Commit 8c03f343 authored by Mark Lodato

Convert images to SVG.

parent bc8a54f2
......@@ -238,9 +238,9 @@ of sources, builds, dependencies, and deployments. A resource's supply chain is
a combination of its dependencies' supply chains plus its own sources, builds,
and deployment.
![supply-chain](images/supply-chain.png)
The following diagram shows the relationship between concepts.
Figure 1: Relationship between concepts.
![supply-chain](images/supply-chain.svg)
<table>
<thead>
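Review bot: the new `Figure 1: Relationship between concepts.` line introduces a numbered-caption convention that none of the other diagrams touched in this commit (slsa-0 through slsa-full-graph) follow, and it sits above the image rather than below it as captions normally do; either caption every figure the same way, with the caption under the image, or keep a lead-in sentence in the style of the removed `The following diagram shows the relationship between concepts.` so the section reads consistently with the rest of the document.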
......@@ -428,8 +428,7 @@ security stance, as described in the [vision](#vision-case-study) below.
## Vision: Case Study
Let's consider how we might secure [curlimages/curl] from the
[motivating example](#motivating-example) using the SLSA framework. See
[pdf](images/vision-diagram.pdf) for a larger version of the diagram with links.
[motivating example](#motivating-example) using the SLSA framework.
### Incrementally reaching SLSA 3
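Review bot: removing the sentence that points to `images/vision-diagram.pdf` drops the only reference to a version of the diagram with working links, and the SVG hotspots do not replace it: the SVG added later in this commit carries `<a xlink:href="https://hub.docker.com/r/curlimages/curl" target="_blank">` hotspots, but browsers disable link activation for SVG rendered through an `<img>` element, which is how `![...](...)` embeds it, so those links are inert in the rendered page. If the clickable version is still wanted, link to the .svg file directly (for example by wrapping the image in a link to it) or keep a replacement for the removed sentence.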
......@@ -438,7 +437,7 @@ image.
#### SLSA 0: Initial state
![slsa0](images/slsa-0.png)
![slsa0](images/slsa-0.svg)
Initially the Docker image is SLSA 0. There is no provenance and no policy. It
is difficult to determine who built the artifact and what sources and
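Review bot: the alt text `slsa0` is carried over unchanged while the line is being rewritten; a descriptive alt such as `SLSA 0: initial state diagram` would make the figure meaningful to screen readers and to anyone whose renderer fails to load the SVG. The same applies to the `slsa1`, `slsa2`, `slsa3` and `full-graph` images changed below.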
......@@ -449,7 +448,7 @@ The diagram shows that the (mutable) resource `curlimages/curl:7.72.0` points to
#### SLSA 1: Provenance
![slsa1](images/slsa-1.png)
![slsa1](images/slsa-1.svg)
We can reach SLSA 1 by using a build system that generates
[provenance](https://github.com/TomHennen/ITE/blob/ite-6/ITE/6/README.md). The
......@@ -469,7 +468,7 @@ checks, where tampering is less of a concern.
#### SLSA 2: Additional controls
![slsa2](images/slsa-2.png)
![slsa2](images/slsa-2.svg)
To reach SLSA 2, the source repo must guarantee accurate change history while
the build process must guarantee isolation, among other things. The provenance
......@@ -485,7 +484,7 @@ Only highly skilled adversaries are likely able to forge it.
#### SLSA 3: Hermeticity and two-person review
![slsa3](images/slsa-3.png)
![slsa3](images/slsa-3.svg)
SLSA 3 [requires](#proposed-slsa-definitions) two-party source control and
hermetic builds. Hermeticity in particular guarantees that the dependencies are
......@@ -500,7 +499,7 @@ source.
### Full graph
![full-graph](images/slsa-full-graph.png)
![full-graph](images/slsa-full-graph.svg)
We can recursively apply the same steps above to lock down dependencies. Each
non-source dependency gets its own provenance, which in turns lists more
......
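Review bot: the unchanged context line `non-source dependency gets its own provenance, which in turns lists more` has a typo, `in turns` should be `in turn`; not introduced by this change, but worth fixing while this section is being edited.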
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:lucid="lucid" width="1560" height="204"><g transform="translate(-60 -40)" lucid:page-tab-id="0_0"><g class="lucid-layer" lucid:layer-id="~pueSgnMqa6~" display="block"><path d="M80 66c0-3.3 2.7-6 6-6h308c3.3 0 6 2.7 6 6v28c0 3.3-2.7 6-6 6H86c-3.3 0-6-2.7-6-6z" stroke="#5e5e5e" stroke-width="3" fill="#ffeca9"/><use xlink:href="#a" transform="matrix(1,0,0,1,85,65) translate(44.16666666666667 19.65277777777778)"/><use xlink:href="#b" transform="matrix(1,0,0,1,85,65) translate(120.58641975308642 19.65277777777778)"/><path d="M80 126c0-3.3 2.7-6 6-6h308c3.3 0 6 2.7 6 6v92c0 3.3-2.7 6-6 6H86c-3.3 0-6-2.7-6-6z" fill="#c7e8ac"/><path d="M80 126c0-3.3 2.7-6 6-6h308c3.3 0 6 2.7 6 6v92c0 3.3-2.7 6-6 6H86c-3.3 0-6-2.7-6-6zM80 160h320M177 160v64" stroke="#5e5e5e" stroke-width="3" fill="none"/><use xlink:href="#c" transform="matrix(1,0,0,1,90,120) translate(94.53703703703704 24.444444444444443)"/><use xlink:href="#d" transform="matrix(1,0,0,1,85,162.5) translate(22.025 17.1)"/><use xlink:href="#e" transform="matrix(1,0,0,1,182,162.5) translate(0 17.1)"/><use xlink:href="#f" transform="matrix(1,0,0,1,85,194.5) translate(29.025 17.1)"/><use xlink:href="#g" transform="matrix(1,0,0,1,182,194.5) translate(0 17.1)"/><a xlink:href="https://hub.docker.com/r/curlimages/curl" target="_blank" transform="matrix(1,0,0,1,182,162.5)"><path class="lucid-link lucid-hotspot lucid-overlay-hotspot" fill-opacity="0" d="M0 2.7h120.7v21.6H0z"/></a><path d="M1300 150.33c0-3.3 2.7-6 6-6h28c3.3 0 6 2.7 6 6v8c0 3.32-2.7 6-6 6h-28c-3.3 0-6-2.68-6-6z" stroke="#5e5e5e" stroke-width="3" fill="#c7e8ac"/><path d="M1340 139c0-3.3 2.7-6 6-6h248c3.3 0 6 2.7 6 6v30.67c0 3.3-2.7 6-6 6h-248c-3.3 0-6-2.7-6-6z" stroke="#000" stroke-opacity="0" stroke-width="3" fill="#fff" fill-opacity="0"/><use xlink:href="#h" transform="matrix(1,0,0,1,1345,138.00000000000014) translate(0 21.90277777777778)"/><use xlink:href="#i" 
transform="matrix(1,0,0,1,1345,138.00000000000014) translate(6.172839506172839 21.90277777777778)"/><path d="M1300 107.67c0-3.32 2.7-6 6-6h28c3.3 0 6 2.68 6 6v8c0 3.3-2.7 6-6 6h-28c-3.3 0-6-2.7-6-6z" stroke="#5e5e5e" stroke-width="3" fill="#ffeca9"/><path d="M1340 86c0-3.3 2.7-6 6-6h248c3.3 0 6 2.7 6 6v51.33c0 3.32-2.7 6-6 6h-248c-3.3 0-6-2.68-6-6z" stroke="#000" stroke-opacity="0" stroke-width="3" fill="#fff" fill-opacity="0"/><use xlink:href="#h" transform="matrix(1,0,0,1,1345,85) translate(0 31.27777777777778)"/><use xlink:href="#j" transform="matrix(1,0,0,1,1345,85) translate(6.172839506172839 31.27777777777778)"/><path d="M242 102.5v15M238 102.5v15" stroke="#5e5e5e" stroke-width="2" fill="none"/><path d="M243 102.53h-2v-1.03h2zM239 102.53h-2v-1.03h2zM243 118.5h-2v-1.03h2zM239 118.5h-2v-1.03h2z" fill="#5e5e5e"/></g><defs><path fill="#333" d="M30-248c118-7 216 8 213 122C240-48 200 0 122 0H30v-248zM63-27c89 8 146-16 146-99s-60-101-146-95v194" id="k"/><path fill="#333" d="M100-194c62-1 85 37 85 99 1 63-27 99-86 99S16-35 15-95c0-66 28-99 85-99zM99-20c44 1 53-31 53-75 0-43-8-75-51-75s-53 32-53 75 10 74 51 75" id="l"/><path fill="#333" d="M96-169c-40 0-48 33-48 73s9 75 48 75c24 0 41-14 43-38l32 2c-6 37-31 61-74 61-59 0-76-41-82-99-10-93 101-131 147-64 4 7 5 14 7 22l-32 3c-4-21-16-35-41-35" id="m"/><path fill="#333" d="M143 0L79-87 56-68V0H24v-261h32v163l83-92h37l-77 82L181 0h-38" id="n"/><path fill="#333" d="M100-194c63 0 86 42 84 106H49c0 40 14 67 53 68 26 1 43-12 49-29l28 8c-11 28-37 45-77 45C44 4 14-33 15-96c1-61 26-98 85-98zm52 81c6-60-76-77-97-28-3 7-6 17-6 28h103" id="o"/><path fill="#333" d="M114-163C36-179 61-72 57 0H25l-1-190h30c1 12-1 29 2 39 6-27 23-49 58-41v29" id="p"/><g id="a"><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,0,0)" xlink:href="#k"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,15.987654320987653,0)" xlink:href="#l"/><use 
transform="matrix(0.06172839506172839,0,0,0.06172839506172839,28.333333333333332,0)" xlink:href="#m"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,39.44444444444444,0)" xlink:href="#n"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,50.55555555555556,0)" xlink:href="#o"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,62.901234567901234,0)" xlink:href="#p"/></g><path fill="#333" d="M135-143c-3-34-86-38-87 0 15 53 115 12 119 90S17 21 10-45l28-5c4 36 97 45 98 0-10-56-113-15-118-90-4-57 82-63 122-42 12 7 21 19 24 35" id="q"/><path fill="#333" d="M106-169C34-169 62-67 57 0H25v-261h32l-1 103c12-21 28-36 61-36 89 0 53 116 60 194h-32v-121c2-32-8-49-39-48" id="r"/><path fill="#333" d="M141-36C126-15 110 5 73 4 37 3 15-17 15-53c-1-64 63-63 125-63 3-35-9-54-41-54-24 1-41 7-42 31l-33-3c5-37 33-52 76-52 45 0 72 20 72 64v82c-1 20 7 32 28 27v20c-31 9-61-2-59-35zM48-53c0 20 12 33 32 33 41-3 63-29 60-74-43 2-92-5-92 41" id="s"/><path fill="#333" d="M101-251c82-7 93 87 43 132L82-64C71-53 59-42 53-27h129V0H18c2-99 128-94 128-182 0-28-16-43-45-43s-46 15-49 41l-32-3c6-41 34-60 81-64" id="t"/><path fill="#333" d="M54-142c48-35 137-8 131 61C196 18 31 33 14-55l32-4c7 23 22 37 52 37 35-1 51-22 54-58 4-55-73-65-99-34H22l8-134h141v27H59" id="u"/><path fill="#333" d="M110-160c48 1 74 30 74 79 0 53-28 85-80 85-65 0-83-55-86-122-5-90 50-162 133-122 14 7 22 21 27 39l-31 6c-5-40-67-38-82-6-9 19-15 44-15 74 11-20 30-34 60-33zm-7 138c34 0 49-23 49-58s-16-56-50-56c-29 0-50 16-49 49 1 36 15 65 50 65" id="v"/><path fill="#333" d="M33-154v-36h34v36H33zM33 0v-36h34V0H33" id="w"/><path fill="#333" d="M126-127c33 6 58 20 58 59 0 88-139 92-164 29-3-8-5-16-6-25l32-3c6 27 21 44 54 44 32 0 52-15 52-46 0-38-36-46-79-43v-28c39 1 72-4 72-42 0-27-17-43-46-43-28 0-47 15-49 41l-32-3c6-42 35-63 81-64 48-1 79 21 79 65 0 36-21 52-52 59" id="x"/><path fill="#333" d="M101-234c-31-9-42 10-38 44h38v23H63V0H32v-167H5v-23h27c-7-52 17-82 69-68v24" id="y"/><path 
fill="#333" d="M33 0v-38h34V0H33" id="z"/><g id="b"><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,0,0)" xlink:href="#q"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,11.11111111111111,0)" xlink:href="#r"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,23.45679012345679,0)" xlink:href="#s"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,35.80246913580247,0)" xlink:href="#t"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,48.148148148148145,0)" xlink:href="#u"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,60.49382716049382,0)" xlink:href="#v"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,72.8395061728395,0)" xlink:href="#w"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,79.01234567901234,0)" xlink:href="#x"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,91.35802469135803,0)" xlink:href="#m"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,102.46913580246914,0)" xlink:href="#x"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,114.81481481481482,0)" xlink:href="#y"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,120.55555555555556,0)" xlink:href="#y"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,126.72839506172839,0)" xlink:href="#z"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,132.90123456790124,0)" xlink:href="#z"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,139.07407407407408,0)" xlink:href="#z"/></g><path fill="#333" d="M197 0v-115H63V0H30v-248h33v105h134v-105h34V0h-34" id="A"/><path fill="#333" d="M84 4C-5 8 30-112 23-190h32v120c0 31 7 50 39 49 72-2 45-101 50-169h31l1 190h-30c-1-10 1-25-2-33-11 22-28 36-60 37" id="B"/><path fill="#333" d="M115-194c53 0 69 39 70 98 0 66-23 100-70 100C84 3 66-7 56-30L54 0H23l1-261h32v101c10-23 28-34 59-34zm-8 174c40 0 45-34 
45-75 0-40-5-75-45-74-42 0-51 32-51 76 0 43 10 73 51 73" id="C"/><g id="c"><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,0,0)" xlink:href="#k"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,15.987654320987653,0)" xlink:href="#l"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,28.333333333333332,0)" xlink:href="#m"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,39.44444444444444,0)" xlink:href="#n"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,50.55555555555556,0)" xlink:href="#o"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,62.901234567901234,0)" xlink:href="#p"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,70.24691358024691,0)" xlink:href="#A"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,86.23456790123457,0)" xlink:href="#B"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,98.58024691358025,0)" xlink:href="#C"/></g><path fill="#333" d="M233-177c-1 41-23 64-60 70L243 0h-38l-65-103H63V0H30v-248c88 3 205-21 203 71zM63-129c60-2 137 13 137-47 0-61-80-42-137-45v92" id="D"/><path fill="#333" d="M115-194c55 1 70 41 70 98S169 2 115 4C84 4 66-9 55-30l1 105H24l-1-265h31l2 30c10-21 28-34 59-34zm-8 174c40 0 45-34 45-75s-6-73-45-74c-42 0-51 32-51 76 0 43 10 73 51 73" id="E"/><g id="d"><use transform="matrix(0.05,0,0,0.05,0,0)" xlink:href="#D"/><use transform="matrix(0.05,0,0,0.05,12.950000000000001,0)" xlink:href="#o"/><use transform="matrix(0.05,0,0,0.05,22.950000000000003,0)" xlink:href="#E"/><use transform="matrix(0.05,0,0,0.05,32.95,0)" xlink:href="#l"/></g><path fill="#333" d="M24 0v-261h32V0H24" id="F"/><path fill="#333" d="M24-231v-30h32v30H24zM24 0v-190h32V0H24" id="G"/><path fill="#333" d="M210-169c-67 3-38 105-44 169h-31v-121c0-29-5-50-35-48C34-165 62-65 56 0H25l-1-190h30c1 10-1 24 2 32 10-44 99-50 107 0 11-21 27-35 58-36 85-2 47 119 55 194h-31v-121c0-29-5-49-35-48" id="H"/><path 
fill="#333" d="M177-190C167-65 218 103 67 71c-23-6-38-20-44-43l32-5c15 47 100 32 89-28v-30C133-14 115 1 83 1 29 1 15-40 15-95c0-56 16-97 71-98 29-1 48 16 59 35 1-10 0-23 2-32h30zM94-22c36 0 50-32 50-73 0-42-14-75-50-75-39 0-46 34-46 75s6 73 46 73" id="I"/><path fill="#333" d="M0 4l72-265h28L28 4H0" id="J"/><g id="e"><use transform="matrix(0.05,0,0,0.05,0,0)" xlink:href="#m"/><use transform="matrix(0.05,0,0,0.05,9,0)" xlink:href="#B"/><use transform="matrix(0.05,0,0,0.05,19,0)" xlink:href="#p"/><use transform="matrix(0.05,0,0,0.05,24.95,0)" xlink:href="#F"/><use transform="matrix(0.05,0,0,0.05,28.899999999999995,0)" xlink:href="#G"/><use transform="matrix(0.05,0,0,0.05,32.85,0)" xlink:href="#H"/><use transform="matrix(0.05,0,0,0.05,47.800000000000004,0)" xlink:href="#s"/><use transform="matrix(0.05,0,0,0.05,57.800000000000004,0)" xlink:href="#I"/><use transform="matrix(0.05,0,0,0.05,67.80000000000001,0)" xlink:href="#o"/><use transform="matrix(0.05,0,0,0.05,77.80000000000001,0)" xlink:href="#q"/><use transform="matrix(0.05,0,0,0.05,86.80000000000001,0)" xlink:href="#J"/><use transform="matrix(0.05,0,0,0.05,91.80000000000001,0)" xlink:href="#m"/><use transform="matrix(0.05,0,0,0.05,100.80000000000001,0)" xlink:href="#B"/><use transform="matrix(0.05,0,0,0.05,110.80000000000001,0)" xlink:href="#p"/><use transform="matrix(0.05,0,0,0.05,116.75,0)" xlink:href="#F"/><path fill="#8080ff" d="M-.9 1.25h122.5v1.32H-.9z"/></g><path fill="#333" d="M127-220V0H93v-220H8v-28h204v28h-85" id="K"/><g id="f"><use transform="matrix(0.05,0,0,0.05,0,0)" xlink:href="#K"/><use transform="matrix(0.05,0,0,0.05,8.950000000000001,0)" xlink:href="#s"/><use transform="matrix(0.05,0,0,0.05,18.950000000000003,0)" xlink:href="#I"/></g><path fill="#333" d="M64 0c3-98 48-159 88-221H18v-27h164v26C143-157 98-101 97 0H64" id="L"/><path fill="#333" d="M101-251c68 0 85 55 85 127S166 4 100 4C33 4 14-52 14-124c0-73 17-127 87-127zm-1 229c47 0 54-49 54-102s-4-102-53-102c-51 0-55 48-55 102 0 53 5 102 54 102" 
id="M"/><g id="g"><use transform="matrix(0.05,0,0,0.05,0,0)" xlink:href="#L"/><use transform="matrix(0.05,0,0,0.05,10,0)" xlink:href="#z"/><use transform="matrix(0.05,0,0,0.05,15,0)" xlink:href="#L"/><use transform="matrix(0.05,0,0,0.05,25,0)" xlink:href="#t"/><use transform="matrix(0.05,0,0,0.05,35,0)" xlink:href="#z"/><use transform="matrix(0.05,0,0,0.05,40,0)" xlink:href="#M"/></g><g id="i"><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,0,0)" xlink:href="#D"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,15.987654320987653,0)" xlink:href="#o"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,28.333333333333332,0)" xlink:href="#q"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,39.44444444444444,0)" xlink:href="#l"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,51.79012345679012,0)" xlink:href="#B"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,64.1358024691358,0)" xlink:href="#p"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,71.48148148148148,0)" xlink:href="#m"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,82.5925925925926,0)" xlink:href="#o"/></g><path fill="#333" d="M205 0l-28-72H64L36 0H1l101-248h38L239 0h-34zm-38-99l-47-123c-12 45-31 82-46 123h93" id="N"/><path fill="#333" d="M59-47c-2 24 18 29 38 22v24C64 9 27 4 27-40v-127H5v-23h24l9-43h21v43h35v23H59v120" id="O"/><g id="j"><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,0,0)" xlink:href="#N"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,14.814814814814813,0)" xlink:href="#p"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,22.160493827160494,0)" xlink:href="#O"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,28.333333333333332,0)" xlink:href="#G"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,33.20987654320987,0)" xlink:href="#y"/><use 
transform="matrix(0.06172839506172839,0,0,0.06172839506172839,39.382716049382715,0)" xlink:href="#s"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,51.72839506172839,0)" xlink:href="#m"/><use transform="matrix(0.06172839506172839,0,0,0.06172839506172839,62.839506172839506,0)" xlink:href="#O"/></g></defs></g></svg>
\ No newline at end of file
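Review bot: the exported SVG still carries Lucidchart tooling attributes (`xmlns:lucid="lucid"`, `lucid:page-tab-id`, `lucid:layer-id`, `class="lucid-layer"`); `lucid` is a relative reference rather than an absolute namespace URI, which the XML Namespaces specification deprecates, so strict validators will warn on it. Running the export through an SVG optimizer such as svgo before committing would strip these along with the redundant `transform` wrappers and also fix the missing trailing newline flagged by `\ No newline at end of file`.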