macaron.repo_verifier package

This package contains classes for repository verification.

Submodules

macaron.repo_verifier.repo_verifier module

This module contains code to verify whether a reported repository can be linked back to the artifact.

macaron.repo_verifier.repo_verifier.verify_repo(namespace, name, version, reported_repo_url, reported_repo_fs, build_tool)

Verify whether the repository links back to the artifact.

Parameters:
  • namespace (str | None) – The namespace of the artifact.

  • name (str) – The name of the artifact.

  • version (str) – The version of the artifact.

  • reported_repo_url (str) – The reported repository URL.

  • reported_repo_fs (str) – The reported repository filesystem path.

  • build_tool (BaseBuildTool) – The build tool used to build the package.

Returns:

The result of the repository verification

Return type:

RepositoryVerificationResult

macaron.repo_verifier.repo_verifier_base module

This module contains the base class and core data models for repository verification.

macaron.repo_verifier.repo_verifier_base.find_file_in_repo(root_dir, filename)

Find the highest level file with a given name in a local repository.

This function ignores certain paths that are not under the main source code directories.

Parameters:
  • root_dir (Path) – The root directory of the repository.

  • filename (str) – The name of the file to search for.

Returns:

The path to the file if it exists, otherwise None.

Return type:

Path | None

class macaron.repo_verifier.repo_verifier_base.RepositoryVerificationStatus(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: str, Enum

A class to store the status of the repo verification.

PASSED = 'passed'

We found evidence to prove that the repository can be linked back to the publisher of the artifact.

FAILED = 'failed'

We found evidence showing that the repository is not the publisher of the artifact.

UNKNOWN = 'unknown'

We could not find any evidence to prove or disprove that the repository can be linked back to the artifact.

class macaron.repo_verifier.repo_verifier_base.RepositoryVerificationResult(status, reason, build_tool)

Bases: object

A class to store the information about repository verification.

status: RepositoryVerificationStatus

The status of the repository verification.

reason: str

The reason for the verification result.

build_tool: BaseBuildTool

The build tool used to build the package.

__init__(status, reason, build_tool)

class macaron.repo_verifier.repo_verifier_base.RepoVerifierBase(namespace, name, version, reported_repo_url, reported_repo_fs)

Bases: ABC

The base class to verify whether a reported repository links back to the artifact.

abstract property build_tool: BaseBuildTool

Define the build tool used to build the package.

__init__(namespace, name, version, reported_repo_url, reported_repo_fs)

Instantiate the class.

Parameters:
  • namespace (str) – The namespace of the artifact.

  • name (str) – The name of the artifact.

  • version (str) – The version of the artifact.

  • reported_repo_url (str) – The URL of the repository reported by the publisher.

  • reported_repo_fs (str) – The file system path of the reported repository.

abstract verify_repo()

Verify whether the repository links back to the artifact.

Returns:

The result of the repository verification

Return type:

RepositoryVerificationResult

macaron.repo_verifier.repo_verifier_gradle module

This module contains code to verify whether a repository with the Gradle build system can be linked back to the artifact.

class macaron.repo_verifier.repo_verifier_gradle.RepoVerifierGradle(namespace, name, version, reported_repo_url, reported_repo_fs)

Bases: RepoVerifierBase

A class to verify whether a repository with the Gradle build tool links back to the artifact.

build_tool = <macaron.slsa_analyzer.build_tool.gradle.Gradle object>

__init__(namespace, name, version, reported_repo_url, reported_repo_fs)

Initialize a RepoVerifierGradle instance.

Parameters:
  • namespace (str) – The namespace of the artifact.

  • name (str) – The name of the artifact.

  • version (str) – The version of the artifact.

  • reported_repo_url (str) – The URL of the repository reported by the publisher.

  • reported_repo_fs (str) – The file system path of the reported repository.

verify_repo()

Verify whether the reported repository links back to the artifact.

Returns:

The result of the repository verification

Return type:

RepositoryVerificationResult

macaron.repo_verifier.repo_verifier_maven module

This module contains code to verify whether a reported repository with the Maven build system can be linked back to the artifact.

class macaron.repo_verifier.repo_verifier_maven.RepoVerifierMaven(namespace, name, version, reported_repo_url, reported_repo_fs)

Bases: RepoVerifierBase

A class to verify whether a repository with the Maven build tool links back to the artifact.

build_tool = <macaron.slsa_analyzer.build_tool.maven.Maven object>

verify_repo()

Verify whether the reported repository links back to the Maven artifact.

Returns:

The result of the repository verification

Return type:

RepositoryVerificationResult

verify_domains_from_recognized_code_hosting_services()

Verify the repository link by comparing the Maven domain name with the account on code hosting services.

This verification relies on the fact that Sonatype recognizes certain code hosting platforms for namespace verification on Maven Central.

Returns:

The result of the repository verification

Return type:

RepositoryVerificationResult