Summary
Digest values stored in state.json (via complypackDigestsByEvaluator) are
passed through without format validation. While digests originate from OCI
registry responses and are validated upstream during complyctl get, there is
no defense-in-depth check that the stored value is a valid digest
(e.g., sha256:<64 hex chars>).
Motivation
Raised by @trevor-vaughan in #661 — internal consistency should be guaranteed
at all interfaces. If a malformed digest reaches state.json (manual edit,
corruption, future bug), it would propagate silently through the generation
state and freshness detection pipeline.
Suggested Approach
Add digest format validation in complypackDigestsByEvaluator() (or at the
state.json ingestion layer in cache.LoadState). Malformed digests should
be logged as warnings and excluded from the returned map.
A valid OCI digest matches: <algorithm>:<hex> where algorithm is typically
sha256, sha384, or sha512 and hex is the correct length for the algorithm.
References
Summary
Digest values stored in
state.json(viacomplypackDigestsByEvaluator) arepassed through without format validation. While digests originate from OCI
registry responses and are validated upstream during
complyctl get, there isno defense-in-depth check that the stored value is a valid digest
(e.g.,
sha256:<64 hex chars>).Motivation
Raised by @trevor-vaughan in #661 — internal consistency should be guaranteed
at all interfaces. If a malformed digest reaches
state.json(manual edit,corruption, future bug), it would propagate silently through the generation
state and freshness detection pipeline.
Suggested Approach
Add digest format validation in
complypackDigestsByEvaluator()(or at thestate.jsoningestion layer incache.LoadState). Malformed digests shouldbe logged as warnings and excluded from the returned map.
A valid OCI digest matches:
<algorithm>:<hex>where algorithm is typicallysha256,sha384, orsha512and hex is the correct length for the algorithm.References