oracle · nathanwn · Jan 3, 2024 · Jan 3, 2024
@@ -0,0 +1,35 @@
+macaron.intoto package
+======================
+
+.. automodule:: macaron.intoto
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+Subpackages
+-----------
+
+.. toctree::
+   :maxdepth: 1
+
+   macaron.intoto.v01
+   macaron.intoto.v1
+
+Submodules
+----------
+
+macaron.intoto.encoder\_decoder module
+--------------------------------------
+
+.. automodule:: macaron.intoto.encoder_decoder
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+macaron.intoto.errors module
+----------------------------
+
+.. automodule:: macaron.intoto.errors
+   :members:
+   :undoc-members:
+   :show-inheritance:
@@ -0,0 +1,7 @@
+macaron.intoto.v01 package
+==========================
+
+.. automodule:: macaron.intoto.v01
+   :members:
+   :undoc-members:
+   :show-inheritance:
@@ -0,0 +1,7 @@
+macaron.intoto.v1 package
+=========================
+
+.. automodule:: macaron.intoto.v1
+   :members:
+   :undoc-members:
+   :show-inheritance:
@@ -16,6 +16,7 @@ Subpackages
    macaron.config
    macaron.database
    macaron.dependency_analyzer
+   macaron.intoto
    macaron.output_reporter
    macaron.parsers
    macaron.policy_engine

@@ -13,7 +13,6 @@ Subpackages
    :maxdepth: 1
 
    macaron.slsa_analyzer.provenance.expectations
-   macaron.slsa_analyzer.provenance.intoto
    macaron.slsa_analyzer.provenance.slsa
    macaron.slsa_analyzer.provenance.witness
 

@@ -1,12 +1,39 @@
 #!/usr/bin/env bash
 
-# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 #
 # Checks if copyright header is valid.
 #
 
+
+# Get the existing start year of a file, by checking if there is already a copyright
+# notice line and capturing the start year.
+#
+# Arguments:
+#   $1: The file to get the start year.
+# Outputs:
+#   STDOUT: The start year if it exists; empty string otherwise.
+get_existing_start_year() {
+  file="$1"
+  copyright_line=$(grep -i -e "Copyright (c) [0-9]* - [0-9]*, Oracle and/or its affiliates. All rights reserved." "$file")
+
+  # Use bash regex matching to get the start year with a capture group.
+  # Grep is not used since it does not have support for capture groups.
+  # Reference: https://stackoverflow.com/questions/1891797/capturing-groups-from-a-grep-regex
+  capture_pattern="Copyright \(c\) ([0-9]*) - [0-9]*, Oracle and/or its affiliates. All rights reserved."
+
+  if [[ $copyright_line =~ $capture_pattern ]]
+  then
+      year="${BASH_REMATCH[1]}"
+      echo "$year"
+  else
+      echo ""
+  fi
+}
+
+
 files=$(git diff --cached --name-only)
 currentyear=$(date +"%Y")
 missing_copyright_files=()
@@ -17,11 +44,7 @@ for f in $files; do
     if [ ! -f "$f" ]; then
         continue
     fi
-    startyear=$(git log --format=%ad --date=format:%Y "$f" | tail -1)
-    if [[ -z "${startyear// }" ]]; then
-        startyear=$currentyear
-    fi
-    if ! grep -i -e "Copyright (c) $startyear - $currentyear, Oracle and/or its affiliates. All rights reserved." "$f" 1>/dev/null;then
+    if ! grep -i -e "Copyright (c) [0-9]* - $currentyear, Oracle and/or its affiliates. All rights reserved." "$f" 1>/dev/null;then
         if [[ $f =~ .*\.(js$|py$|java$|tf$|go$|sh$|dl$|yaml$|yml$|gradle$|kts$|ini$|toml$) ]] || [[ "${f##*/}" = "Dockerfile" ]] \
             || [[ "${f##*/}" = "Makefile" ]] || [[ "${f##*/}" = "Jenkinsfile" ]];then
           missing_copyright_files+=("$f")
@@ -38,7 +61,7 @@ if [ ${#missing_copyright_files[@]} -ne 0 ]; then
             exit 1
         fi
         missing_license_note=$(grep -i "$license_note" "$f")
-        startyear=$(git log --format=%ad --date=format:%Y "$f" | tail -1)
+        startyear=$(get_existing_start_year "$f")
         if [[ -z "${startyear// }" ]]; then
             startyear=$currentyear
         fi

@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """In-toto provenance schemas and validation."""
@@ -8,8 +8,8 @@
 from collections.abc import Mapping
 from typing import NamedTuple, TypeVar
 
-from macaron.slsa_analyzer.provenance.intoto import v01, v1
-from macaron.slsa_analyzer.provenance.intoto.errors import ValidateInTotoPayloadError
+from macaron.intoto import v01, v1
+from macaron.intoto.errors import ValidateInTotoPayloadError
 from macaron.util import JsonType
 
 # Type of an in-toto statement.

@@ -0,0 +1,67 @@
+# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""Functions to base64 encode/decode the in-toto attestation payload."""
+
+import base64
+import json
+
+from macaron.intoto.errors import DecodeIntotoAttestationError
+
+
+def encode_payload(payload: dict) -> str:
+    """Encode (base64 encoding) the payload of an in-toto attestation.
+
+    For more details about the payload field, see:
+        https://github.com/in-toto/attestation/blob/main/spec/v1/envelope.md#fields.
+
+    Parameters
+    ----------
+    payload : dict
+        The unencoded payload.
+
+    Returns
+    -------
+    str
+        The encoded payload.
+    """
+    return base64.b64encode(json.dumps(payload).encode()).decode("ascii")
+
+
+def decode_payload(encoded_payload: str) -> dict:
+    """Decode (base64 decoding) the payload of an in-toto attestation.
+
+    For more details about the payload field, see:
+        https://github.com/in-toto/attestation/blob/main/spec/v1/envelope.md#fields.
+
+    Parameters
+    ----------
+    encoded_payload : str
+        The encoded payload.
+
+    Returns
+    -------
+    dict
+        The decoded payload.
+
+    Raises
+    ------
+    DecodeIntotoAttestationError
+        If there is an error decoding the payload of an in-toto attestation.
+    """
+    try:
+        decoded_string = base64.b64decode(encoded_payload)
+    except UnicodeDecodeError as error:
+        raise DecodeIntotoAttestationError("Cannot base64-decode the attestation payload.") from error
+
+    try:
+        json_payload = json.loads(decoded_string)
+    except (json.JSONDecodeError, TypeError) as error:
+        raise DecodeIntotoAttestationError(
+            "Cannot deserialize the attestation payload as JSON.",
+        ) from error
+
+    if not isinstance(json_payload, dict):
+        raise DecodeIntotoAttestationError("The provenance payload is not a JSON object.")
+
+    return json_payload
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """Error types related to in-toto attestations."""
@@ -15,8 +15,12 @@ class ValidateInTotoPayloadError(InTotoAttestationError):
 
 
 class UnsupportedInTotoVersionError(InTotoAttestationError):
-    """Happens when encountering a provenance under an unsupported in-toto version."""
+    """Happens when encountering an attestation under an unsupported in-toto version."""
+
+
+class DecodeIntotoAttestationError(InTotoAttestationError):
+    """Happens when there is an issue decoding the payload of an in-toto attestation."""
 
 
 class LoadIntotoAttestationError(InTotoAttestationError):
-    """Happens when there is an issue decoding and loading the payload of an in-toto provenance."""
+    """Happens when there is an issue loading the payload of an in-toto attestation."""
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module handles in-toto version 0.1 attestations."""
@@ -7,7 +7,7 @@
 
 from typing import TypedDict, TypeGuard
 
-from macaron.slsa_analyzer.provenance.intoto.errors import ValidateInTotoPayloadError
+from macaron.intoto.errors import ValidateInTotoPayloadError
 from macaron.util import JsonType
 
 

@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module handles in-toto version version 1 attestations."""

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the Analyze Context class.
@@ -12,13 +12,13 @@
 from typing import TypedDict
 
 from macaron.database.table_definitions import Component, SLSALevel
+from macaron.intoto.v01 import InTotoV01Statement
+from macaron.intoto.v1 import InTotoV1Statement
 from macaron.slsa_analyzer.checks.check_result import CheckResult, CheckResultType
 from macaron.slsa_analyzer.git_service import BaseGitService
 from macaron.slsa_analyzer.git_service.base_git_service import NoneGitService
 from macaron.slsa_analyzer.levels import SLSALevels
 from macaron.slsa_analyzer.provenance.expectations.expectation import Expectation
-from macaron.slsa_analyzer.provenance.intoto.v01 import InTotoV01Statement
-from macaron.slsa_analyzer.provenance.intoto.v1 import InTotoV1Statement
 from macaron.slsa_analyzer.slsa_req import ReqName, SLSAReqStatus, create_requirement_status_dict
 from macaron.slsa_analyzer.specs.build_spec import BuildSpec
 from macaron.slsa_analyzer.specs.ci_spec import CIInfo

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module handles the cloning and analyzing a Git repo."""
@@ -22,6 +22,7 @@
 from macaron.database.table_definitions import Analysis, Component, Repository
 from macaron.dependency_analyzer import DependencyAnalyzer, DependencyInfo
 from macaron.errors import CloneError, DuplicateError, InvalidPURLError, PURLNotFoundError, RepoCheckOutError
+from macaron.intoto import InTotoV01Payload
 from macaron.output_reporter.reporter import FileReporter
 from macaron.output_reporter.results import Record, Report, SCMStatus
 from macaron.repo_finder import repo_finder
@@ -39,7 +40,6 @@
 from macaron.slsa_analyzer.git_service.base_git_service import NoneGitService
 from macaron.slsa_analyzer.package_registry import PACKAGE_REGISTRIES
 from macaron.slsa_analyzer.provenance.expectations.expectation_registry import ExpectationRegistry
-from macaron.slsa_analyzer.provenance.intoto import InTotoV01Payload
 from macaron.slsa_analyzer.registry import registry
 from macaron.slsa_analyzer.specs.ci_spec import CIInfo
 from macaron.slsa_analyzer.specs.inferred_provenance import Provenance

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the BuildAsCodeCheck class."""
@@ -12,6 +12,7 @@
 from sqlalchemy.sql.sqltypes import String
 
 from macaron.database.table_definitions import CheckFacts
+from macaron.intoto import InTotoV01Payload
 from macaron.slsa_analyzer.analyze_context import AnalyzeContext
 from macaron.slsa_analyzer.build_tool.base_build_tool import BaseBuildTool
 from macaron.slsa_analyzer.checks.base_check import BaseCheck
@@ -22,7 +23,6 @@
 from macaron.slsa_analyzer.ci_service.gitlab_ci import GitLabCI
 from macaron.slsa_analyzer.ci_service.jenkins import Jenkins
 from macaron.slsa_analyzer.ci_service.travis import Travis
-from macaron.slsa_analyzer.provenance.intoto import InTotoV01Payload
 from macaron.slsa_analyzer.registry import registry
 from macaron.slsa_analyzer.slsa_req import ReqName
 from macaron.slsa_analyzer.specs.ci_spec import CIInfo

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the BuildServiceCheck class."""
@@ -12,6 +12,7 @@
 from sqlalchemy.sql.sqltypes import String
 
 from macaron.database.table_definitions import CheckFacts
+from macaron.intoto import InTotoV01Payload
 from macaron.slsa_analyzer.analyze_context import AnalyzeContext
 from macaron.slsa_analyzer.build_tool.base_build_tool import BaseBuildTool
 from macaron.slsa_analyzer.checks.base_check import BaseCheck
@@ -21,7 +22,6 @@
 from macaron.slsa_analyzer.ci_service.gitlab_ci import GitLabCI
 from macaron.slsa_analyzer.ci_service.jenkins import Jenkins
 from macaron.slsa_analyzer.ci_service.travis import Travis
-from macaron.slsa_analyzer.provenance.intoto import InTotoV01Payload
 from macaron.slsa_analyzer.registry import registry
 from macaron.slsa_analyzer.slsa_req import ReqName
 from macaron.slsa_analyzer.specs.ci_spec import CIInfo