Include attachments in create-evidence output (#58)

Surface attachment metadata returned by the evidence service in both
JSON (full record incl. download_path) and table (name/sha256/type)
formats of `jf evd create --format ...`, so callers can confirm which
attachment was linked.

The `CreateResponseAttachment` struct mirrors the evidence service
`AttachmentView` schema 1:1, so the response body unmarshals directly
without any client-side transformation.

Author: mnsboev

evidence/cli/command/command_cli.go

@@ -598,7 +598,43 @@ func printCreateEvidenceTable(w io.Writer, responses []*model.CreateResponse) er
 				t.AppendRow(table.Row{field.key, val})
 			}
 		}
+		for _, row := range attachmentTableRows(r.Attachments) {
+			t.AppendRow(row)
+		}
 		t.Render()
 	}
 	return nil
 }
+
+// attachmentTableRows builds FIELD/VALUE rows for an attachments slice.
+// Single attachment uses "attachment.<field>", multiple use "attachments[i].<field>".
+// download_path is intentionally omitted from table output (too long to render
+// without distorting the layout); it is still emitted in JSON output.
+func attachmentTableRows(attachments []model.CreateResponseAttachment) []table.Row {
+	if len(attachments) == 0 {
+		return nil
+	}
+	fields := []struct {
+		key   string
+		value func(model.CreateResponseAttachment) string
+	}{
+		{"name", func(a model.CreateResponseAttachment) string { return a.Name }},
+		{"sha256", func(a model.CreateResponseAttachment) string { return a.Sha256 }},
+		{"type", func(a model.CreateResponseAttachment) string { return a.Type }},
+	}
+	var rows []table.Row
+	for i, att := range attachments {
+		prefix := "attachment"
+		if len(attachments) > 1 {
+			prefix = fmt.Sprintf("attachments[%d]", i)
+		}
+		for _, f := range fields {
+			val := f.value(att)
+			if val == "" {
+				continue
+			}
+			rows = append(rows, table.Row{fmt.Sprintf("%s.%s", prefix, f.key), val})
+		}
+	}
+	return rows
+}

evidence/cli/command/command_cli_test.go

@@ -1014,3 +1014,123 @@ func TestPrintCreateEvidenceResponse_UnsupportedFormat(t *testing.T) {
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "unsupported format")
 }
+
+func TestPrintCreateEvidenceResponse_JSON_WithAttachment(t *testing.T) {
+	var buf bytes.Buffer
+	r := sampleResponse()
+	r.Attachments = []model.CreateResponseAttachment{{
+		Name:         "scan.txt",
+		Sha256:       "att-sha-1",
+		Type:         "text/plain",
+		DownloadPath: "my-repo/.evidence/abc/scan.txt",
+	}}
+
+	err := printCreateEvidenceResponse(&buf, format.Json, []*model.CreateResponse{r})
+	assert.NoError(t, err)
+
+	expected := `{
+		"repository": "my-repo",
+		"path": "com/example",
+		"name": "artifact-1.0.jar",
+		"uri": "https://example.jfrog.io/my-repo/com/example/artifact-1.0.jar",
+		"sha256": "abc123def456",
+		"predicate_category": "SPDX",
+		"predicate_type": "https://in-toto.io/attestation/vulns",
+		"predicate_slug": "vulns",
+		"created_at": "2024-01-15T10:30:00Z",
+		"created_by": "ci-user",
+		"verified": true,
+		"provider_id": "jfrog",
+		"attachments": [
+			{
+				"name": "scan.txt",
+				"sha256": "att-sha-1",
+				"type": "text/plain",
+				"download_path": "my-repo/.evidence/abc/scan.txt"
+			}
+		]
+	}`
+	assert.JSONEq(t, expected, buf.String())
+}
+
+func TestPrintCreateEvidenceResponse_JSON_AttachmentsOmittedWhenEmpty(t *testing.T) {
+	var buf bytes.Buffer
+	r := sampleResponse()
+
+	err := printCreateEvidenceResponse(&buf, format.Json, []*model.CreateResponse{r})
+	assert.NoError(t, err)
+	assert.NotContains(t, buf.String(), "attachments")
+}
+
+func TestPrintCreateEvidenceResponse_Table_SingleAttachment(t *testing.T) {
+	var buf bytes.Buffer
+	r := sampleResponse()
+	r.Attachments = []model.CreateResponseAttachment{{
+		Name:         "scan.txt",
+		Sha256:       "att-sha-1",
+		Type:         "text/plain",
+		DownloadPath: "my-repo/.evidence/abc/scan.txt",
+	}}
+
+	err := printCreateEvidenceResponse(&buf, format.Table, []*model.CreateResponse{r})
+	assert.NoError(t, err)
+
+	out := buf.String()
+	assert.Contains(t, out, "attachment.name")
+	assert.Contains(t, out, "scan.txt")
+	assert.Contains(t, out, "attachment.sha256")
+	assert.Contains(t, out, "att-sha-1")
+	assert.Contains(t, out, "attachment.type")
+	assert.Contains(t, out, "text/plain")
+	// download_path is JSON-only; it must not appear in the table output.
+	assert.NotContains(t, out, "download_path")
+	assert.NotContains(t, out, "my-repo/.evidence/abc/scan.txt")
+}
+
+func TestPrintCreateEvidenceResponse_Table_SingleAttachment_OmitsEmptyFields(t *testing.T) {
+	var buf bytes.Buffer
+	r := sampleResponse()
+	r.Attachments = []model.CreateResponseAttachment{{
+		Name:   "scan.txt",
+		Sha256: "att-sha-1",
+	}}
+
+	err := printCreateEvidenceResponse(&buf, format.Table, []*model.CreateResponse{r})
+	assert.NoError(t, err)
+
+	out := buf.String()
+	assert.Contains(t, out, "attachment.name")
+	assert.Contains(t, out, "attachment.sha256")
+	assert.NotContains(t, out, "attachment.type")
+}
+
+func TestPrintCreateEvidenceResponse_Table_MultipleAttachments(t *testing.T) {
+	var buf bytes.Buffer
+	r := sampleResponse()
+	r.Attachments = []model.CreateResponseAttachment{
+		{Name: "a.txt", Sha256: "sha-a"},
+		{Name: "b.txt", Sha256: "sha-b"},
+	}
+
+	err := printCreateEvidenceResponse(&buf, format.Table, []*model.CreateResponse{r})
+	assert.NoError(t, err)
+
+	out := buf.String()
+	assert.Contains(t, out, "attachments[0].name")
+	assert.Contains(t, out, "sha-a")
+	assert.Contains(t, out, "attachments[1].name")
+	assert.Contains(t, out, "sha-b")
+	assert.NotContains(t, out, "attachment.name")
+}
+
+func TestPrintCreateEvidenceResponse_Table_NoAttachmentRowsWhenAbsent(t *testing.T) {
+	var buf bytes.Buffer
+	r := sampleResponse()
+
+	err := printCreateEvidenceResponse(&buf, format.Table, []*model.CreateResponse{r})
+	assert.NoError(t, err)
+
+	out := buf.String()
+	assert.NotContains(t, out, "attachment.")
+	assert.NotContains(t, out, "attachments[")
+}

evidence/create/create_base_test.go

@@ -477,6 +477,59 @@ func TestUploadEvidence_Error(t *testing.T) {
 	assert.Error(t, err)
 }
 
+type uploaderReturningServerAttachments struct {
+	last evdservices.EvidenceDetails
+}
+
+func (u *uploaderReturningServerAttachments) UploadEvidence(d evdservices.EvidenceDetails) ([]byte, error) {
+	u.last = d
+	resp := model.CreateResponse{
+		Verified: true,
+		Attachments: []model.CreateResponseAttachment{{
+			Name:         "scan.txt",
+			Sha256:       "server-sha",
+			Type:         "text/plain",
+			DownloadPath: "subject-repo/.evidence/xyz/scan.txt",
+		}},
+	}
+	return json.Marshal(resp)
+}
+
+func TestUploadEvidence_UsesServerAttachmentsWhenPresent(t *testing.T) {
+	upl := &uploaderReturningServerAttachments{}
+	c := &createEvidenceBase{uploader: upl}
+
+	att := &statementAttachment{
+		Repository: "attachments-repo",
+		Path:       "reports/scan.txt",
+		Sha256:     "local-sha",
+		Name:       "scan.txt",
+		Type:       "text/plain",
+	}
+
+	wrappedPayload, err := c.wrapCreatePayloadWithAttachments([]byte(`{"payloadType":"x","payload":"y","signatures":[]}`), att)
+	assert.NoError(t, err)
+	resp, err := c.uploadEvidence(wrappedPayload, "r/p", att)
+	assert.NoError(t, err)
+	assert.Len(t, resp.Attachments, 1)
+	assert.Equal(t, "scan.txt", resp.Attachments[0].Name)
+	assert.Equal(t, "server-sha", resp.Attachments[0].Sha256)
+	assert.Equal(t, "text/plain", resp.Attachments[0].Type)
+	assert.Equal(t, "subject-repo/.evidence/xyz/scan.txt", resp.Attachments[0].DownloadPath)
+	assert.Len(t, upl.last.Attachments, 1)
+	assert.Equal(t, "attachments-repo", upl.last.Attachments[0].Repository)
+	assert.Equal(t, "reports/scan.txt", upl.last.Attachments[0].Path)
+}
+
+func TestUploadEvidence_NoAttachmentLeavesAttachmentsNil(t *testing.T) {
+	upl := &captureUploader{}
+	c := &createEvidenceBase{uploader: upl}
+	resp, err := c.uploadEvidence([]byte(`{"payloadType":"x","payload":"y","signatures":[]}`), "r/p", nil)
+	assert.NoError(t, err)
+	assert.Nil(t, resp.Attachments)
+	assert.Empty(t, upl.last.Attachments)
+}
+
 func TestUploadEvidence_InvalidJSON(t *testing.T) {
 	u := &invalidJSONUploader{}
 	c := &createEvidenceBase{uploader: u}

evidence/model/create.go

@@ -1,16 +1,25 @@
 package model
 
 type CreateResponse struct {
-	Repository        string `json:"repository"`
-	Path              string `json:"path"`
-	Name              string `json:"name"`
-	Uri               string `json:"uri"`
-	Sha256            string `json:"sha256"`
-	PredicateCategory string `json:"predicate_category"`
-	PredicateType     string `json:"predicate_type"`
-	PredicateSlug     string `json:"predicate_slug"`
-	CreatedAt         string `json:"created_at"`
-	CreatedBy         string `json:"created_by"`
-	Verified          bool   `json:"verified"`
-	ProviderId        string `json:"provider_id"`
+	Repository        string                     `json:"repository"`
+	Path              string                     `json:"path"`
+	Name              string                     `json:"name"`
+	Uri               string                     `json:"uri"`
+	Sha256            string                     `json:"sha256"`
+	PredicateCategory string                     `json:"predicate_category"`
+	PredicateType     string                     `json:"predicate_type"`
+	PredicateSlug     string                     `json:"predicate_slug"`
+	CreatedAt         string                     `json:"created_at"`
+	CreatedBy         string                     `json:"created_by"`
+	Verified          bool                       `json:"verified"`
+	ProviderId        string                     `json:"provider_id"`
+	Attachments       []CreateResponseAttachment `json:"attachments,omitempty"`
+}
+
+// CreateResponseAttachment mirrors the evidence service AttachmentView schema.
+type CreateResponseAttachment struct {
+	Name         string `json:"name,omitempty"`
+	Sha256       string `json:"sha256,omitempty"`
+	Type         string `json:"type,omitempty"`
+	DownloadPath string `json:"download_path,omitempty"`
 }