chore: add base64 encode and decode functions for in-toto attestation…

… payload

scripts/dev_scripts/copyright-checker.sh

@@ -1,12 +1,39 @@
 #!/usr/bin/env bash
 
-# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 #
 # Checks if copyright header is valid.
 #
 
+
+# Get the existing start year of a file, by checking if there is already a copyright
+# notice line and capturing the start year.
+#
+# Arguments:
+#   $1: The file to get the start year.
+# Outputs:
+#   STDOUT: The start year if it exists; empty string otherwise.
+get_existing_start_year() {
+  file="$1"
+  copyright_line=$(grep -i -e "Copyright (c) [0-9]* - [0-9]*, Oracle and/or its affiliates. All rights reserved." "$file")
+
+  # Use bash regex matching to get the start year with a capture group.
+  # Grep is not used since it does not have support for capture groups.
+  # Reference: https://stackoverflow.com/questions/1891797/capturing-groups-from-a-grep-regex
+  capture_pattern="Copyright \(c\) ([0-9]*) - [0-9]*, Oracle and/or its affiliates. All rights reserved."
+
+  if [[ $copyright_line =~ $capture_pattern ]]
+  then
+      year="${BASH_REMATCH[1]}"
+      echo "$year"
+  else
+      echo ""
+  fi
+}
+
+
 files=$(git diff --cached --name-only)
 currentyear=$(date +"%Y")
 missing_copyright_files=()
@@ -17,11 +44,7 @@ for f in $files; do
     if [ ! -f "$f" ]; then
         continue
     fi
-    startyear=$(git log --format=%ad --date=format:%Y "$f" | tail -1)
-    if [[ -z "${startyear// }" ]]; then
-        startyear=$currentyear
-    fi
-    if ! grep -i -e "Copyright (c) $startyear - $currentyear, Oracle and/or its affiliates. All rights reserved." "$f" 1>/dev/null;then
+    if ! grep -i -e "Copyright (c) [0-9]* - $currentyear, Oracle and/or its affiliates. All rights reserved." "$f" 1>/dev/null;then
         if [[ $f =~ .*\.(js$|py$|java$|tf$|go$|sh$|dl$|yaml$|yml$|gradle$|kts$|ini$|toml$) ]] || [[ "${f##*/}" = "Dockerfile" ]] \
             || [[ "${f##*/}" = "Makefile" ]] || [[ "${f##*/}" = "Jenkinsfile" ]];then
           missing_copyright_files+=("$f")
@@ -38,7 +61,7 @@ if [ ${#missing_copyright_files[@]} -ne 0 ]; then
             exit 1
         fi
         missing_license_note=$(grep -i "$license_note" "$f")
-        startyear=$(git log --format=%ad --date=format:%Y "$f" | tail -1)
+        startyear=$(get_existing_start_year "$f")
         if [[ -z "${startyear// }" ]]; then
             startyear=$currentyear
         fi

src/macaron/slsa_analyzer/provenance/intoto/__init__.py → src/macaron/intoto/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """In-toto provenance schemas and validation."""
@@ -8,8 +8,8 @@
 from collections.abc import Mapping
 from typing import NamedTuple, TypeVar
 
-from macaron.slsa_analyzer.provenance.intoto import v01, v1
-from macaron.slsa_analyzer.provenance.intoto.errors import ValidateInTotoPayloadError
+from macaron.intoto import v01, v1
+from macaron.intoto.errors import ValidateInTotoPayloadError
 from macaron.util import JsonType
 
 # Type of an in-toto statement.

src/macaron/intoto/encoder_decoder.py

@@ -0,0 +1,68 @@
+# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""Functions to base64 encode/decode the in-toto attestation payload."""
+
+import base64
+import json
+
+from macaron.intoto.errors import DecodeIntotoAttestationError
+from macaron.util import JsonType
+
+
+def encode_payload(payload: dict[str, JsonType]) -> str:
+    """Encode (base64 encoding) the payload of an in-toto attestation.
+
+    For more details about the payload field, see:
+        https://github.com/in-toto/attestation/blob/main/spec/v1/envelope.md#fields.
+
+    Parameters
+    ----------
+    payload : dict
+        The unencoded payload.
+
+    Returns
+    -------
+    str
+        The encoded payload.
+    """
+    return base64.b64encode(json.dumps(payload).encode()).decode("ascii")
+
+
+def decode_payload(encoded_payload: str) -> dict:
+    """Decode (base64 decoding) the payload of an in-toto attestation.
+
+    For more details about the payload field, see:
+        https://github.com/in-toto/attestation/blob/main/spec/v1/envelope.md#fields.
+
+    Parameters
+    ----------
+    encoded_payload : str
+        The encoded payload.
+
+    Returns
+    -------
+    dict
+        The decoded payload.
+
+    Raises
+    ------
+    DecodeIntotoAttestationError
+        If there is an error decoding the payload of an in-toto attestation.
+    """
+    try:
+        decoded_string = base64.b64decode(encoded_payload)
+    except UnicodeDecodeError as error:
+        raise DecodeIntotoAttestationError("Cannot base64-decode the attestation payload.") from error
+
+    try:
+        json_payload = json.loads(decoded_string)
+    except (json.JSONDecodeError, TypeError) as error:
+        raise DecodeIntotoAttestationError(
+            "Cannot deserialize the attestation payload as JSON.",
+        ) from error
+
+    if not isinstance(json_payload, dict):
+        raise DecodeIntotoAttestationError("The provenance payload is not a JSON object.")
+
+    return json_payload

src/macaron/slsa_analyzer/provenance/intoto/errors.py → src/macaron/intoto/errors.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """Error types related to in-toto attestations."""
@@ -15,8 +15,12 @@ class ValidateInTotoPayloadError(InTotoAttestationError):
 
 
 class UnsupportedInTotoVersionError(InTotoAttestationError):
-    """Happens when encountering a provenance under an unsupported in-toto version."""
+    """Happens when encountering an attestation under an unsupported in-toto version."""
+
+
+class DecodeIntotoAttestationError(InTotoAttestationError):
+    """Happens when there is an issue decoding the payload of an in-toto attestation."""
 
 
 class LoadIntotoAttestationError(InTotoAttestationError):
-    """Happens when there is an issue decoding and loading the payload of an in-toto provenance."""
+    """Happens when there is an issue loading the payload of an in-toto attestation."""

src/macaron/slsa_analyzer/provenance/intoto/v01/__init__.py → src/macaron/intoto/v01/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module handles in-toto version 0.1 attestations."""
@@ -7,7 +7,7 @@
 
 from typing import TypedDict, TypeGuard
 
-from macaron.slsa_analyzer.provenance.intoto.errors import ValidateInTotoPayloadError
+from macaron.intoto.errors import ValidateInTotoPayloadError
 from macaron.util import JsonType
 
 

src/macaron/slsa_analyzer/provenance/intoto/v1/__init__.py → src/macaron/intoto/v1/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module handles in-toto version version 1 attestations."""

src/macaron/slsa_analyzer/analyze_context.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the Analyze Context class.
@@ -12,13 +12,13 @@
 from typing import TypedDict
 
 from macaron.database.table_definitions import Component, SLSALevel
+from macaron.intoto.v01 import InTotoV01Statement
+from macaron.intoto.v1 import InTotoV1Statement
 from macaron.slsa_analyzer.checks.check_result import CheckResult, CheckResultType
 from macaron.slsa_analyzer.git_service import BaseGitService
 from macaron.slsa_analyzer.git_service.base_git_service import NoneGitService
 from macaron.slsa_analyzer.levels import SLSALevels
 from macaron.slsa_analyzer.provenance.expectations.expectation import Expectation
-from macaron.slsa_analyzer.provenance.intoto.v01 import InTotoV01Statement
-from macaron.slsa_analyzer.provenance.intoto.v1 import InTotoV1Statement
 from macaron.slsa_analyzer.slsa_req import ReqName, SLSAReqStatus, create_requirement_status_dict
 from macaron.slsa_analyzer.specs.build_spec import BuildSpec
 from macaron.slsa_analyzer.specs.ci_spec import CIInfo

src/macaron/slsa_analyzer/analyzer.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module handles the cloning and analyzing a Git repo."""
@@ -23,6 +23,7 @@
 from macaron.database.table_definitions import Analysis, Component, Repository
 from macaron.dependency_analyzer import DependencyAnalyzer, DependencyInfo
 from macaron.errors import CloneError, DuplicateError, InvalidPURLError, PURLNotFoundError, RepoCheckOutError
+from macaron.intoto import InTotoV01Payload
 from macaron.output_reporter.reporter import FileReporter
 from macaron.output_reporter.results import Record, Report, SCMStatus
 from macaron.repo_finder import repo_finder
@@ -39,7 +40,6 @@
 from macaron.slsa_analyzer.git_service.base_git_service import NoneGitService
 from macaron.slsa_analyzer.package_registry import PACKAGE_REGISTRIES
 from macaron.slsa_analyzer.provenance.expectations.expectation_registry import ExpectationRegistry
-from macaron.slsa_analyzer.provenance.intoto import InTotoV01Payload
 from macaron.slsa_analyzer.registry import registry
 from macaron.slsa_analyzer.specs.ci_spec import CIInfo
 from macaron.slsa_analyzer.specs.inferred_provenance import Provenance

src/macaron/slsa_analyzer/checks/build_as_code_check.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the BuildAsCodeCheck class."""
@@ -12,6 +12,7 @@
 from sqlalchemy.sql.sqltypes import String
 
 from macaron.database.table_definitions import CheckFacts
+from macaron.intoto import InTotoV01Payload
 from macaron.slsa_analyzer.analyze_context import AnalyzeContext
 from macaron.slsa_analyzer.build_tool.base_build_tool import BaseBuildTool
 from macaron.slsa_analyzer.checks.base_check import BaseCheck
@@ -22,7 +23,6 @@
 from macaron.slsa_analyzer.ci_service.gitlab_ci import GitLabCI
 from macaron.slsa_analyzer.ci_service.jenkins import Jenkins
 from macaron.slsa_analyzer.ci_service.travis import Travis
-from macaron.slsa_analyzer.provenance.intoto import InTotoV01Payload
 from macaron.slsa_analyzer.registry import registry
 from macaron.slsa_analyzer.slsa_req import ReqName
 from macaron.slsa_analyzer.specs.ci_spec import CIInfo

src/macaron/slsa_analyzer/checks/build_service_check.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the BuildServiceCheck class."""
@@ -12,6 +12,7 @@
 from sqlalchemy.sql.sqltypes import String
 
 from macaron.database.table_definitions import CheckFacts
+from macaron.intoto import InTotoV01Payload
 from macaron.slsa_analyzer.analyze_context import AnalyzeContext
 from macaron.slsa_analyzer.build_tool.base_build_tool import BaseBuildTool
 from macaron.slsa_analyzer.checks.base_check import BaseCheck
@@ -21,7 +22,6 @@
 from macaron.slsa_analyzer.ci_service.gitlab_ci import GitLabCI
 from macaron.slsa_analyzer.ci_service.jenkins import Jenkins
 from macaron.slsa_analyzer.ci_service.travis import Travis
-from macaron.slsa_analyzer.provenance.intoto import InTotoV01Payload
 from macaron.slsa_analyzer.registry import registry
 from macaron.slsa_analyzer.slsa_req import ReqName
 from macaron.slsa_analyzer.specs.ci_spec import CIInfo

src/macaron/slsa_analyzer/checks/infer_artifact_pipeline_check.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the InferArtifactPipelineCheck class to check if an artifact is published from a pipeline automatically."""
@@ -12,14 +12,14 @@
 from macaron.config.defaults import defaults
 from macaron.database.table_definitions import CheckFacts
 from macaron.errors import InvalidHTTPResponseError
+from macaron.intoto import InTotoV01Payload
 from macaron.slsa_analyzer.analyze_context import AnalyzeContext
 from macaron.slsa_analyzer.build_tool.gradle import Gradle
 from macaron.slsa_analyzer.build_tool.maven import Maven
 from macaron.slsa_analyzer.checks.base_check import BaseCheck
 from macaron.slsa_analyzer.checks.check_result import CheckResultData, CheckResultType, Justification, ResultTables
 from macaron.slsa_analyzer.ci_service.base_ci_service import NoneCIService
 from macaron.slsa_analyzer.package_registry.maven_central_registry import MavenCentralRegistry
-from macaron.slsa_analyzer.provenance.intoto import InTotoV01Payload
 from macaron.slsa_analyzer.registry import registry
 from macaron.slsa_analyzer.slsa_req import ReqName
 from macaron.slsa_analyzer.specs.package_registry_spec import PackageRegistryInfo

src/macaron/slsa_analyzer/checks/provenance_available_check.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the implementation of the Provenance Available check."""
@@ -15,6 +15,7 @@
 from macaron.config.defaults import defaults
 from macaron.database.table_definitions import CheckFacts, Component
 from macaron.errors import MacaronError
+from macaron.intoto import InTotoPayload
 from macaron.slsa_analyzer.analyze_context import AnalyzeContext
 from macaron.slsa_analyzer.asset import AssetLocator
 from macaron.slsa_analyzer.build_tool.gradle import Gradle
@@ -27,7 +28,6 @@
 from macaron.slsa_analyzer.package_registry import JFrogMavenRegistry
 from macaron.slsa_analyzer.package_registry.jfrog_maven_registry import JFrogMavenAsset
 from macaron.slsa_analyzer.package_registry.npm_registry import NPMAttestationAsset, NPMRegistry
-from macaron.slsa_analyzer.provenance.intoto import InTotoPayload
 from macaron.slsa_analyzer.provenance.loader import LoadIntotoAttestationError, load_provenance_payload
 from macaron.slsa_analyzer.provenance.slsa import SLSAProvenanceData
 from macaron.slsa_analyzer.provenance.witness import (

src/macaron/slsa_analyzer/checks/provenance_l3_check.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This modules implements a check to verify a target repo has intoto provenance level 3."""
@@ -23,14 +23,14 @@
 from macaron.config.defaults import defaults
 from macaron.config.global_config import global_config
 from macaron.database.table_definitions import CheckFacts, HashDigest, Provenance, ReleaseArtifact
+from macaron.intoto import InTotoV01Payload, v01
+from macaron.intoto.errors import InTotoAttestationError, UnsupportedInTotoVersionError
 from macaron.slsa_analyzer.analyze_context import AnalyzeContext
 from macaron.slsa_analyzer.asset import AssetLocator
 from macaron.slsa_analyzer.checks.base_check import BaseCheck
 from macaron.slsa_analyzer.checks.check_result import CheckResultData, CheckResultType, Justification, ResultTables
 from macaron.slsa_analyzer.ci_service.base_ci_service import BaseCIService, NoneCIService
 from macaron.slsa_analyzer.git_url import get_repo_dir_name
-from macaron.slsa_analyzer.provenance.intoto import InTotoV01Payload, v01
-from macaron.slsa_analyzer.provenance.intoto.errors import InTotoAttestationError, UnsupportedInTotoVersionError
 from macaron.slsa_analyzer.provenance.loader import load_provenance_payload
 from macaron.slsa_analyzer.registry import registry
 from macaron.slsa_analyzer.slsa_req import ReqName

src/macaron/slsa_analyzer/checks/trusted_builder_l3_check.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
@@ -14,11 +14,11 @@
 
 from macaron.config.defaults import defaults
 from macaron.database.table_definitions import CheckFacts
+from macaron.intoto import InTotoV01Payload
 from macaron.slsa_analyzer.analyze_context import AnalyzeContext
 from macaron.slsa_analyzer.checks.base_check import BaseCheck
 from macaron.slsa_analyzer.checks.check_result import CheckResultData, CheckResultType, Justification, ResultTables
 from macaron.slsa_analyzer.ci_service.github_actions import GHWorkflowType, GitHubActions
-from macaron.slsa_analyzer.provenance.intoto import InTotoV01Payload
 from macaron.slsa_analyzer.registry import registry
 from macaron.slsa_analyzer.slsa_req import ReqName
 from macaron.slsa_analyzer.specs.inferred_provenance import Provenance

src/macaron/slsa_analyzer/provenance/expectations/expectation.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module provides a base class for provenance expectation verifiers."""
@@ -9,7 +9,7 @@
 from sqlalchemy.orm import Mapped, mapped_column
 
 from macaron.errors import ExpectationRuntimeError
-from macaron.slsa_analyzer.provenance.intoto import InTotoPayload
+from macaron.intoto import InTotoPayload
 
 ExpectationFn = Callable[[Any], bool]