provenance: fix possible empty digest access

[jedevc]

🛠️ Fixes docker/buildx#1836.

panic: no ':' separator in digest ""
goroutine 4749 [running]:
github.com/docker/docker/vendor/github.com/opencontainers/go-digest.Digest.sepIndex({0x0, 0x0})
        /go/src/github.com/docker/docker/vendor/github.com/opencontainers/go-digest/digest.go:153 +0x9a
github.com/docker/docker/vendor/github.com/opencontainers/go-digest.Digest.Algorithm(...)
        /go/src/github.com/docker/docker/vendor/github.com/opencontainers/go-digest/digest.go:122
github.com/docker/docker/vendor/github.com/moby/buildkit/solver/llbsolver/provenance.slsaMaterials({{0xc001df0500, 0x3, 0x3}, {0x0, 0x0, 0x0}, {0x0, 0x0, 0x0}, {0x0, ...}, ...})
        /go/src/github.com/docker/docker/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/predicate.go:70 +0x16b
github.com/docker/docker/vendor/github.com/moby/buildkit/solver/llbsolver/provenance.NewPredicate(0xc001280c30)
        /go/src/github.com/docker/docker/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/predicate.go:137 +0xa5
github.com/docker/docker/vendor/github.com/moby/buildkit/solver/llbsolver.NewProvenanceCreator({0x55ebdba328f8, 0xc0009b42d0}, 0x0?, {0x55ebdba36600, 0xc000ff5820}, 0x55ebda1d45dc?, 0xc00065a000)
        /go/src/github.com/docker/docker/vendor/github.com/moby/buildkit/solver/llbsolver/provenance.go:397 +0x3d0
github.com/docker/docker/vendor/github.com/moby/buildkit/solver/llbsolver.(*Solver).recordBuildHistory.func1.1({0x55ebdba36600?, 0xc000ff5820?}, 0x0?)
        /go/src/github.com/docker/docker/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go:203 +0xb1
github.com/docker/docker/vendor/github.com/moby/buildkit/solver/llbsolver.(*Solver).recordBuildHistory.func1.2()
        /go/src/github.com/docker/docker/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go:245 +0x54
github.com/docker/docker/vendor/golang.org/x/sync/errgroup.(*Group).Go.func1()
        /go/src/github.com/docker/docker/vendor/golang.org/x/sync/errgroup/errgroup.go:75 +0x64
created by github.com/docker/docker/vendor/golang.org/x/sync/errgroup.(*Group).Go
        /go/src/github.com/docker/docker/vendor/golang.org/x/sync/errgroup/errgroup.go:72 +0xa5

If the digest for an ImageSource is the empty string, then calling Digest.Algorithm will panic at runtime.

This scenario can happen if ResolveImageConfig returns an empty digest, but correctly returns a config object. This doesn't occur in buildkit directly, however, buildkit-in-moby implements a custom worker which also performs image lookups on local images, in which case the digest for the index may not be available (though this may be possible with the containerd image store?).

Therefore, we shouldn't assume that the digest is always available in buildkit, and should instead check that is valid before inserting it into the digest set (which is already an optional map).

[thaJeztah]

This scenario can happen if ResolveImageConfig returns an empty digest, but correctly returns a config object.

Ah, I guess this would happen when using a local image (that hasn't been pulled/pushed to/from a registry?)

[jedevc]

Ah, I guess this would happen when using a local image (that hasn't been pulled/pushed to/from a registry?)

Exactly that, yup. The relevant line in moby: https://github.com/moby/moby/blob/1d68544fbfadc9807d1ddef74bb74726ae5ae63d/builder/builder-next/adapters/containerimage/pull.go#L155.

I do wonder if we could potentially sometimes still have that digest if we were using the containerd image store? But that's only tangentially related to this issue.

[thaJeztah]

Should we have a test for this? (😅 looks like the package currently doesn't have any though 😬)

[jedevc]

We do have tests for provenance but they're in client_test.go.

Writing a test for this is turning into a much more exciting exercise than I wanted it to be, for some reason I can't seem to reproduce any calls to ResolveImageConfig when the image exists locally, which is probably me doing something very wrong.

Anyways, I don't think we need to block on a test, unless someone else has a much easier way to reproduce 😢

[thaJeztah]

LGTM

yeah, not blocking on that