Merge pull request #925 from l3montree-dev/903-initial-pipeline-run-build-image-fails-due-to-foreign-key-constraint-violation-related-to-in-toto-links

fixed bug when assetVersion is missing while we try to Create intoto

Author: timbastin

cmd/devguard/api/api.go

@@ -431,7 +431,7 @@ func BuildRouter(db core.DB) *echo.Echo {
 
 	assetVersionController := assetversion.NewAssetVersionController(assetVersionRepository, assetVersionService, dependencyVulnRepository, componentRepository, dependencyVulnService, supplyChainRepository, licenseOverwriteRepository)
 	attestationController := attestation.NewAttestationController(attestationRepository, assetVersionRepository)
-	intotoController := intoto.NewHTTPController(intotoLinkRepository, supplyChainRepository, patRepository, intotoService)
+	intotoController := intoto.NewHTTPController(intotoLinkRepository, supplyChainRepository, assetVersionRepository, patRepository, intotoService)
 	componentController := component.NewHTTPController(componentRepository, assetVersionRepository, licenseOverwriteRepository)
 	complianceController := compliance.NewHTTPController(assetVersionRepository, attestationRepository, policyRepository)
 

internal/core/intoto/intoto_controller.go

@@ -26,27 +26,29 @@ import (
 	"github.com/google/uuid"
 	toto "github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/l3montree-dev/devguard/internal/core"
+	"github.com/l3montree-dev/devguard/internal/utils"
 
 	"github.com/l3montree-dev/devguard/internal/database/models"
 
 	"github.com/labstack/echo/v4"
 )
 
 type httpController struct {
-	linkRepository        core.InTotoLinkRepository
-	supplyChainRepository core.SupplyChainRepository
-
-	patRepository core.PersonalAccessTokenRepository
+	linkRepository         core.InTotoLinkRepository
+	supplyChainRepository  core.SupplyChainRepository
+	assetVersionRepository core.AssetVersionRepository
+	patRepository          core.PersonalAccessTokenRepository
 
 	inTotoVerifierService core.InTotoVerifierService
 }
 
-func NewHTTPController(repository core.InTotoLinkRepository, supplyChainRepository core.SupplyChainRepository, patRepository core.PersonalAccessTokenRepository, inTotoVerifierService core.InTotoVerifierService) *httpController {
+func NewHTTPController(repository core.InTotoLinkRepository, supplyChainRepository core.SupplyChainRepository, assetVersionRepository core.AssetVersionRepository, patRepository core.PersonalAccessTokenRepository, inTotoVerifierService core.InTotoVerifierService) *httpController {
 	return &httpController{
-		linkRepository:        repository,
-		supplyChainRepository: supplyChainRepository,
-		patRepository:         patRepository,
-		inTotoVerifierService: inTotoVerifierService,
+		linkRepository:         repository,
+		supplyChainRepository:  supplyChainRepository,
+		assetVersionRepository: assetVersionRepository,
+		patRepository:          patRepository,
+		inTotoVerifierService:  inTotoVerifierService,
 	}
 }
 
@@ -130,9 +132,18 @@ func (a *httpController) Create(ctx core.Context) error {
 	}
 
 	asset := core.GetAsset(ctx)
+	tag := ctx.Request().Header.Get("X-Tag")
+	defaultBranch := ctx.Request().Header.Get("X-Asset-Default-Branch")
+	if defaultBranch == "" {
+		defaultBranch = "main"
+	}
+	assetVersion, err := a.assetVersionRepository.FindOrCreate(assetVersionName, asset.ID, tag == "1", utils.EmptyThenNil(defaultBranch))
+	if err != nil {
+		return err
+	}
 
 	link := models.InTotoLink{
-		AssetVersionName: assetVersionName,
+		AssetVersionName: assetVersion.Name,
 		AssetID:          asset.ID,
 		SupplyChainID:    strings.TrimSpace(req.SupplyChainID),
 		Step:             strings.TrimSpace(req.Step),