macaron.repo_verifier package
This package contains classes for repository verification.
Submodules
macaron.repo_verifier.repo_verifier module
This module contains code to verify whether a reported repository can be linked back to the artifact.
- macaron.repo_verifier.repo_verifier.verify_repo(namespace, name, version, reported_repo_url, reported_repo_fs, provenance_repo_url, build_tool)
Verify whether the repository links back to the artifact.
- Parameters:
namespace (str | None) – The namespace of the artifact.
name (str) – The name of the artifact.
version (str) – The version of the artifact.
reported_repo_url (str) – The reported repository URL.
reported_repo_fs (str) – The reported repository filesystem path.
provenance_repo_url (str | None) – The URL of the repository from a provenance file, or None if it, or the provenance, is not present.
build_tool (BaseBuildTool) – The build tool used to build the package.
- Returns:
The result of the repository verification
- Return type:
macaron.repo_verifier.repo_verifier_base module
This module contains the base class and core data models for repository verification.
- macaron.repo_verifier.repo_verifier_base.find_file_in_repo(root_dir, filename)
Find the highest-level (shallowest) file with a given name in a local repository.
This function ignores certain paths that are not under the main source code directories, so a file of the same name planted under a build, test or tooling directory does not shadow the real one.
- Parameters:
root_dir (Path) – The root directory of the repository.
filename (str) – The name of the file to search for.
- Returns:
The path to the file if it exists, otherwise
- Return type:
Path | None
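The search order is what makes this lookup safe to rely on: the file nearest the repository root is the one a build would actually use, and copies under build output or test fixtures must not win. The following is an added example, not Macaron's own code, showing one way to get that behaviour with a breadth-first walk. The set of ignored directory names is an assumption (the page does not list them), and the repository layout is constructed sample data.

```python
"""Constructed illustration of find_file_in_repo: the shallowest match wins and
directories outside the main source tree are pruned.  Not Macaron's own code."""
from __future__ import annotations

import tempfile
from pathlib import Path

# Directory names skipped during the search.  The page only says that "certain
# paths" are ignored; this set is an assumption made for the example.
IGNORED_DIRS = {".git", ".github", "build", "target", "node_modules", "test", "tests"}


def find_file_in_repo(root_dir: Path, filename: str) -> Path | None:
    """Breadth-first search, so a file at depth N is always preferred over one at
    depth N+1 regardless of directory names.  Symlinked directories are not
    followed, which keeps a crafted repository from looping the walk."""
    level = [root_dir]
    while level:
        next_level: list[Path] = []
        for directory in level:
            candidate = directory / filename
            if candidate.is_file():
                return candidate
            next_level.extend(
                sorted(
                    p for p in directory.iterdir()
                    if p.is_dir() and not p.is_symlink() and p.name not in IGNORED_DIRS
                )
            )
        level = next_level
    return None


def demo() -> dict[str, str | None]:
    """Build a throw-away repository layout (constructed sample data) and report
    where each lookup lands, as a path relative to the repository root."""
    layout = {
        "build/pom.xml": "<!-- generated during a build; must be ignored -->",
        "lib/pom.xml": "<project/>",
        "lib/sub/pom.xml": "<project/>",
        "src/main/java/App.java": "class App {}",
        "README.md": "# sample",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in layout.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content)
        results: dict[str, str | None] = {}
        for name in ("pom.xml", "README.md", "build.gradle"):
            found = find_file_in_repo(root, name)
            results[name] = None if found is None else found.relative_to(root).as_posix()
        return results


if __name__ == "__main__":
    # {'pom.xml': 'lib/pom.xml', 'README.md': 'README.md', 'build.gradle': None}
    print(demo())
```

Note that `build/pom.xml` is never considered even though it sits at the same depth as `lib/`, and `lib/sub/pom.xml` loses to `lib/pom.xml` because the whole of depth 1 is examined before anything at depth 2.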
- class macaron.repo_verifier.repo_verifier_base.RepositoryVerificationStatus(value)
A class to store the status of the repo verification.
- PASSED = 'passed'
We found evidence to prove that the repository can be linked back to the publisher of the artifact.
- FAILED = 'failed'
We found evidence showing that the repository is not the publisher of the artifact.
- UNKNOWN = 'unknown'
We could not find any evidence to prove or disprove that the repository can be linked back to the artifact.
- class macaron.repo_verifier.repo_verifier_base.RepositoryVerificationResult(status, reason, build_tool)
Bases: object
A class to store the information about repository verification.
- status: RepositoryVerificationStatus
The status of the repository verification.
- build_tool: BaseBuildTool
The build tool used to build the package.
- __init__(status, reason, build_tool)
- class macaron.repo_verifier.repo_verifier_base.RepoVerifierBase
Bases: ABC
The base class to verify whether a reported repository links back to the artifact.
- abstractmethod verify_repo()
Verify whether the repository links back to the artifact.
- Returns:
The result of the repository verification
- Return type:
- class macaron.repo_verifier.repo_verifier_base.RepoVerifierFromProvenance(namespace, name, version, reported_repo_url, reported_repo_fs, provenance_repo_url, build_tool)
Bases: RepoVerifierBase
An implementation of the base verifier that verifies a repository if the URL comes from provenance.
- DEFAULT_REASON = 'from_provenance'
- __init__(namespace, name, version, reported_repo_url, reported_repo_fs, provenance_repo_url, build_tool)
Instantiate the class.
- Parameters:
namespace (str) – The namespace of the artifact.
name (str) – The name of the artifact.
version (str) – The version of the artifact.
reported_repo_url (str) – The URL of the repository reported by the publisher.
reported_repo_fs (str) – The file system path of the reported repository.
provenance_repo_url (str | None) – The URL of the repository from a provenance file, or None if it, or the provenance, is not present.
build_tool (BaseBuildTool) – The build tool used to build the package.
- verify_repo()
Verify whether the repository links back to the artifact from the provenance URL.
- Return type:
- class macaron.repo_verifier.repo_verifier_base.RepoVerifierToolSpecific(namespace, name, version, reported_repo_url, reported_repo_fs, provenance_repo_url)
Bases: RepoVerifierFromProvenance, ABC
An abstract subclass of the repo verifier that provides and calls a per-tool verification function.
From-provenance verification is inherited from the parent class.
- abstract property specific_tool: BaseBuildTool
Define the build tool used to build the package.
- __init__(namespace, name, version, reported_repo_url, reported_repo_fs, provenance_repo_url)
Instantiate the class.
- Parameters:
namespace (str) – The namespace of the artifact.
name (str) – The name of the artifact.
version (str) – The version of the artifact.
reported_repo_url (str) – The URL of the repository reported by the publisher.
reported_repo_fs (str) – The file system path of the reported repository.
provenance_repo_url (str | None) – The URL of the repository from a provenance file, or None if it, or the provenance, is not present.
- verify_repo()
Verify the repository as per the base class method.
- Return type:
- abstractmethod verify_by_tool()
Verify the repository using build tool specific methods.
- Return type:
macaron.repo_verifier.repo_verifier_gradle module
This module contains code to verify whether a Gradle-based repository can be linked back to the artifact.
- class macaron.repo_verifier.repo_verifier_gradle.RepoVerifierGradle(namespace, name, version, reported_repo_url, reported_repo_fs, provenance_repo_url)
Bases: RepoVerifierToolSpecific
A class to verify whether a repository with Gradle build tool links back to the artifact.
- specific_tool = <macaron.slsa_analyzer.build_tool.gradle.Gradle object>
- __init__(namespace, name, version, reported_repo_url, reported_repo_fs, provenance_repo_url)
Initialize a RepoVerifierGradle instance.
- Parameters:
namespace (str) – The namespace of the artifact.
name (str) – The name of the artifact.
version (str) – The version of the artifact.
reported_repo_url (str) – The URL of the repository reported by the publisher.
reported_repo_fs (str) – The file system path of the reported repository.
provenance_repo_url (str | None) – The URL of the repository from a provenance file, or None if it, or the provenance, is not present.
- verify_by_tool()
Verify whether the reported repository links back to the artifact.
- Returns:
The result of the repository verification
- Return type:
macaron.repo_verifier.repo_verifier_maven module
This module contains code to verify whether a reported Maven-based repository can be linked back to the artifact.
- class macaron.repo_verifier.repo_verifier_maven.RepoVerifierMaven(namespace, name, version, reported_repo_url, reported_repo_fs, provenance_repo_url)
Bases: RepoVerifierToolSpecific
A class to verify whether a repository with Maven build tool links back to the artifact.
- specific_tool = <macaron.slsa_analyzer.build_tool.maven.Maven object>
- verify_by_tool()
Verify whether the reported repository links back to the Maven artifact.
- Returns:
The result of the repository verification
- Return type:
- verify_domains_from_recognized_code_hosting_services()
Verify the repository link by comparing the Maven namespace (group ID) with the account on a code hosting service.
This verification relies on the fact that Sonatype recognizes certain code hosting platforms for namespace verification on Maven Central: a namespace such as io.github.<account> is only granted to the holder of that account, so the account embedded in the namespace can be compared with the owner of the reported repository.
- Returns:
The result of the repository verification
- Return type:
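To make the flow described on this page concrete, here is an added, self-contained sketch (not Macaron's own code) of how verify_repo, the from-provenance check and verify_domains_from_recognized_code_hosting_services fit together. The status enum and result record reuse the names documented above; parse_repo_url, verify_from_provenance, verify_maven_namespace, the use of a plain string in place of a BaseBuildTool, the FAILED-on-mismatch policy for provenance URLs and the namespace-to-host table are all assumptions of this example, and the table is an assumed subset of Sonatype's list rather than the authoritative one.

```python
"""Constructed illustration of the verifier design on this page: a from-provenance
check first, then a Maven-specific namespace check.  Not Macaron's own code."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlparse


class RepositoryVerificationStatus(str, Enum):
    PASSED = "passed"    # evidence links the repository to the artifact's publisher
    FAILED = "failed"    # evidence shows the repository is not the publisher
    UNKNOWN = "unknown"  # nothing found either way


@dataclass(frozen=True)
class RepositoryVerificationResult:
    status: RepositoryVerificationStatus
    reason: str
    build_tool: str  # the page uses a BaseBuildTool object; a tool name suffices here


# Assumed subset of the code-hosting namespaces Sonatype recognises on Maven
# Central (namespace prefix -> host).  Illustrative only; check Sonatype's
# current list before relying on it.
HOSTING_NAMESPACES = {
    "io.github": "github.com",
    "com.github": "github.com",  # legacy form still seen in older artifacts
    "io.gitlab": "gitlab.com",
    "io.bitbucket": "bitbucket.org",
}


def parse_repo_url(url: str) -> tuple[str, str, str] | None:
    """Return (host, owner, repo), lower-cased and without a .git suffix, or None."""
    url = url.strip()
    if url.startswith("git@") and ":" in url:  # scp-style: git@github.com:owner/repo.git
        host, _, path = url[4:].partition(":")
    else:
        parsed = urlparse(url)
        host, path = parsed.netloc, parsed.path
    host = host.lower().removeprefix("www.")
    parts = [p for p in path.strip("/").split("/") if p]
    if not host or len(parts) < 2:
        return None
    return host, parts[0].lower(), parts[1].lower().removesuffix(".git")


def verify_from_provenance(
    reported_repo_url: str, provenance_repo_url: str | None, build_tool: str
) -> RepositoryVerificationResult:
    """PASSED when provenance names the same repository, FAILED when it names a
    different one (this example's policy), UNKNOWN when there is nothing to compare."""
    if provenance_repo_url is None:
        return RepositoryVerificationResult(RepositoryVerificationStatus.UNKNOWN, "no_provenance", build_tool)
    reported, attested = parse_repo_url(reported_repo_url), parse_repo_url(provenance_repo_url)
    if reported is None or attested is None:
        return RepositoryVerificationResult(RepositoryVerificationStatus.UNKNOWN, "unparseable_repo_url", build_tool)
    if reported == attested:
        return RepositoryVerificationResult(RepositoryVerificationStatus.PASSED, "from_provenance", build_tool)
    return RepositoryVerificationResult(RepositoryVerificationStatus.FAILED, "provenance_repo_mismatch", build_tool)


def verify_maven_namespace(namespace: str | None, reported_repo_url: str) -> RepositoryVerificationResult:
    """Map a code-hosting namespace (io.github.<account>) to the hosting account
    and compare it with the owner in the reported repository URL."""
    if not namespace:
        return RepositoryVerificationResult(RepositoryVerificationStatus.UNKNOWN, "no_namespace", "maven")
    parts = namespace.lower().split(".")
    host = HOSTING_NAMESPACES.get(".".join(parts[:2]))
    if host is None or len(parts) < 3:
        # A verified-domain namespace (org.apache, com.example) says nothing about
        # which hosting account controls the code, so this check cannot decide.
        return RepositoryVerificationResult(RepositoryVerificationStatus.UNKNOWN, "namespace_not_code_hosting", "maven")
    repo = parse_repo_url(reported_repo_url)
    if repo is None:
        return RepositoryVerificationResult(RepositoryVerificationStatus.UNKNOWN, "unparseable_repo_url", "maven")
    repo_host, owner, _ = repo
    if repo_host == host and owner == parts[2]:
        return RepositoryVerificationResult(RepositoryVerificationStatus.PASSED, "sonatype_code_hosting_namespace", "maven")
    return RepositoryVerificationResult(RepositoryVerificationStatus.FAILED, "namespace_owner_mismatch", "maven")


def verify_repo(
    namespace: str | None, reported_repo_url: str, provenance_repo_url: str | None, build_tool: str
) -> RepositoryVerificationResult:
    """Provenance decides first; the tool-specific check only runs when it cannot."""
    result = verify_from_provenance(reported_repo_url, provenance_repo_url, build_tool)
    if result.status is not RepositoryVerificationStatus.UNKNOWN:
        return result
    if build_tool == "maven":
        return verify_maven_namespace(namespace, reported_repo_url)
    return RepositoryVerificationResult(RepositoryVerificationStatus.UNKNOWN, "no_tool_specific_check", build_tool)


if __name__ == "__main__":
    # Constructed inputs: a GitHub-backed namespace whose owner matches, then one that does not.
    print(verify_repo("io.github.alice", "https://github.com/Alice/widget.git", None, "maven"))
    print(verify_repo("io.github.alice", "https://github.com/mallory/widget", None, "maven"))
```

The ordering is the point: a provenance URL is an attested claim, so it decides first, and the namespace check only fires when no provenance exists. It deliberately stays UNKNOWN for namespaces backed by a verified DNS domain, since an org.example group ID says nothing about which hosting account controls the code, and it returns FAILED rather than UNKNOWN when the namespace names one account and the reported repository belongs to another, which is exactly the repo-spoofing case this package exists to catch.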