chore: refactor provenance available check #791

merged 19 commits into from
Aug 14, 2024
18 changes: 1 addition & 17 deletions src/macaron/repo_finder/provenance_extractor.py
Expand Up @@ -243,24 +243,18 @@ def _clean_spdx(uri: str) -> str:
return url


def check_if_input_repo_commit_provenance_conflict(
def check_if_input_repo_provenance_conflict(
repo_path_input: str | None,
digest_input: str | None,
provenance_repo_url: str | None,
provenance_commit_digest: str | None,
) -> bool:
"""Test if the input repo and commit match the contents of the provenance.

Parameters
----------
repo_path_input: str | None
The repo URL from input.
digest_input: str | None
The digest from input.
provenance_repo_url: str | None
The repo URL from provenance.
provenance_commit_digest: str | None
The commit digest from provenance.

Returns
-------
Expand All @@ -277,16 +271,6 @@ def check_if_input_repo_commit_provenance_conflict(
)
return True

# Check the provenance commit against the input commit.
if digest_input and provenance_commit_digest and digest_input != provenance_commit_digest:
logger.debug(
"The commit digest from input does not match what exists in the provenance. "
"Input Commit: %s, Provenance Commit: %s.",
digest_input,
provenance_commit_digest,
)
return True

return False


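Review bot: The docstring summary kept as context, `Test if the input repo and commit match the contents of the provenance.`, still promises a commit comparison that the renamed `check_if_input_repo_provenance_conflict` no longer performs: the call site in analyzer.py now passes only `(repo_path_input, provenance_repo_url)` and the block comparing `digest_input` with `provenance_commit_digest` is deleted. Change the summary to `Test if the input repo URL matches the repo URL recorded in the provenance.` and drop the two digest entries from the Parameters section if they survived. Since a caller-supplied commit that disagrees with the provenance commit is no longer rejected at this gate, that mismatch has to be surfaced somewhere downstream (presumably the commit finder or the derived-commit check); one sentence in the docstring saying where would keep the security intent reviewable. The signature body between the two hunks and the Returns section are outside this view, so I cannot confirm they were updated consistently.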
14 changes: 6 additions & 8 deletions src/macaron/slsa_analyzer/analyzer.py
Expand Up @@ -38,7 +38,7 @@
from macaron.repo_finder.commit_finder import find_commit
from macaron.repo_finder.provenance_extractor import (
check_if_input_purl_provenance_conflict,
check_if_input_repo_commit_provenance_conflict,
check_if_input_repo_provenance_conflict,
extract_repo_and_commit_from_provenance,
)
from macaron.repo_finder.provenance_finder import ProvenanceFinder, find_provenance_from_ci
Expand Down Expand Up @@ -343,10 +343,8 @@ def run_single(
except ProvenanceError as error:
logger.debug("Failed to extract repo or commit from provenance: %s", error)

# Try to validate the input repo and/or commit against provenance contents.
if (provenance_repo_url or provenance_commit_digest) and check_if_input_repo_commit_provenance_conflict(
repo_path_input, digest_input, provenance_repo_url, provenance_commit_digest
):
# Try to validate the input repo against provenance contents.
if provenance_repo_url and check_if_input_repo_provenance_conflict(repo_path_input, provenance_repo_url):
return Record(
record_id=repo_id,
description="Input mismatch between repo and provenance.",
Expand Down Expand Up @@ -456,9 +454,9 @@ def run_single(
except ProvenanceError as error:
logger.debug("Failed to extract repo or commit from provenance: %s", error)

# Try to validate the input repo and/or commit against provenance contents.
if (provenance_repo_url or provenance_commit_digest) and check_if_input_repo_commit_provenance_conflict(
repo_path_input, digest_input, provenance_repo_url, provenance_commit_digest
# Try to validate the input repo against provenance contents.
if provenance_repo_url and check_if_input_repo_provenance_conflict(
repo_path_input, provenance_repo_url
):
return Record(
record_id=repo_id,
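Review bot: The guard `if provenance_repo_url and check_if_input_repo_provenance_conflict(repo_path_input, provenance_repo_url):` followed by the identical `Record(..., description="Input mismatch between repo and provenance.", ...)` now appears twice in `run_single` (once per hunk), so the two paths can drift; a small private helper returning the `Record` or `None` would keep them aligned and would also remove the formatting difference (one statement fits on a line, the other is wrapped). More importantly, `provenance_commit_digest` is still extracted (the `except ProvenanceError` branch above logs "repo or commit") but is no longer compared with `digest_input` in either hunk, so an input digest that contradicts the provenance passes this gate silently; if the derived-commit check is now the intended place to surface that, say so at the call site, e.g. `# Only the repo URL is validated here; a commit mismatch is reported by the derived-commit check.` `run_single` begins and ends outside these hunks.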
Expand Up @@ -9,13 +9,13 @@ Policy("test_policy", component_id, "") :-
check_passed(component_id, "mcn_build_service_1"),
check_passed(component_id, "mcn_version_control_system_1"),
check_passed(component_id, "mcn_provenance_available_1"),
check_failed(component_id, "mcn_provenance_level_three_1"),
check_passed(component_id, "mcn_provenance_derived_repo_1"),
check_passed(component_id, "mcn_provenance_level_three_1"),
check_failed(component_id, "mcn_infer_artifact_pipeline_1"),
check_failed(component_id, "mcn_provenance_derived_commit_1"),
check_failed(component_id, "mcn_provenance_derived_repo_1"),
check_failed(component_id, "mcn_provenance_witness_level_one_1"),
check_failed(component_id, "mcn_trusted_builder_level_three_1"),
is_repo_url(component_id, "https://github.com/micronaut-projects/micronaut-test").

apply_policy_to("test_policy", component_id) :-
is_component(component_id, "pkg:github.com/micronaut-projects/micronaut-test@7679d10b4073a3b842b6c56877c35fa8cd10acff").
is_component(component_id, "pkg:github.com/micronaut-projects/micronaut-test@5b81340f319a2287cb2e81ddec0154c0ea2510cf").
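Review bot: The updated policy keeps `check_failed(component_id, "mcn_provenance_derived_commit_1")` while `mcn_provenance_derived_repo_1` and (reading the two level_three lines as old/new) `mcn_provenance_level_three_1` now pass, and the pinned component moves to commit `5b81340f319a2287cb2e81ddec0154c0ea2510cf`; together that looks like a run where provenance was found for the repo but describes a different commit than the one analyzed. That is the situation the removed input-vs-provenance digest comparison used to reject outright, so this fixture now documents the new acceptance without saying so; a one-line `// Provenance is found for the repo but records a different commit than 5b81340f..., so derived_commit is expected to fail.` above the rule would make the intent reviewable. Which of the two level_three lines is old and which is new is not explicit in this rendering, so that part is inferred.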
Expand Up @@ -10,12 +10,12 @@ Policy("test_policy", component_id, "") :-
check_passed(component_id, "mcn_trusted_builder_level_three_1"),
check_passed(component_id, "mcn_version_control_system_1"),
check_passed(component_id, "mcn_provenance_available_1"),
check_failed(component_id, "mcn_provenance_expectation_1"),
check_passed(component_id, "mcn_provenance_derived_commit_1"),
check_passed(component_id, "mcn_provenance_derived_repo_1"),
check_passed(component_id, "mcn_provenance_expectation_1"),
check_failed(component_id, "mcn_infer_artifact_pipeline_1"),
check_failed(component_id, "mcn_provenance_derived_commit_1"),
check_failed(component_id, "mcn_provenance_derived_repo_1"),
check_failed(component_id, "mcn_provenance_witness_level_one_1"),
is_repo_url(component_id, "https://github.com/slsa-framework/slsa-verifier").

apply_policy_to("test_policy", component_id) :-
is_component(component_id, "pkg:github.com/slsa-framework/slsa-verifier@fc50b662fcfeeeb0e97243554b47d9b20b14efac").
is_component(component_id, "pkg:github.com/slsa-framework/slsa-verifier@e6428d7da594455a4c2b7f24907fec421a5e0e95").
Expand Up @@ -15,8 +15,12 @@ steps:
ini: config.ini
expectation: expectation.cue
command_args:
- -purl
- pkg:golang/slsa-framework/[email protected]
- -rp
- https://github.com/slsa-framework/slsa-verifier
- -b
- main
- -d
- e6428d7da594455a4c2b7f24907fec421a5e0e95
- --skip-deps
- name: Run macaron verify-policy to verify passed/failed checks
kind: verify
@@ -1,5 +1,5 @@
{
target: "pkg:github.com/urllib3/urllib3",
target: "pkg:pypi/urllib3",
predicate: {
invocation: {
configSource: {
10 changes: 5 additions & 5 deletions tests/integration/cases/urllib3_expectation_dir/policy.dl
Expand Up @@ -9,14 +9,14 @@ Policy("test_policy", component_id, "") :-
check_passed(component_id, "mcn_build_service_1"),
check_passed(component_id, "mcn_version_control_system_1"),
check_passed(component_id, "mcn_provenance_available_1"),
check_failed(component_id, "mcn_provenance_expectation_1"),
check_failed(component_id, "mcn_provenance_level_three_1"),
check_passed(component_id, "mcn_provenance_level_three_1"),
check_passed(component_id, "mcn_provenance_derived_commit_1"),
check_passed(component_id, "mcn_provenance_derived_repo_1"),
check_passed(component_id, "mcn_provenance_expectation_1"),
check_failed(component_id, "mcn_infer_artifact_pipeline_1"),
check_failed(component_id, "mcn_provenance_derived_commit_1"),
check_failed(component_id, "mcn_provenance_derived_repo_1"),
check_failed(component_id, "mcn_provenance_witness_level_one_1"),
check_failed(component_id, "mcn_trusted_builder_level_three_1"),
is_repo_url(component_id, "https://github.com/urllib3/urllib3").

apply_policy_to("test_policy", component_id) :-
is_component(component_id, "pkg:github.com/urllib3/urllib3@87a0ecee6e691fe5ff93cd000c0158deebef763b").
is_component(component_id, "pkg:pypi/urllib3@2.0.0a1").
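Review bot: The component is now identified as `pkg:pypi/urllib3@2.0.0a1` instead of a `pkg:github.com/urllib3/urllib3@<sha>` PURL, so the fixture no longer pins which commit was analyzed; it relies on `mcn_provenance_derived_commit_1` passing, i.e. the commit is whatever the published provenance for 2.0.0a1 resolves to. That is the right shape for a package-level check, but it makes the test depend on the index continuing to serve the same provenance; if the policy language exposes the resolved commit as a fact, asserting it here would keep the fixture hermetic, and otherwise a `//` comment recording the expected commit (the previous PURL pinned `87a0ecee6e691fe5ff93cd000c0158deebef763b`, if that is still what the provenance yields) preserves the information the old PURL carried.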
@@ -1,5 +1,5 @@
{
target: "pkg:github.com/urllib3/urllib3",
target: "pkg:pypi/urllib3",
predicate: {
invocation: {
configSource: {
10 changes: 5 additions & 5 deletions tests/integration/cases/urllib3_expectation_file/policy.dl
Expand Up @@ -9,14 +9,14 @@ Policy("test_policy", component_id, "") :-
check_passed(component_id, "mcn_build_service_1"),
check_passed(component_id, "mcn_version_control_system_1"),
check_passed(component_id, "mcn_provenance_available_1"),
check_failed(component_id, "mcn_provenance_expectation_1"),
check_failed(component_id, "mcn_provenance_level_three_1"),
check_passed(component_id, "mcn_provenance_derived_commit_1"),
check_passed(component_id, "mcn_provenance_derived_repo_1"),
check_passed(component_id, "mcn_provenance_expectation_1"),
check_passed(component_id, "mcn_provenance_level_three_1"),
check_failed(component_id, "mcn_infer_artifact_pipeline_1"),
check_failed(component_id, "mcn_provenance_derived_commit_1"),
check_failed(component_id, "mcn_provenance_derived_repo_1"),
check_failed(component_id, "mcn_provenance_witness_level_one_1"),
check_failed(component_id, "mcn_trusted_builder_level_three_1"),
is_repo_url(component_id, "https://github.com/urllib3/urllib3").

apply_policy_to("test_policy", component_id) :-
is_component(component_id, "pkg:github.com/urllib3/urllib3@87a0ecee6e691fe5ff93cd000c0158deebef763b").
is_component(component_id, "pkg:pypi/urllib3@2.0.0a1").
Expand Up @@ -9,13 +9,13 @@ Policy("test_policy", component_id, "") :-
check_passed(component_id, "mcn_build_service_1"),
check_passed(component_id, "mcn_version_control_system_1"),
check_passed(component_id, "mcn_provenance_available_1"),
check_failed(component_id, "mcn_provenance_level_three_1"),
check_passed(component_id, "mcn_provenance_derived_commit_1"),
check_passed(component_id, "mcn_provenance_derived_repo_1"),
check_passed(component_id, "mcn_provenance_level_three_1"),
check_failed(component_id, "mcn_infer_artifact_pipeline_1"),
check_failed(component_id, "mcn_provenance_derived_commit_1"),
check_failed(component_id, "mcn_provenance_derived_repo_1"),
check_failed(component_id, "mcn_provenance_witness_level_one_1"),
check_failed(component_id, "mcn_trusted_builder_level_three_1"),
is_repo_url(component_id, "https://github.com/urllib3/urllib3").

apply_policy_to("test_policy", component_id) :-
is_component(component_id, "pkg:github.com/urllib3/urllib3@87a0ecee6e691fe5ff93cd000c0158deebef763b").
is_component(component_id, "pkg:pypi/urllib3@2.0.0a1").