vm-cc: make evidence manifest deterministic and JSON-safe

2025-12-27 01:15:00 +00:00
parent c62ff092b7
commit 805a8a4617
1 changed files with 36 additions and 24 deletions
--- a/scripts/vmcc
+++ b/scripts/vmcc
@@ -24,30 +24,44 @@ hash_file() {
 }

 write_manifest() {
+  require_cmd jq
  local manifest="$EVID_DIR/manifest.json"
  local ts
  ts="$(iso_utc_now)"
-  {
-    echo "{"
-    echo "  \"version\": \"1.0.0\","
-    echo "  \"collected_at\": \"${ts}\","
-    echo "  \"run_id\": \"${RUN_ID}\","
-    echo "  \"files\": ["
-    local first=1
-    while IFS= read -r file; do
-      local rel
-      rel="${file#$ROOT/}"
-      local sha
-      sha="$(hash_file "$file")"
-      if [[ $first -eq 0 ]]; then
-        echo "    ,"
-      fi
-      first=0
-      echo "    {\"path\": \"${rel}\", \"sha256\": \"${sha}\"}"
-    done < <(find "$EVID_DIR" -type f ! -name "manifest.json" | sort)
-    echo "  ]"
-    echo "}"
-  } > "$manifest"
+
+  if sort -z --version >/dev/null 2>&1; then
+    find "$EVID_DIR" -type f ! -name "manifest.json" -print0 \
+      | LC_ALL=C sort -z \
+      | while IFS= read -r -d '' file; do
+          local rel
+          rel="${file#$ROOT/}"
+          local sha
+          sha="$(hash_file "$file")"
+          jq -n --arg path "$rel" --arg sha "$sha" '{path:$path, sha256:$sha}'
+        done \
+      | jq -s --arg ts "$ts" --arg run "$RUN_ID" '{
+          version: "1.0.0",
+          collected_at: $ts,
+          run_id: $run,
+          files: .
+        }' > "$manifest"
+  else
+    find "$EVID_DIR" -type f ! -name "manifest.json" \
+      | LC_ALL=C sort \
+      | while IFS= read -r file; do
+          local rel
+          rel="${file#$ROOT/}"
+          local sha
+          sha="$(hash_file "$file")"
+          jq -n --arg path "$rel" --arg sha "$sha" '{path:$path, sha256:$sha}'
+        done \
+      | jq -s --arg ts "$ts" --arg run "$RUN_ID" '{
+          version: "1.0.0",
+          collected_at: $ts,
+          run_id: $run,
+          files: .
+        }' > "$manifest"
+  fi
 }

 run_collect() {
@@ -110,9 +124,7 @@ case "$CMD" in
    run_collect
    run_evaluate
    run_report
-    require_cmd jq
-    FAILED_COUNT="$(jq -s '[.[] | select(.passed==false)] | length' "$RULE_DIR"/*.json)"
-    if [[ "$FAILED_COUNT" -ne 0 ]]; then
+    if jq -e -s 'map(select(.passed == false)) | length > 0' "$RULE_DIR"/*.json >/dev/null; then
      exit 3
    fi
    ;;