macaron.repo_verifier package

This package contains classes for repository verification.

Submodules

macaron.repo_verifier.repo_verifier module

This module contains code to verify whether a reported repository can be linked back to the artifact.

macaron.repo_verifier.repo_verifier.verify_repo(namespace, name, version, reported_repo_url, reported_repo_fs, provenance_repo_url, build_tool)

Verify whether the repository links back to the artifact.

Parameters:
  • namespace (str | None) – The namespace of the artifact.

  • name (str) – The name of the artifact.

  • version (str) – The version of the artifact.

  • reported_repo_url (str) – The reported repository URL.

  • reported_repo_fs (str) – The reported repository filesystem path.

  • provenance_repo_url (str | None) – The URL of the repository from a provenance file, or None if it, or the provenance, is not present.

  • build_tool (BaseBuildTool) – The build tool used to build the package.

Returns:

The result of the repository verification

Return type:

RepositoryVerificationResult

macaron.repo_verifier.repo_verifier_base module

This module contains the base class and core data models for repository verification.

macaron.repo_verifier.repo_verifier_base.find_file_in_repo(root_dir, filename)

Find the highest level file with a given name in a local repository.

This function ignores certain paths that are not under the main source code directories.

Parameters:
  • root_dir (Path) – The root directory of the repository.

  • filename (str) – The name of the file to search for.

Returns:

The path to the file if it exists, otherwise

Return type:

Path | None

class macaron.repo_verifier.repo_verifier_base.RepositoryVerificationStatus(value)

Bases: str, Enum

A class to store the status of the repo verification.

PASSED = 'passed'

We found evidence to prove that the repository can be linked back to the publisher of the artifact.

FAILED = 'failed'

We found evidence showing that the repository is not the publisher of the artifact.

UNKNOWN = 'unknown'

We could not find any evidence to prove or disprove that the repository can be linked back to the artifact.

class macaron.repo_verifier.repo_verifier_base.RepositoryVerificationResult(status, reason, build_tool)

Bases: object

A class to store the information about repository verification.

status: RepositoryVerificationStatus

The status of the repository verification.

reason: str

The reason for the verification result.

build_tool: BaseBuildTool

The build tool used to build the package.

__init__(status, reason, build_tool)

class macaron.repo_verifier.repo_verifier_base.RepoVerifierBase

Bases: ABC

The base class to verify whether a reported repository links back to the artifact.

abstractmethod verify_repo()

Verify whether the repository links back to the artifact.

Returns:

The result of the repository verification

Return type:

RepositoryVerificationResult

class macaron.repo_verifier.repo_verifier_base.RepoVerifierFromProvenance(namespace, name, version, reported_repo_url, reported_repo_fs, provenance_repo_url, build_tool)

Bases: RepoVerifierBase

An implementation of the base verifier that verifies a repository if the URL comes from provenance.

DEFAULT_REASON = 'from_provenance'

__init__(namespace, name, version, reported_repo_url, reported_repo_fs, provenance_repo_url, build_tool)

Instantiate the class.

Parameters:
  • namespace (str) – The namespace of the artifact.

  • name (str) – The name of the artifact.

  • version (str) – The version of the artifact.

  • reported_repo_url (str) – The URL of the repository reported by the publisher.

  • reported_repo_fs (str) – The file system path of the reported repository.

  • provenance_repo_url (str | None) – The URL of the repository from a provenance file, or None if it, or the provenance, is not present.

  • build_tool (BaseBuildTool) – The build tool used to build the package.

verify_repo()

Verify whether the repository links back to the artifact from the provenance URL.

Return type:

RepositoryVerificationResult

class macaron.repo_verifier.repo_verifier_base.RepoVerifierToolSpecific(namespace, name, version, reported_repo_url, reported_repo_fs, provenance_repo_url)

Bases: RepoVerifierFromProvenance, ABC

An abstract subclass of the repo verifier that provides and calls a per-tool verification function.

From-provenance verification is inherited from the parent class.

abstract property specific_tool: BaseBuildTool

Define the build tool used to build the package.

__init__(namespace, name, version, reported_repo_url, reported_repo_fs, provenance_repo_url)

Instantiate the class.

Parameters:
  • namespace (str) – The namespace of the artifact.

  • name (str) – The name of the artifact.

  • version (str) – The version of the artifact.

  • reported_repo_url (str) – The URL of the repository reported by the publisher.

  • reported_repo_fs (str) – The file system path of the reported repository.

  • provenance_repo_url (str | None) – The URL of the repository from a provenance file, or None if it, or the provenance, is not present.

verify_repo()

Verify the repository as per the base class method.

Return type:

RepositoryVerificationResult

abstractmethod verify_by_tool()

Verify the repository using build tool specific methods.

Return type:

RepositoryVerificationResult

macaron.repo_verifier.repo_verifier_gradle module

This module contains code to verify whether a Gradle-based repository can be linked back to the artifact.

class macaron.repo_verifier.repo_verifier_gradle.RepoVerifierGradle(namespace, name, version, reported_repo_url, reported_repo_fs, provenance_repo_url)

Bases: RepoVerifierToolSpecific

A class to verify whether a repository with Gradle build tool links back to the artifact.

specific_tool = <macaron.slsa_analyzer.build_tool.gradle.Gradle object>

__init__(namespace, name, version, reported_repo_url, reported_repo_fs, provenance_repo_url)

Initialize a RepoVerifierGradle instance.

Parameters:
  • namespace (str) – The namespace of the artifact.

  • name (str) – The name of the artifact.

  • version (str) – The version of the artifact.

  • reported_repo_url (str) – The URL of the repository reported by the publisher.

  • reported_repo_fs (str) – The file system path of the reported repository.

  • provenance_repo_url (str | None) – The URL of the repository from a provenance file, or None if it, or the provenance, is not present.

verify_by_tool()

Verify whether the reported repository links back to the artifact.

Returns:

The result of the repository verification

Return type:

RepositoryVerificationResult

macaron.repo_verifier.repo_verifier_maven module

This module contains code to verify whether a reported Maven-based repository can be linked back to the artifact.

class macaron.repo_verifier.repo_verifier_maven.RepoVerifierMaven(namespace, name, version, reported_repo_url, reported_repo_fs, provenance_repo_url)

Bases: RepoVerifierToolSpecific

A class to verify whether a repository with Maven build tool links back to the artifact.

specific_tool = <macaron.slsa_analyzer.build_tool.maven.Maven object>

verify_by_tool()

Verify whether the reported repository links back to the Maven artifact.

Returns:

The result of the repository verification

Return type:

RepositoryVerificationResult

verify_domains_from_recognized_code_hosting_services()

Verify the repository link by comparing the Maven domain name (the reverse-domain namespace) with the account on a code hosting service.

This verification relies on the fact that Sonatype recognizes certain code hosting platforms for namespace verification on Maven Central.

Returns:

The result of the repository verification

Return type:

RepositoryVerificationResult
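An added, stand-alone illustration (not Macaron's own code) of the verification order documented for RepoVerifierToolSpecific and of the Maven namespace check behind verify_domains_from_recognized_code_hosting_services: the provenance URL is tried first, and only if it does not settle the question is the groupId's reverse-domain prefix matched against the account that owns the reported repository. The simplified Result type omits build_tool, and the prefix-to-host table and every reason string other than 'from_provenance' are assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlparse

class Status(str, Enum):
    PASSED = "passed"
    FAILED = "failed"
    UNKNOWN = "unknown"

@dataclass
class Result:
    status: Status
    reason: str

# Assumed, illustrative subset of the reverse-domain prefixes that Sonatype ties to
# an account on a recognized code hosting service (constructed for this example).
HOSTING_PREFIXES = {"io.github": "github.com", "io.gitlab": "gitlab.com"}

def _host_and_account(repo_url: str) -> tuple[str, str]:
    """Split 'https://github.com/Alice/proj.git' into ('github.com', 'alice')."""
    parsed = urlparse(repo_url)
    segments = [s for s in parsed.path.split("/") if s]
    return (parsed.hostname or "").lower(), (segments[0] if segments else "").lower()

def _normalize(repo_url: str) -> str:
    """Canonical host/path form so a '.git' suffix or trailing slash does not matter."""
    parsed = urlparse(repo_url)
    path = parsed.path.rstrip("/").removesuffix(".git")
    return f"{(parsed.hostname or '').lower()}{path.lower()}"

def verify_by_maven_namespace(namespace: str, reported_repo_url: str) -> Result:
    """Compare the Maven groupId with the account that owns the reported repository."""
    for prefix, host in HOSTING_PREFIXES.items():
        if namespace.startswith(prefix + "."):
            # 'io.github.alice.tools' -> the account 'alice' owns the whole namespace.
            expected_account = namespace[len(prefix) + 1:].split(".")[0].lower()
            if _host_and_account(reported_repo_url) == (host, expected_account):
                return Result(Status.PASSED, "hosting_account_matches_namespace")
            return Result(Status.FAILED, "hosting_account_mismatch")
    # A groupId such as 'com.example' is tied to DNS ownership, not to a hosting account.
    return Result(Status.UNKNOWN, "namespace_not_tied_to_hosting_service")

def verify_repo(namespace: str, reported_repo_url: str, provenance_repo_url: str | None) -> Result:
    """Provenance check first, as the base verifier does; otherwise the tool-specific check."""
    if provenance_repo_url is not None and _normalize(provenance_repo_url) == _normalize(reported_repo_url):
        return Result(Status.PASSED, "from_provenance")
    return verify_by_maven_namespace(namespace, reported_repo_url)
```

A namespace outside the recognized prefixes yields UNKNOWN rather than FAILED, because the absence of a hosting-account tie is not evidence against the repository.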