the correct length for the algorithm.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    Priority

    Medium

    Effort

    None yet

    Projects

    Status
    Ready 🚀

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions