macaron.slsa_analyzer.build_tool package

The build_tool package contains the supported build tools for Macaron.

Submodules

macaron.slsa_analyzer.build_tool.base_build_tool module

This module contains the BaseBuildTool class to be inherited by other specific Build Tools.

class macaron.slsa_analyzer.build_tool.base_build_tool.BuildEcosystem(value)

Bases: str, Enum

The supported build ecosystems.

MAVEN = 'maven'
PYPI = 'pypi'
GOLONAG = 'golang'
NPM = 'npm'
DOCKER = 'docker'

class macaron.slsa_analyzer.build_tool.base_build_tool.BuildToolCommand

Bases: TypedDict

This class is an abstraction for build tool commands storing useful contextual data for analysis.

command: list[str]

The parsed build tool command. This command can be any bash command whose program name is the build tool.

language: str

The name of the language used to build the artifact.

language_versions: list[str] | None

The list of possible language version numbers.

language_distributions: list[str] | None

The list of possible language distributions.

language_url: str | None

The URL providing information about the language distributions and versions.

ci_path: str

The relative path to the root CI file that ultimately triggers the command.

step_node: Node | None

The CI step object that calls the command.

reachable_secrets: list[str]

The list of names of reachable variables that contain secrets.

events: list[str] | None

The names of the CI events that trigger the workflow running the build command.

macaron.slsa_analyzer.build_tool.base_build_tool.find_first_matching_file(directory, pattern)

Return the first file that matches the given glob pattern in the specified directory.

Parameters:
  • directory (Path) – Directory to search in.

  • pattern (str) – Glob pattern to match.

Returns:

The first matching file’s path, or None if no match is found.

Return type:

Path | None

macaron.slsa_analyzer.build_tool.base_build_tool.file_exists(path, file_name, filters=None, predicate=None, **predicate_kwargs)

Search recursively for the first matching file, optionally validating it with a predicate.

The search performs a breadth-first traversal (closest directories first) and skips directories whose names contain any of the provided filter keywords.

To disable filtering, pass an empty list or None to filters.

Parameters:
  • path (str) – Root directory to search.

  • file_name (str) – File name to search for, or a glob pattern (e.g., "Dockerfile.*").

  • filters (list[str] or None, optional) – Directory-name keywords to skip (case-insensitive). If None or empty, no directories are skipped.

  • predicate (callable or None, optional) – Optional callable used to validate a matched file. If provided, a file is accepted only if predicate(candidate_path, **predicate_kwargs) returns True.

  • predicate_kwargs (Any) – Keyword arguments forwarded to predicate.

Returns:

The path to the first matching (and predicate-accepted) file, or None if no match is found.

Return type:

Path | None
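The search semantics documented for file_exists (breadth-first, closest directories first, case-insensitive directory-name filters, an optional predicate receiving **predicate_kwargs) as an added, self-contained re-implementation; this is example code, not Macaron's own function, and the sample tree and the uses_base_image predicate are constructed for the demonstration.

```python
from __future__ import annotations

import fnmatch
import os
import tempfile
from collections import deque
from collections.abc import Callable
from pathlib import Path
from typing import Any


def file_exists(
    path: str,
    file_name: str,
    filters: list[str] | None = None,
    predicate: Callable[..., bool] | None = None,
    **predicate_kwargs: Any,
) -> Path | None:
    """Breadth-first search for the first file matching file_name (name or glob).

    Directories whose names contain any filter keyword (case-insensitive) are
    skipped; a candidate is accepted only if predicate(candidate, **kwargs) is
    true. Returns None when nothing matches.
    """
    keywords = [keyword.lower() for keyword in (filters or [])]
    queue: deque[Path] = deque([Path(path)])
    while queue:
        current = queue.popleft()
        try:
            with os.scandir(current) as it:
                entries = sorted(it, key=lambda entry: entry.name)
        except OSError:
            continue  # unreadable directory: skip it rather than abort the search
        subdirs: list[Path] = []
        for entry in entries:
            if entry.is_dir(follow_symlinks=False):
                if any(keyword in entry.name.lower() for keyword in keywords):
                    continue  # e.g. skip "test" or "node_modules" when configured
                subdirs.append(Path(entry.path))
            elif entry.is_file() and fnmatch.fnmatch(entry.name, file_name):
                candidate = Path(entry.path)
                if predicate is None or predicate(candidate, **predicate_kwargs):
                    return candidate
        queue.extend(subdirs)  # enqueued after this level's files: closest first
    return None


def uses_base_image(candidate: Path, base: str) -> bool:
    """Hypothetical predicate: accept a Dockerfile whose first FROM uses `base`."""
    for line in candidate.read_text().splitlines():
        if line.startswith("FROM "):
            return line.split()[1].startswith(base)
    return False


def build_sample_tree(root: Path) -> None:
    """Constructed repository layout: a CI fixture one level down, the real
    Dockerfile two levels down."""
    (root / "test").mkdir()
    (root / "test" / "Dockerfile.ci").write_text("FROM alpine:3.19\n")
    (root / "src" / "deep").mkdir(parents=True)
    (root / "src" / "deep" / "Dockerfile.app").write_text("FROM python:3.12\n")


def demo() -> dict[str, str | None]:
    """Run the four documented behaviours against the constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)

        def rel(found: Path | None) -> str | None:
            return found.relative_to(root).as_posix() if found else None

        return {
            # nearest match wins: the fixture in test/ is one level up from src/deep/
            "unfiltered": rel(file_exists(tmp, "Dockerfile.*")),
            # the filter keyword is matched case-insensitively against directory names
            "filtered": rel(file_exists(tmp, "Dockerfile.*", filters=["TEST"])),
            # the predicate rejects the alpine fixture and accepts the python image
            "predicate": rel(
                file_exists(tmp, "Dockerfile.*", predicate=uses_base_image, base="python")
            ),
            "missing": rel(file_exists(tmp, "Makefile")),
        }


if __name__ == "__main__":
    print(demo())
```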

class macaron.slsa_analyzer.build_tool.base_build_tool.RuntimeOptions(build_timeout=600)

Bases: object

The class for build tool runtime configurations read from defaults.ini.

Note that Macaron uses the options in this class to “run” a build tool.

build_timeout: float = 600

The timeout used for running the build tool commands.

__init__(build_timeout=600)

class macaron.slsa_analyzer.build_tool.base_build_tool.BaseBuildTool(name, language, purl_type)

Bases: ABC

This abstract class is used to implement Build Tools.

__init__(name, language, purl_type)

Initialize instance.

Parameters:
  • name (str) – The name of this build tool.

  • language (BuildLanguage) – The name of the language used by the programs built by the build tool.

  • purl_type (str) – The type field of a PackageURL.

abstractmethod is_detected(target)

Return the list of build tools and their information used in the target repo.

Parameters:

target (Component) – The target software component.

Returns:

Detected build tool configurations.

Return type:

list[BuildToolConfig]

resolve_component_detection_target(target)

Resolve repo path and optional coordinates from a detection target.

Parameters:

target (Component) – Target component.

Returns:

(repo_path, group_id, artifact_id) where group/artifact are resolved when the component PURL type matches this build tool.

Return type:

tuple[str | None, str | None, str | None]

abstractmethod load_defaults()

Load the default values from defaults.ini.

Return type:

None

match_purl_type(component_purl_type)

Determine if the given component PURL type matches this build tool’s PURL type.

Returns False if the component PURL type matches a supported build ecosystem but does not match the build tool’s purl_type. Otherwise, returns True to allow for repositories or other non-standard types.

Parameters:

component_purl_type (str) – The PURL type of the component to check.

Returns:

True if the type matches or is not restricted; False otherwise.

Return type:

bool

get_dep_analyzer()

Create a DependencyAnalyzer for the build tool.

Returns:

The DependencyAnalyzer object.

Return type:

DependencyAnalyzer

set_build_tool_configurations(build_tool_configs)

Set the build tool configurations for the instance.

Parameters:

build_tool_configs (list[BuildToolConfig]) – A list containing configuration tuples for each build tool.

Return type:

None

get_build_dirs(target)

Find directories in the repository that have their own build scripts.

This is especially important for applications that consist of multiple services.

Parameters:

target (Component) – The target software component.

Yields:

Path – The relative paths from the repo path that contain build scripts.

Return type:

Iterable[Path]

serialize_to_json(cmd)

Convert a list of values to a JSON-encoded string so that it is easily parsable by later consumers.

Parameters:

cmd (list[str]) – List of command-line arguments.

Returns:

The list of command-line arguments as a JSON-encoded string.

Return type:

str

is_build_command(cmd)

Determine if the command is a build tool command.

Parameters:

cmd (list[str]) – List of command-line arguments.

Returns:

True if the command is a build tool command.

Return type:

bool

match_cmd_args(cmd, tools, args)

Check if the build command matches any of the tools and the command-line arguments.

If the build command’s first element, which is the program name, matches any of the tool names and any of its arguments match any of the arguments in args, this function returns True.

Parameters:
  • cmd (list[str]) – The command-line arguments.

  • tools (list[str]) – The names of the tools that will be matched with the program name in the bash command.

  • args (list[str]) – The list of arguments that should match the bash command’s arguments.

Returns:

True if the provided command matches the tool and arguments.

Return type:

bool

infer_confidence_deploy_workflow(ci_path, provenance_workflow=None)

Infer the confidence level for the deploy CI workflow.

Parameters:
  • ci_path (str) – The path to the CI workflow.

  • provenance_workflow (str | None) – The relative path to the root CI file that is captured in a provenance or None if provenance is not found.

Returns:

The confidence level for the deploy command.

Return type:

Confidence

infer_confidence_deploy_command(cmd, provenance_workflow=None)

Infer the confidence level for the deploy command.

Parameters:
  • cmd (BuildToolCommand) – The build tool command object.

  • provenance_workflow (str | None) – The relative path to the root CI file that is captured in a provenance or None if provenance is not found.

Returns:

The confidence level for the deploy command.

Return type:

Confidence

is_deploy_command(cmd, excluded_configs=None, provenance_workflow=None)

Determine if the command is a deploy command.

A deploy command usually performs multiple tasks, such as compilation, packaging, and publishing the artifact. This function filters the build tool commands that are called from the configuration files provided as input.

Parameters:
  • cmd (BuildToolCommand) – The build tool command object.

  • excluded_configs (list[str] | None) – Build tool commands that are called from these configuration files are excluded.

  • provenance_workflow (str | None) – The relative path to the root CI file that is captured in a provenance or None if provenance is not found.

Returns:

Return True along with the inferred confidence level if the command is a deploy tool command.

Return type:

tuple[bool, Confidence]

is_package_command(cmd, excluded_configs=None)

Determine if the command is a packaging command.

A packaging command usually performs multiple tasks, such as compilation and creating the artifact. This function filters the build tool commands that are called from the configuration files provided as input.

Parameters:
  • cmd (BuildToolCommand) – The build tool command object.

  • excluded_configs (list[str] | None) – Build tool commands that are called from these configuration files are excluded.

Returns:

Return True along with the inferred confidence level if the command is a build tool command.

Return type:

tuple[bool, Confidence]
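How match_cmd_args, infer_confidence_deploy_workflow and is_deploy_command fit together, as an added illustration rather than Macaron's own implementation: the Confidence scale, the per-tool deploy verbs in DEPLOY_ARGS, the confidence policy (HIGH when the command's ci_path is the workflow captured in the provenance, MEDIUM without a provenance, LOW otherwise) and the sample commands are all assumptions made for this example.

```python
from __future__ import annotations

from enum import Enum
from typing import TypedDict


class Confidence(Enum):
    """Assumed three-level scale; Macaron's own Confidence type is not shown on this page."""

    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"


class BuildToolCommand(TypedDict):
    """Subset of the documented BuildToolCommand fields needed here."""

    command: list[str]
    language: str
    ci_path: str
    reachable_secrets: list[str]


# Assumed per-tool deploy verbs, for illustration only (program name -> arguments).
DEPLOY_ARGS: dict[str, list[str]] = {
    "mvn": ["deploy"],
    "twine": ["upload"],
    "npm": ["publish"],
    "poetry": ["publish"],
}


def match_cmd_args(cmd: list[str], tools: list[str], args: list[str]) -> bool:
    """True if the program name (cmd[0]) is one of `tools` and any later element is in `args`."""
    if not cmd:
        return False
    return cmd[0] in tools and any(arg in args for arg in cmd[1:])


def infer_confidence_deploy_workflow(ci_path: str, provenance_workflow: str | None = None) -> Confidence:
    """Assumed policy: HIGH when the command runs in the workflow named by the
    provenance, MEDIUM when no provenance is available, LOW when the provenance
    points at a different workflow."""
    if provenance_workflow is None:
        return Confidence.MEDIUM
    return Confidence.HIGH if ci_path == provenance_workflow else Confidence.LOW


def is_deploy_command(
    cmd: BuildToolCommand,
    excluded_configs: list[str] | None = None,
    provenance_workflow: str | None = None,
) -> tuple[bool, Confidence]:
    """Classify a command; commands called from excluded CI configs are never deploys."""
    if excluded_configs and cmd["ci_path"] in excluded_configs:
        return False, Confidence.LOW
    if not any(match_cmd_args(cmd["command"], [tool], args) for tool, args in DEPLOY_ARGS.items()):
        return False, Confidence.LOW
    return True, infer_confidence_deploy_workflow(cmd["ci_path"], provenance_workflow)


def demo() -> list[tuple[bool, str]]:
    """Classify four constructed commands against a provenance captured for release.yaml."""
    release = ".github/workflows/release.yaml"
    publish = ".github/workflows/publish.yaml"
    docs = ".github/workflows/docs.yaml"
    commands: list[BuildToolCommand] = [
        # deploy verb, same workflow as the provenance -> (True, high)
        {"command": ["mvn", "-B", "deploy"], "language": "java",
         "ci_path": release, "reachable_secrets": ["OSSRH_TOKEN"]},
        # build verb only -> (False, low)
        {"command": ["mvn", "-B", "verify"], "language": "java",
         "ci_path": release, "reachable_secrets": []},
        # deploy verb, but a workflow the provenance does not cover -> (True, low)
        {"command": ["twine", "upload", "dist/*"], "language": "python",
         "ci_path": publish, "reachable_secrets": ["PYPI_TOKEN"]},
        # deploy verb from an excluded config -> (False, low)
        {"command": ["npm", "publish"], "language": "javascript",
         "ci_path": docs, "reachable_secrets": []},
    ]
    return [
        (is_deploy, confidence.value)
        for is_deploy, confidence in (
            is_deploy_command(c, excluded_configs=[docs], provenance_workflow=release)
            for c in commands
        )
    ]


if __name__ == "__main__":
    for row in demo():
        print(row)
```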

macaron.slsa_analyzer.build_tool.conda module

This module contains the Conda class which inherits BaseBuildTool.

This module is used to work with repositories that use Conda for dependency management.

class macaron.slsa_analyzer.build_tool.conda.Conda

Bases: BaseBuildTool

This class contains the information of the conda build tool.

__init__()

Initialize instance.

load_defaults()

Load the default values from defaults.ini.

Return type:

None

is_detected(target)

Return the list of build tools and their information used in the target repo.

Parameters:

target (Component) – The target software component.

Returns:

See BuildToolConfig in base_build_tool.py for field definitions.

Return type:

list[BuildToolConfig]

get_dep_analyzer()

Create a DependencyAnalyzer for the build tool.

Returns:

The DependencyAnalyzer object.

Return type:

DependencyAnalyzer

is_deploy_command(cmd, excluded_configs=None, provenance_workflow=None)

Determine if the command is a deploy command.

A deploy command usually performs multiple tasks, such as compilation, packaging, and publishing the artifact. This function filters the build tool commands that are called from the configuration files provided as input.

Parameters:
  • cmd (BuildToolCommand) – The build tool command object.

  • excluded_configs (list[str] | None) – Build tool commands that are called from these configuration files are excluded.

  • provenance_workflow (str | None) – The relative path to the root CI file that is captured in a provenance or None if provenance is not found.

Returns:

Return True along with the inferred confidence level if the command is a deploy tool command.

Return type:

tuple[bool, Confidence]

is_package_command(cmd, excluded_configs=None)

Determine if the command is a packaging command.

A packaging command usually performs multiple tasks, such as compilation and creating the artifact. This function filters the build tool commands that are called from the configuration files provided as input.

Parameters:
  • cmd (BuildToolCommand) – The build tool command object.

  • excluded_configs (list[str] | None) – Build tool commands that are called from these configuration files are excluded.

Returns:

Return True along with the inferred confidence level if the command is a build tool command.

Return type:

tuple[bool, Confidence]

macaron.slsa_analyzer.build_tool.docker module

This module contains the Docker class which inherits BaseBuildTool.

This module is used to work with repositories that use Docker as a build tool.

class macaron.slsa_analyzer.build_tool.docker.Docker

Bases: BaseBuildTool

This class contains the information of Docker when used as a build tool.

__init__()

Initialize instance.

load_defaults()

Load the default values from defaults.ini.

Return type:

None

is_detected(target)

Return the list of build tools and their information used in the target repo.

Parameters:

target (Component) – The target software component.

Returns:

See BuildToolConfig in base_build_tool.py for field definitions.

Return type:

list[BuildToolConfig]

macaron.slsa_analyzer.build_tool.flit module

This module contains the Flit class which inherits BaseBuildTool.

This module is used to work with repositories that use Flit for dependency management.

class macaron.slsa_analyzer.build_tool.flit.Flit

Bases: BaseBuildTool

This class contains the information of the flit build tool.

__init__()

Initialize instance.

load_defaults()

Load the default values from defaults.ini.

Return type:

None

is_detected(target)

Return the list of build tools and their information used in the target repo.

Parameters:

target (Component) – The target software component.

Returns:

See BuildToolConfig in base_build_tool.py for field definitions.

Return type:

list[BuildToolConfig]

get_dep_analyzer()

Create a DependencyAnalyzer for the build tool.

Returns:

The DependencyAnalyzer object.

Return type:

DependencyAnalyzer

is_deploy_command(cmd, excluded_configs=None, provenance_workflow=None)

Determine if the command is a deploy command.

A deploy command usually performs multiple tasks, such as compilation, packaging, and publishing the artifact. This function filters the build tool commands that are called from the configuration files provided as input.

Parameters:
  • cmd (BuildToolCommand) – The build tool command object.

  • excluded_configs (list[str] | None) – Build tool commands that are called from these configuration files are excluded.

  • provenance_workflow (str | None) – The relative path to the root CI file that is captured in a provenance or None if provenance is not found.

Returns:

Return True along with the inferred confidence level if the command is a deploy tool command.

Return type:

tuple[bool, Confidence]

is_package_command(cmd, excluded_configs=None)

Determine if the command is a packaging command.

A packaging command usually performs multiple tasks, such as compilation and creating the artifact. This function filters the build tool commands that are called from the configuration files provided as input.

Parameters:
  • cmd (BuildToolCommand) – The build tool command object.

  • excluded_configs (list[str] | None) – Build tool commands that are called from these configuration files are excluded.

Returns:

Return True along with the inferred confidence level if the command is a build tool command.

Return type:

tuple[bool, Confidence]

macaron.slsa_analyzer.build_tool.go module

This module contains the Go class which inherits BaseBuildTool.

This module is used to work with repositories that use Go.

class macaron.slsa_analyzer.build_tool.go.Go

Bases: BaseBuildTool

This class contains the information of the Go build tool.

__init__()

Initialize instance.

Parameters:
  • name (str) – The name of this build tool.

  • language (BuildLanguage) – The name of the language used by the programs built by the build tool.

  • purl_type (str) – The type field of a PackageURL.

load_defaults()

Load the default values from defaults.ini.

Return type:

None

is_detected(target)

Return the list of build tools and their information used in the target repo.

Parameters:

target (Component) – The target software component.

Returns:

See BuildToolConfig in base_build_tool.py for field definitions.

Return type:

list[BuildToolConfig]

macaron.slsa_analyzer.build_tool.gradle module

This module contains the Gradle class which inherits BaseBuildTool.

This module is used to work with repositories that use the Gradle build tool.

class macaron.slsa_analyzer.build_tool.gradle.Gradle

Bases: BaseBuildTool

This class contains the information of the Gradle build tool.

__init__()

Initialize instance.

load_defaults()

Load the default values from defaults.ini.

Return type:

None

is_detected(target)

Return the list of build tools and their information used in the target repo.

Parameters:

target (Component) – The target software component.

Returns:

See BuildToolConfig in base_build_tool.py for field definitions.

Return type:

list[BuildToolConfig]

validate_gradle_file(config_path, group_id=None, artifact_id=None, **kwargs)

Validate a Gradle configuration path against expected G/A coordinates.

Parameters:
  • config_path (Path) – Path to a candidate Gradle configuration file.

  • group_id (str | None, optional) – Expected group id. If None, a fallback lookup is attempted from kwargs["group_id"].

  • artifact_id (str | None, optional) – Expected artifact id. If None, a fallback lookup is attempted from kwargs["artifact_id"].

  • kwargs (dict[str, str | None]) – Additional keyword arguments propagated by the caller.

Returns:

True when either validation inputs are missing (no-op validation) or when both expected values are present and match the extracted Gradle group/artifact from the project; otherwise False.

Return type:

bool

get_group_id(gradle_exec, project_path)

Get the group id of a Gradle project.

A Gradle project is a directory containing a build.gradle file. According to Gradle’s documentation, there is a one-to-one mapping between a “project” and a build.gradle file. See: https://docs.gradle.org/current/javadoc/org/gradle/api/Project.html.

Parameters:
  • gradle_exec (str) – The absolute path to the Gradle executable.

  • project_path (str) – The absolute path to the Gradle project.

Returns:

The group id of the project, if it exists.

Return type:

str | None

macaron.slsa_analyzer.build_tool.hatch module

This module contains the Hatch class which inherits BaseBuildTool.

This module is used to work with repositories that use Hatch for dependency management.

class macaron.slsa_analyzer.build_tool.hatch.Hatch

Bases: BaseBuildTool

This class contains the information of the hatch build tool.

__init__()

Initialize instance.

load_defaults()

Load the default values from defaults.ini.

Return type:

None

is_detected(target)

Return the list of build tools and their information used in the target repo.

Parameters:

target (Component) – The target software component.

Returns:

See BuildToolConfig in base_build_tool.py for field definitions.

Return type:

list[BuildToolConfig]

get_dep_analyzer()

Create a DependencyAnalyzer for the build tool.

Returns:

The DependencyAnalyzer object.

Return type:

DependencyAnalyzer

is_deploy_command(cmd, excluded_configs=None, provenance_workflow=None)

Determine if the command is a deploy command.

A deploy command usually performs multiple tasks, such as compilation, packaging, and publishing the artifact. This function filters the build tool commands that are called from the configuration files provided as input.

Parameters:
  • cmd (BuildToolCommand) – The build tool command object.

  • excluded_configs (list[str] | None) – Build tool commands that are called from these configuration files are excluded.

  • provenance_workflow (str | None) – The relative path to the root CI file that is captured in a provenance or None if provenance is not found.

Returns:

Return True along with the inferred confidence level if the command is a deploy tool command.

Return type:

tuple[bool, Confidence]

is_package_command(cmd, excluded_configs=None)

Determine if the command is a packaging command.

A packaging command usually performs multiple tasks, such as compilation and creating the artifact. This function filters the build tool commands that are called from the configuration files provided as input.

Parameters:
  • cmd (BuildToolCommand) – The build tool command object.

  • excluded_configs (list[str] | None) – Build tool commands that are called from these configuration files are excluded.

Returns:

Return True along with the inferred confidence level if the command is a build tool command.

Return type:

tuple[bool, Confidence]

macaron.slsa_analyzer.build_tool.language module

This module contains abstractions for build languages.

class macaron.slsa_analyzer.build_tool.language.BuildLanguage(value)

Bases: str, Enum

The supported build languages.

JAVA = 'java'
PYTHON = 'python'
GO = 'go'
JAVASCRIPT = 'javascript'
DOCKER = 'docker'

class macaron.slsa_analyzer.build_tool.language.Language(*args, **kwargs)

Bases: Protocol

Interface of a language.

property lang_name: str

Get the name of the language.

property lang_versions: list[str] | None

Get the possible versions of the language.

property lang_distributions: list[str] | None

Get the possible distributions of the language.

property lang_url: str | None

Get the URL that provides information about the language distributions and versions.

__init__(*args, **kwargs)

macaron.slsa_analyzer.build_tool.maven module

This module contains the Maven class which inherits BaseBuildTool.

This module is used to work with repositories that use the Maven build tool.

class macaron.slsa_analyzer.build_tool.maven.Maven

Bases: BaseBuildTool

This class contains the information of the Maven build tool.

__init__()

Initialize instance.

load_defaults()

Load the default values from defaults.ini.

Return type:

None

is_detected(target)

Return the list of build tools and their information used in the target repo.

Parameters:

target (Component) – The target software component.

Returns:

See BuildToolConfig in base_build_tool.py for field definitions.

Return type:

list[BuildToolConfig]

validate_pom_file(config_path, group_id=None, artifact_id=None)

Validate a pom.xml file against an expected Maven G/A.

This method is intended to be used as a lightweight filter when multiple candidate configuration files (e.g., pom.xml) are discovered. If both group_id and artifact_id are provided, the method extracts the (groupId, artifactId, version) from the POM at config_path and returns True only when the extracted group/artifact match the expected values. If either group_id or artifact_id is not provided, the method returns True (no-op validation).

Parameters:
  • config_path (Path) – Path to the candidate configuration file (typically a pom.xml).

  • group_id (str or None, optional) – Expected Maven groupId. If None, no match can be performed.

  • artifact_id (str or None, optional) – Expected Maven artifactId. If None, validation is skipped.

Returns:

is_valid – True if validation inputs are missing, or when both group_id and artifact_id are provided and the POM at config_path contains matching values; otherwise False.

Return type:

bool
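The validate_pom_file contract (no-op True when either coordinate is missing, otherwise True only when the POM's groupId/artifactId match the expected G/A) as an added example, not Macaron's own code; extract_coordinates, the parent-inheritance handling and the three constructed POMs are assumptions made here. It also covers the multi-module case, where a child POM inherits its groupId from <parent>.

```python
from __future__ import annotations

import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def extract_coordinates(config_path: Path) -> tuple[str | None, str | None, str | None]:
    """Return (groupId, artifactId, version) from a POM.

    groupId and version may be inherited from <parent>, the usual layout of a
    multi-module build. Parse failures yield (None, None, None). ElementTree
    does not resolve external entities; for repository content of unknown
    provenance a hardened parser such as defusedxml is the safer choice.
    """
    try:
        root = ET.parse(config_path).getroot()
    except (ET.ParseError, OSError):
        return None, None, None
    ns = POM_NS if root.tag.startswith(POM_NS) else ""  # POMs without xmlns exist too

    def text(element: ET.Element | None, tag: str) -> str | None:
        node = element.find(f"{ns}{tag}") if element is not None else None
        return node.text.strip() if node is not None and node.text else None

    parent = root.find(f"{ns}parent")
    group = text(root, "groupId") or text(parent, "groupId")
    artifact = text(root, "artifactId")
    version = text(root, "version") or text(parent, "version")
    return group, artifact, version


def validate_pom_file(config_path: Path, group_id: str | None = None, artifact_id: str | None = None) -> bool:
    """True when expected coordinates are missing (no-op) or when the POM matches both."""
    if group_id is None or artifact_id is None:
        return True
    group, artifact, _ = extract_coordinates(config_path)
    return group == group_id and artifact == artifact_id


# Constructed sample POMs: the real root project, a child module that inherits
# its groupId, a vendored test fixture with foreign coordinates, and a truncated file.
ROOT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.2.3</version>
</project>
"""
MODULE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>com.example</groupId>
    <artifactId>demo-app</artifactId>
    <version>1.2.3</version>
  </parent>
  <artifactId>demo-core</artifactId>
</project>
"""
FIXTURE_POM = """<project>
  <groupId>org.other</groupId>
  <artifactId>fixture</artifactId>
  <version>0.1</version>
</project>
"""
BROKEN_POM = "<project><groupId>com.example"


def demo() -> dict[str, bool]:
    """Filter candidate pom.xml files against the expected coordinates com.example:demo-app."""
    with tempfile.TemporaryDirectory() as tmp:
        paths: dict[str, Path] = {}
        for name, body in {"root": ROOT_POM, "module": MODULE_POM,
                           "fixture": FIXTURE_POM, "broken": BROKEN_POM}.items():
            pom = Path(tmp) / name / "pom.xml"
            pom.parent.mkdir()
            pom.write_text(body)
            paths[name] = pom
        return {
            "root_matches": validate_pom_file(paths["root"], "com.example", "demo-app"),
            "fixture_rejected": validate_pom_file(paths["fixture"], "com.example", "demo-app"),
            "module_inherits_group": validate_pom_file(paths["module"], "com.example", "demo-core"),
            "broken_rejected": validate_pom_file(paths["broken"], "com.example", "demo-app"),
            "noop_without_expected": validate_pom_file(paths["fixture"], None, "demo-app"),
        }


if __name__ == "__main__":
    print(demo())
```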

macaron.slsa_analyzer.build_tool.npm module

This module contains the NPM class which inherits BaseBuildTool.

This module is used to work with repositories that use npm/pnpm as their build tool.

class macaron.slsa_analyzer.build_tool.npm.NPM

Bases: BaseBuildTool

This class contains the information of the npm/pnpm build tool.

__init__()

Initialize instance.

Parameters:
  • name (str) – The name of this build tool.

  • language (BuildLanguage) – The name of the language used by the programs built by the build tool.

  • purl_type (str) – The type field of a PackageURL.

load_defaults()

Load the default values from defaults.ini.

Return type:

None

is_detected(target)

Return the list of build tools and their information used in the target repo.

Parameters:

target (Component) – The target software component.

Returns:

See BuildToolConfig in base_build_tool.py for field definitions.

Return type:

list[BuildToolConfig]

is_deploy_command(cmd, excluded_configs=None, provenance_workflow=None)

Determine if the command is a deploy command.

A deploy command usually performs multiple tasks, such as compilation, packaging, and publishing the artifact. This function filters the build tool commands that are called from the configuration files provided as input.

Parameters:
  • cmd (BuildToolCommand) – The build tool command object.

  • excluded_configs (list[str] | None) – Build tool commands that are called from these configuration files are excluded.

  • provenance_workflow (str | None) – The relative path to the root CI file that is captured in a provenance or None if provenance is not found.

Returns:

Return True along with the inferred confidence level if the command is a deploy tool command.

Return type:

tuple[bool, Confidence]

is_package_command(cmd, excluded_configs=None)

Determine if the command is a packaging command.

A packaging command usually performs multiple tasks, such as compilation and creating the artifact. This function filters the build tool commands that are called from the configuration files provided as input.

Parameters:
  • cmd (BuildToolCommand) – The build tool command object.

  • excluded_configs (list[str] | None) – Build tool commands that are called from these configuration files are excluded.

Returns:

Return True along with the inferred confidence level if the command is a build tool command.

Return type:

tuple[bool, Confidence]

macaron.slsa_analyzer.build_tool.pip module

This module contains the Pip class which inherits BaseBuildTool.

This module is used to work with repositories that use pip for dependency management.

class macaron.slsa_analyzer.build_tool.pip.Pip

Bases: BaseBuildTool

This class contains the information of the pip build tool.

__init__()

Initialize instance.

load_defaults()

Load the default values from defaults.ini.

Return type:

None

is_detected(target)

Return the list of build tools and their information used in the target repo.

Parameters:

target (Component) – The target software component.

Returns:

See BuildToolConfig in base_build_tool.py for field definitions.

Return type:

list[BuildToolConfig]

get_dep_analyzer()

Create a DependencyAnalyzer for the build tool.

Returns:

The DependencyAnalyzer object.

Return type:

DependencyAnalyzer

is_deploy_command(cmd, excluded_configs=None, provenance_workflow=None)

Determine if the command is a deploy command.

A deploy command usually performs multiple tasks, such as compilation, packaging, and publishing the artifact. This function filters the build tool commands that are called from the configuration files provided as input.

Parameters:
  • cmd (BuildToolCommand) – The build tool command object.

  • excluded_configs (list[str] | None) – Build tool commands that are called from these configuration files are excluded.

  • provenance_workflow (str | None) – The relative path to the root CI file that is captured in a provenance or None if provenance is not found.

Returns:

Return True along with the inferred confidence level if the command is a deploy tool command.

Return type:

tuple[bool, Confidence]

is_package_command(cmd, excluded_configs=None)

Determine if the command is a packaging command.

A packaging command usually performs multiple tasks, such as compilation and creating the artifact. This function filters the build tool commands that are called from the configuration files provided as input.

Parameters:
  • cmd (BuildToolCommand) – The build tool command object.

  • excluded_configs (list[str] | None) – Build tool commands that are called from these configuration files are excluded.

Returns:

Return True along with the inferred confidence level if the command is a build tool command.

Return type:

tuple[bool, Confidence]

macaron.slsa_analyzer.build_tool.poetry module

This module contains the Poetry class which inherits BaseBuildTool.

This module is used to work with repositories that use Poetry for dependency management.

class macaron.slsa_analyzer.build_tool.poetry.Poetry

Bases: BaseBuildTool

This class contains the information of the poetry build tool.

__init__()

Initialize instance.

load_defaults()

Load the default values from defaults.ini.

Return type:

None

is_detected(target)

Return the list of build tools and their information used in the target repo.

Parameters:

target (Component) – The target software component.

Returns:

See BuildToolConfig in base_build_tool.py for field definitions.

Return type:

list[BuildToolConfig]

get_dep_analyzer()

Create a DependencyAnalyzer for the build tool.

Returns:

The DependencyAnalyzer object.

Return type:

DependencyAnalyzer

is_deploy_command(cmd, excluded_configs=None, provenance_workflow=None)

Determine if the command is a deploy command.

A deploy command usually performs multiple tasks, such as compilation, packaging, and publishing the artifact. This function filters the build tool commands that are called from the configuration files provided as input.

Parameters:
  • cmd (BuildToolCommand) – The build tool command object.

  • excluded_configs (list[str] | None) – Build tool commands that are called from these configuration files are excluded.

  • provenance_workflow (str | None) – The relative path to the root CI file that is captured in a provenance or None if provenance is not found.

Returns:

Return True along with the inferred confidence level if the command is a deploy tool command.

Return type:

tuple[bool, Confidence]

is_package_command(cmd, excluded_configs=None)

Determine if the command is a packaging command.

A packaging command usually performs multiple tasks, such as compilation and creating the artifact. This function filters the build tool commands that are called from the configuration files provided as input.

Parameters:
  • cmd (BuildToolCommand) – The build tool command object.

  • excluded_configs (list[str] | None) – Build tool commands that are called from these configuration files are excluded.

Returns:

Return True along with the inferred confidence level if the command is a build tool command.

Return type:

tuple[bool, Confidence]

macaron.slsa_analyzer.build_tool.pyproject module

This module provides analysis functions for a pyproject.toml file.

macaron.slsa_analyzer.build_tool.pyproject.get_content(pyproject_path)

Return the pyproject.toml content.

Parameters:

pyproject_path (Path) – The file path to the pyproject.toml file.

Returns:

The [build-system] section as a dict, or None otherwise.

Return type:

dict[str, Any] | None

macaron.slsa_analyzer.build_tool.pyproject.contains_build_tool(tool_name, pyproject_path)

Check if a given build tool is present in the [tool] section of a pyproject.toml file.

Parameters:
  • tool_name (str) – The name of the build tool to search for (e.g., ‘poetry’, ‘flit’).

  • pyproject_path (Path) – The file path to the pyproject.toml file.

Returns:

True if the build tool is found in the [tool] section, False otherwise.

Return type:

bool

macaron.slsa_analyzer.build_tool.pyproject.build_system_contains_tool(tool_name, pyproject_path)

Check if the [build-system] section lists the specified tool in ‘build-backend’ or ‘requires’ in pyproject.toml.

Parameters:
  • tool_name (str) – The tool or backend name to search for (e.g., ‘setuptools’, ‘poetry.masonry.api’, ‘flit_core.buildapi’).

  • pyproject_path (Path) – The file path to the pyproject.toml file.

Returns:

True if the tool is found in either the ‘build-backend’ or ‘requires’ of the [build-system] section, False otherwise.

Return type:

bool

macaron.slsa_analyzer.build_tool.pyproject.get_build_system(pyproject_path)

Return the [build-system] section in pyproject.toml if it exists.

Parameters:

pyproject_path (Path) – The file path to the pyproject.toml file.

Returns:

The [build-system] section as a dict, or None otherwise.

Return type:

dict[str, str] | None
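The four pyproject.toml checks documented above (get_content, get_build_system, contains_build_tool, build_system_contains_tool) as added example code rather than Macaron's own implementation. Assumptions made here: parsing uses the standard-library tomllib (falling back to the tomli backport on older Pythons), get_content returns the whole parsed file, a build-backend matches when it equals the tool name or starts with it as a module prefix, and `requires` entries are compared by PEP 503-normalised distribution name; the sample pyproject.toml is constructed.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path
from typing import Any

try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:  # assumption: the tomli backport is installed on older Pythons
    import tomli as tomllib  # type: ignore[no-redef]


def get_content(pyproject_path: Path) -> dict[str, Any] | None:
    """Parse the whole pyproject.toml; None if the file is missing or not valid TOML."""
    try:
        with pyproject_path.open("rb") as handle:
            return tomllib.load(handle)
    except (OSError, tomllib.TOMLDecodeError):
        return None


def get_build_system(pyproject_path: Path) -> dict[str, Any] | None:
    """Return the [build-system] table, or None if the file or the table is absent."""
    content = get_content(pyproject_path)
    section = content.get("build-system") if content else None
    return section if isinstance(section, dict) else None


def contains_build_tool(tool_name: str, pyproject_path: Path) -> bool:
    """True if a [tool.<tool_name>] table exists."""
    content = get_content(pyproject_path)
    tool_table = content.get("tool") if content else None
    return isinstance(tool_table, dict) and tool_name in tool_table


def _dist_name(requirement: str) -> str:
    """Distribution name of a PEP 508 requirement ("poetry-core>=1.0" -> "poetry-core"),
    normalised per PEP 503 so poetry_core, Poetry.Core and poetry-core compare equal."""
    name = re.split(r"[\s\[\]<>=!~;@(]", requirement.strip(), maxsplit=1)[0]
    return re.sub(r"[-_.]+", "-", name).lower()


def build_system_contains_tool(tool_name: str, pyproject_path: Path) -> bool:
    """True if tool_name is the build-backend (or its module prefix) or a `requires` entry."""
    build_system = get_build_system(pyproject_path)
    if build_system is None:
        return False
    backend = build_system.get("build-backend", "")
    if isinstance(backend, str) and (backend == tool_name or backend.startswith(tool_name + ".")):
        return True
    requires = build_system.get("requires", [])
    wanted = _dist_name(tool_name)
    return any(_dist_name(req) == wanted for req in requires if isinstance(req, str))


# Constructed sample: a Poetry-managed project.
SAMPLE_PYPROJECT = """\
[build-system]
requires = ["poetry-core>=1.0.0"]
build-backend = "poetry.core.masonry.api"

[tool.poetry]
name = "demo"
version = "0.1.0"
"""


def demo() -> dict[str, Any]:
    """Exercise each check against the sample file and against a missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "pyproject.toml"
        path.write_text(SAMPLE_PYPROJECT)
        missing = Path(tmp) / "nope" / "pyproject.toml"
        return {
            "tool_poetry": contains_build_tool("poetry", path),
            "tool_flit": contains_build_tool("flit", path),
            "backend_exact": build_system_contains_tool("poetry.core.masonry.api", path),
            "backend_prefix": build_system_contains_tool("poetry", path),
            "requires_normalised": build_system_contains_tool("poetry_core", path),
            "setuptools": build_system_contains_tool("setuptools", path),
            "backend_value": (get_build_system(path) or {}).get("build-backend"),
            "missing_file": build_system_contains_tool("poetry", missing),
        }


if __name__ == "__main__":
    print(demo())
```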

macaron.slsa_analyzer.build_tool.yarn module

This module contains the Yarn class which inherits BaseBuildTool.

This module is used to work with repositories that use Yarn as their build tool.

class macaron.slsa_analyzer.build_tool.yarn.Yarn

Bases: BaseBuildTool

This class contains the information of the yarn build tool.

__init__()

Initialize instance.

Parameters:
  • name (str) – The name of this build tool.

  • language (BuildLanguage) – The name of the language used by the programs built by the build tool.

  • purl_type (str) – The type field of a PackageURL.

load_defaults()

Load the default values from defaults.ini.

Return type:

None

is_detected(target)

Return the list of build tools and their information used in the target repo.

Parameters:

target (Component) – The target software component.

Returns:

See BuildToolConfig in base_build_tool.py for field definitions.

Return type:

list[BuildToolConfig]

is_deploy_command(cmd, excluded_configs=None, provenance_workflow=None)

Determine if the command is a deploy command.

A deploy command usually performs multiple tasks, such as compilation, packaging, and publishing the artifact. This function filters the build tool commands that are called from the configuration files provided as input.

Parameters:
  • cmd (BuildToolCommand) – The build tool command object.

  • excluded_configs (list[str] | None) – Build tool commands that are called from these configuration files are excluded.

  • provenance_workflow (str | None) – The relative path to the root CI file that is captured in a provenance or None if provenance is not found.

Returns:

Return True along with the inferred confidence level if the command is a deploy tool command.

Return type:

tuple[bool, Confidence]

is_package_command(cmd, excluded_configs=None)

Determine if the command is a packaging command.

A packaging command usually performs multiple tasks, such as compilation and creating the artifact. This function filters the build tool commands that are called from the configuration files provided as input.

Parameters:
  • cmd (BuildToolCommand) – The build tool command object.

  • excluded_configs (list[str] | None) – Build tool commands that are called from these configuration files are excluded.

Returns:

Return True along with the inferred confidence level if the command is a build tool command.

Return type:

tuple[bool, Confidence]