vm-cc: make evidence manifest deterministic and JSON-safe

This commit is contained in:
Vault Sovereign
2025-12-27 01:15:00 +00:00
parent c62ff092b7
commit 805a8a4617


@@ -24,30 +24,44 @@ hash_file() {
} }
write_manifest() { write_manifest() {
require_cmd jq
local manifest="$EVID_DIR/manifest.json" local manifest="$EVID_DIR/manifest.json"
local ts local ts
ts="$(iso_utc_now)" ts="$(iso_utc_now)"
{
echo "{" if sort -z --version >/dev/null 2>&1; then
echo " \"version\": \"1.0.0\"," find "$EVID_DIR" -type f ! -name "manifest.json" -print0 \
echo " \"collected_at\": \"${ts}\"," | LC_ALL=C sort -z \
echo " \"run_id\": \"${RUN_ID}\"," | while IFS= read -r -d '' file; do
echo " \"files\": ["
local first=1
while IFS= read -r file; do
local rel local rel
rel="${file#$ROOT/}" rel="${file#$ROOT/}"
local sha local sha
sha="$(hash_file "$file")" sha="$(hash_file "$file")"
if [[ $first -eq 0 ]]; then jq -n --arg path "$rel" --arg sha "$sha" '{path:$path, sha256:$sha}'
echo " ," done \
| jq -s --arg ts "$ts" --arg run "$RUN_ID" '{
version: "1.0.0",
collected_at: $ts,
run_id: $run,
files: .
}' > "$manifest"
else
find "$EVID_DIR" -type f ! -name "manifest.json" \
| LC_ALL=C sort \
| while IFS= read -r file; do
local rel
rel="${file#$ROOT/}"
local sha
sha="$(hash_file "$file")"
jq -n --arg path "$rel" --arg sha "$sha" '{path:$path, sha256:$sha}'
done \
| jq -s --arg ts "$ts" --arg run "$RUN_ID" '{
version: "1.0.0",
collected_at: $ts,
run_id: $run,
files: .
}' > "$manifest"
fi fi
first=0
echo " {\"path\": \"${rel}\", \"sha256\": \"${sha}\"}"
done < <(find "$EVID_DIR" -type f ! -name "manifest.json" | sort)
echo " ]"
echo "}"
} > "$manifest"
} }
run_collect() { run_collect() {
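Review bot: A failure inside the while stage — hash_file returning non-zero, or jq -n rejecting an entry — leaves a truncated manifest.json on disk: `> "$manifest"` has already truncated the file, the final `jq -s` stage only sees EOF and serialises whatever entries arrived, and whether the script then aborts at all depends on `set -e`/`pipefail` settings that are outside this hunk. Since the manifest is the index the rest of the evidence is checked against, a short but well-formed manifest is worse than none; hash everything first, write to a sibling temp path and `mv` it into place only when every entry succeeded, with an explicit `|| return 1` on the hash. Two smaller points in the same lines: `rel="${file#$ROOT/}"` treats `$ROOT` as a glob pattern because it is unquoted (`rel="${file#"$ROOT"/}"`), and the NUL and newline branches duplicate the whole pipeline — collecting the sorted paths into an array first leaves one code path, with the newline fallback marked as best effort for names that contain a newline. A sketch:
```shell
write_manifest() {
  require_cmd jq
  local manifest="$EVID_DIR/manifest.json"
  local tmp="$manifest.tmp"
  local ts
  ts="$(iso_utc_now)"

  # Sorted list of evidence files; NUL-safe when sort -z exists, otherwise
  # newline-delimited (best effort: a name containing a newline would split).
  local -a files=()
  local file
  if sort -z --version >/dev/null 2>&1; then
    while IFS= read -r -d '' file; do files+=("$file"); done \
      < <(find "$EVID_DIR" -type f ! -name "manifest.json" -print0 | LC_ALL=C sort -z)
  else
    while IFS= read -r file; do files+=("$file"); done \
      < <(find "$EVID_DIR" -type f ! -name "manifest.json" | LC_ALL=C sort)
  fi

  # Hash everything before anything is written, so a failure leaves the
  # previous manifest (or none) rather than a truncated one.
  local entries="" rel sha
  for file in "${files[@]}"; do
    rel="${file#"$ROOT"/}"   # quoted: $ROOT must not be read as a glob pattern
    sha="$(hash_file "$file")" || return 1
    entries+="$(jq -n --arg path "$rel" --arg sha "$sha" '{path:$path, sha256:$sha}')"$'\n'
  done

  printf '%s' "$entries" \
    | jq -s --arg ts "$ts" --arg run "$RUN_ID" \
        '{version: "1.0.0", collected_at: $ts, run_id: $run, files: .}' > "$tmp" \
    || { rm -f -- "$tmp"; return 1; }
  mv -f -- "$tmp" "$manifest"
}
```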
@@ -110,9 +124,7 @@ case "$CMD" in
run_collect run_collect
run_evaluate run_evaluate
run_report run_report
require_cmd jq if jq -e -s 'map(select(.passed == false)) | length > 0' "$RULE_DIR"/*.json >/dev/null; then
FAILED_COUNT="$(jq -s '[.[] | select(.passed==false)] | length' "$RULE_DIR"/*.json)"
if [[ "$FAILED_COUNT" -ne 0 ]]; then
exit 3 exit 3
fi fi
;; ;;
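Review bot: The new gate fails open: `if jq -e -s …; then exit 3; fi` reaches `exit 3` only when jq exits 0, so a jq error — an unreadable or malformed rule file, an empty `"$RULE_DIR"` leaving the `*.json` glob unexpanded, or jq being absent now that `require_cmd jq` has been dropped from this branch — is indistinguishable from "all rules passed" and the command exits 0. If the script runs under `set -e` (not visible here), the old `FAILED_COUNT="$(jq …)"` assignment would at least have aborted on a failed substitution, whereas a command in an `if` condition is exempt from `set -e` entirely. Separate jq's exit statuses: 0 means a failed rule was found, 1 means the filter evaluated to false (all passed), anything else is an evaluation error that should also stop the run. I would also consider `select(.passed != true)` so a rule result missing the field is not silently counted as passed, though whether run_evaluate guarantees the field is outside this hunk.
```shell
run_report
# Fail closed: only a clean "false" from jq means every rule passed.
rc=0
jq -e -s 'map(select(.passed == false)) | length > 0' "$RULE_DIR"/*.json >/dev/null || rc=$?
case "$rc" in
  0) exit 3 ;;   # at least one rule did not pass
  1) ;;          # filter evaluated to false: all rules passed
  *) printf 'rule results unreadable (jq exit %d)\n' "$rc" >&2; exit 3 ;;
esac
;;
```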