macaron.slsa_analyzer.checks package
Import Checks for running and importing from other packages.
Submodules
macaron.slsa_analyzer.checks.base_check module
This module contains the BaseCheck class to be inherited by other concrete Checks.
- class macaron.slsa_analyzer.checks.base_check.BaseCheck(check_id='', description='', depends_on=None, eval_reqs=None, result_on_skip=CheckResultType.SKIPPED)
Bases:
object
This abstract class is used to implement Checks in Macaron.
- __init__(check_id='', description='', depends_on=None, eval_reqs=None, result_on_skip=CheckResultType.SKIPPED)
Initialize instance.
- Parameters:
check_id (str) – The id of the check.
description (str) – The description of the check.
depends_on (list[tuple[str, CheckResultType]] | None) – The list of parent checks that this check depends on. Each member of the list is a tuple of the parent’s id and the status of that parent check.
eval_reqs (list[ReqName] | None) – The list of SLSA requirements that this check addresses.
result_on_skip (CheckResultType) – The status for this check when it’s skipped based on another check’s result.
- property depends_on: list[tuple[str, CheckResultType]]
Get the list of parent checks that this check depends on.
Each member of the list is a tuple of the parent’s id and the status of that parent check.
- property result_on_skip: CheckResultType
Get the status for this check when it’s skipped based on another check’s result.
- run(target, skipped_info=None)
Run the check and return the results.
- Parameters:
target (AnalyzeContext) – The object containing processed data for the target repo.
skipped_info (SkippedInfo | None) – Determine whether the check is skipped.
- Returns:
The result of the check.
- Return type:
- abstract run_check(ctx)
Implement the check in this method.
- Parameters:
ctx (AnalyzeContext) – The object containing processed data for the target repo.
- Returns:
The result of the check.
- Return type:
macaron.slsa_analyzer.checks.build_as_code_check module
This module contains the BuildAsCodeCheck class.
- class macaron.slsa_analyzer.checks.build_as_code_check.BuildAsCodeFacts(**kwargs)
Bases:
CheckFacts
The ORM mapping for justifications in build_as_code check.
-
language_url:
Mapped
[str
|None
] The URL that provides information about the language distributions and versions.
- __init__(**kwargs)
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- check_result_id: Mapped[int]
The foreign key to the check result.
- check_type: Mapped[str]
The column used as a mapper argument for distinguishing checks in polymorphic inheritance.
- checkresult: Mapped['MappedCheckResult']
A many-to-one relationship with check results.
- component: Mapped['Component']
A many-to-one relationship with software components.
- component_id: Mapped[int]
The foreign key to the software component.
- confidence: Mapped[float]
The confidence score to estimate the accuracy of the check fact. This value should be in the range [0.0, 1.0] with a lower value depicting a lower confidence. Because some analyses used in checks may use heuristics, the results can be inaccurate in certain cases. We use the confidence score to enable the check designer to assign a confidence estimate. This confidence is stored in the database to be used by the policy. This confidence score is also used to decide which evidence should be shown to the user in the HTML/JSON report.
-
language_url:
- class macaron.slsa_analyzer.checks.build_as_code_check.BuildAsCodeCheck
Bases:
BaseCheck
This class checks the build as code requirement.
See https://slsa.dev/spec/v0.1/requirements#build-as-code.
- __init__()
Initiate the BuildAsCodeCheck instance.
- run_check(ctx)
Implement the check in this method.
- Parameters:
ctx (AnalyzeContext) – The object containing processed data for the target repo.
- Returns:
The result of the check.
- Return type:
macaron.slsa_analyzer.checks.build_script_check module
This module contains the BuildScriptCheck class.
- class macaron.slsa_analyzer.checks.build_script_check.BuildScriptFacts(**kwargs)
Bases:
CheckFacts
The ORM mapping for justifications in build_script check.
-
language_url:
Mapped
[str
|None
] The URL that provides information about the language distribution and version.
- __init__(**kwargs)
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- check_result_id: Mapped[int]
The foreign key to the check result.
- check_type: Mapped[str]
The column used as a mapper argument for distinguishing checks in polymorphic inheritance.
- checkresult: Mapped['MappedCheckResult']
A many-to-one relationship with check results.
- component: Mapped['Component']
A many-to-one relationship with software components.
- component_id: Mapped[int]
The foreign key to the software component.
- confidence: Mapped[float]
The confidence score to estimate the accuracy of the check fact. This value should be in the range [0.0, 1.0] with a lower value depicting a lower confidence. Because some analyses used in checks may use heuristics, the results can be inaccurate in certain cases. We use the confidence score to enable the check designer to assign a confidence estimate. This confidence is stored in the database to be used by the policy. This confidence score is also used to decide which evidence should be shown to the user in the HTML/JSON report.
-
language_url:
- class macaron.slsa_analyzer.checks.build_script_check.BuildScriptCheck
Bases:
BaseCheck
This Check checks whether the target repo has a valid build script.
- __init__()
Initiate the BuildScriptCheck instance.
- run_check(ctx)
Implement the check in this method.
- Parameters:
ctx (AnalyzeContext) – The object containing processed data for the target repo.
- Returns:
The result of the check.
- Return type:
macaron.slsa_analyzer.checks.build_service_check module
This module contains the BuildServiceCheck class.
- class macaron.slsa_analyzer.checks.build_service_check.BuildServiceFacts(**kwargs)
Bases:
CheckFacts
The ORM mapping for justifications in build_service check.
-
language_url:
Mapped
[str
|None
] The URL that provides information about the language distribution and version.
- __init__(**kwargs)
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- check_result_id: Mapped[int]
The foreign key to the check result.
- check_type: Mapped[str]
The column used as a mapper argument for distinguishing checks in polymorphic inheritance.
- checkresult: Mapped['MappedCheckResult']
A many-to-one relationship with check results.
- component: Mapped['Component']
A many-to-one relationship with software components.
- component_id: Mapped[int]
The foreign key to the software component.
- confidence: Mapped[float]
The confidence score to estimate the accuracy of the check fact. This value should be in the range [0.0, 1.0] with a lower value depicting a lower confidence. Because some analyses used in checks may use heuristics, the results can be inaccurate in certain cases. We use the confidence score to enable the check designer to assign a confidence estimate. This confidence is stored in the database to be used by the policy. This confidence score is also used to decide which evidence should be shown to the user in the HTML/JSON report.
-
language_url:
- class macaron.slsa_analyzer.checks.build_service_check.BuildServiceCheck
Bases:
BaseCheck
This Check checks whether the target repo has a valid build service.
- __init__()
Initiate the BuildServiceCheck instance.
- run_check(ctx)
Implement the check in this method.
- Parameters:
ctx (AnalyzeContext) – The object containing processed data for the target repo.
- Returns:
The result of the check.
- Return type:
macaron.slsa_analyzer.checks.check_result module
This module contains the CheckResult class for storing the result of a check.
- class macaron.slsa_analyzer.checks.check_result.CheckResultType(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)
-
This class contains the types of a check result.
- PASSED = 'PASSED'
- FAILED = 'FAILED'
- SKIPPED = 'SKIPPED'
- DISABLED = 'DISABLED'
- UNKNOWN = 'UNKNOWN'
- class macaron.slsa_analyzer.checks.check_result.Evidence(name, found, weight)
Bases:
object
The class representing an evidence generated by a check.
- __init__(name, found, weight)
- class macaron.slsa_analyzer.checks.check_result.EvidenceWeightMap(evidence_list)
Bases:
object
This class creates a map object for collected evidence.
- __init__(evidence_list)
Initialize the class.
- add(evidence)
Add an evidence to the map.
- update_result(name, found)
Update the result if an evidence is found.
- get_max_score()
Get the maximum possible score in this map.
- Returns:
The maximum possible score or zero if the map is empty.
- Return type:
- class macaron.slsa_analyzer.checks.check_result.Confidence(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)
-
This class contains confidence score for a check result.
The scores must be in the range [0.0, 1.0].
- HIGH = 1.0
A high confidence score.
- MEDIUM = 0.7
A medium confidence score.
- LOW = 0.4
A low confidence score.
- classmethod normalize(evidence_weight_map)
Normalize the score based on the provided evidence weight map.
The values in the evidence weight map are expected to be positive. Expect invalid results if negative weights are passed to this function.
- Parameters:
evidence_weight_map (EvidenceWeightMap) – The map that contains the detected evidence and their corresponding weight.
- Return type:
- class macaron.slsa_analyzer.checks.check_result.JustificationType(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)
-
This class contains the type of a justification that will be used in creating the HTML report.
- TEXT = 'text'
If a justification has a text type, it will be added as a plain text.
- HREF = 'href'
If a justification has a href type, it will be added as a hyperlink.
- class macaron.slsa_analyzer.checks.check_result.CheckInfo(check_id, check_description, eval_reqs)
Bases:
object
This class identifies and describes a check.
- __init__(check_id, check_description, eval_reqs)
- class macaron.slsa_analyzer.checks.check_result.CheckResultData(result_tables, result_type)
Bases:
object
This class stores the result of a check.
-
result_tables:
list
[CheckFacts
] List of result tables produced by the check.
-
result_type:
CheckResultType
Result type of the check (e.g. PASSED).
- property justification_report: list[tuple[Confidence, list]]
Return a sorted list of justifications based on confidence scores in descending order.
These justifications are generated from the tables in the database. Note that the elements in the justification will be rendered differently based on their types:
a
JustificationType.TEXT
element is displayed in plain text in the HTML report.a
JustificationType.HREF
element is rendered as a hyperlink in the HTML report.
- Return type:
list[tuple[Confidence, list]]
- __init__(result_tables, result_type)
-
result_tables:
- class macaron.slsa_analyzer.checks.check_result.CheckResult(check, result)
Bases:
object
This class stores the result of a check, including the description of the check that produced it.
-
result:
CheckResultData
The results produced by the check.
- get_summary()
Get a flattened dictionary representation for this CheckResult, in a format suitable for the output report.
The SLSA requirements, in particular, are translated into a list of their textual descriptions, to be suitable for display to users in the output report (as opposed to the internal representation as a list of enum identifiers).
- Return type:
- __init__(check, result)
-
result:
- class macaron.slsa_analyzer.checks.check_result.SkippedInfo
Bases:
TypedDict
This class stores the information about a skipped check.
- macaron.slsa_analyzer.checks.check_result.get_result_as_bool(check_result_type)
Return the CheckResultType as bool.
This method returns True only if the result type is PASSED else it returns False.
- Parameters:
check_result_type (CheckResultType) – The check result type to return the bool value.
- Return type:
macaron.slsa_analyzer.checks.detect_malicious_metadata_check module
This check examines the metadata of pypi packages with seven heuristics.
- class macaron.slsa_analyzer.checks.detect_malicious_metadata_check.MaliciousMetadataFacts(**kwargs)
Bases:
CheckFacts
The ORM mapping for justifications in pypi heuristic check.
-
detail_information:
Mapped
[dict
[str
,int
|float
|str
|None
|bool
|list
[JsonType] |dict
[str
, JsonType]]] Detailed information about the analysis.
-
result:
Mapped
[dict
[Heuristics
,HeuristicResult
]] The result of analysis, which is of dict[Heuristics, HeuristicResult] type.
- __init__(**kwargs)
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- check_result_id: Mapped[int]
The foreign key to the check result.
- check_type: Mapped[str]
The column used as a mapper argument for distinguishing checks in polymorphic inheritance.
- checkresult: Mapped['MappedCheckResult']
A many-to-one relationship with check results.
- component: Mapped['Component']
A many-to-one relationship with software components.
- component_id: Mapped[int]
The foreign key to the software component.
- confidence: Mapped[float]
The confidence score to estimate the accuracy of the check fact. This value should be in the range [0.0, 1.0] with a lower value depicting a lower confidence. Because some analyses used in checks may use heuristics, the results can be inaccurate in certain cases. We use the confidence score to enable the check designer to assign a confidence estimate. This confidence is stored in the database to be used by the policy. This confidence score is also used to decide which evidence should be shown to the user in the HTML/JSON report.
-
detail_information:
- class macaron.slsa_analyzer.checks.detect_malicious_metadata_check.DetectMaliciousMetadataCheck
Bases:
BaseCheck
This check analyzes the metadata of a package for malicious behavior.
- __init__()
Initialize a check instance.
- run_heuristics(pypi_package_json)
Run the analysis heuristics.
- Parameters:
pypi_package_json (PyPIPackageJsonAsset) – The PyPI package JSON asset object.
- Returns:
Containing the analysis results and relevant metadata.
- Return type:
tuple[dict[Heuristics, HeuristicResult], dict[str, JsonType]]
- run_check(ctx)
Implement the check in this method.
- Parameters:
ctx (AnalyzeContext) – The object containing processed data for the target repo.
- Returns:
The result of the check.
- Return type:
macaron.slsa_analyzer.checks.infer_artifact_pipeline_check module
This module contains the InferArtifactPipelineCheck class to check if an artifact is published from a pipeline automatically.
- class macaron.slsa_analyzer.checks.infer_artifact_pipeline_check.InferArtifactPipelineFacts(**kwargs)
Bases:
CheckFacts
The ORM mapping for justifications of the infer_artifact_pipeline check.
- __init__(**kwargs)
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- check_result_id: Mapped[int]
The foreign key to the check result.
- check_type: Mapped[str]
The column used as a mapper argument for distinguishing checks in polymorphic inheritance.
- checkresult: Mapped['MappedCheckResult']
A many-to-one relationship with check results.
- component: Mapped['Component']
A many-to-one relationship with software components.
- component_id: Mapped[int]
The foreign key to the software component.
- confidence: Mapped[float]
The confidence score to estimate the accuracy of the check fact. This value should be in the range [0.0, 1.0] with a lower value depicting a lower confidence. Because some analyses used in checks may use heuristics, the results can be inaccurate in certain cases. We use the confidence score to enable the check designer to assign a confidence estimate. This confidence is stored in the database to be used by the policy. This confidence score is also used to decide which evidence should be shown to the user in the HTML/JSON report.
- class macaron.slsa_analyzer.checks.infer_artifact_pipeline_check.InferArtifactPipelineCheck
Bases:
BaseCheck
This check detects a potential pipeline from which an artifact is published.
When a verifiable provenance is found for an artifact, the result of this check can be discarded. Otherwise, we check whether a CI workflow run has automatically published the artifact.
We use several heuristics in this check:
The workflow run should have started before the artifact is published.
The workflow step that calls a deploy command should have run successfully.
The workflow step that calls a deploy command should have started before the artifact is published.
Note: due to a limitation, we cannot specify the provenance checks as parents of this check because a check cannot have more than one parent in the current design. It would be good to skip this with a success result if the relevant provenance checks pass in the future.
- __init__()
Initialize the InferArtifactPipeline instance.
- run_check(ctx)
Implement the check in this method.
- Parameters:
ctx (AnalyzeContext) – The object containing processed data for the target repo.
- Returns:
The result type of the check.
- Return type:
macaron.slsa_analyzer.checks.provenance_available_check module
This module contains the implementation of the Provenance Available check.
- exception macaron.slsa_analyzer.checks.provenance_available_check.ProvenanceAvailableException
Bases:
MacaronError
When there is an error while checking if a provenance is available.
- class macaron.slsa_analyzer.checks.provenance_available_check.ProvenanceAvailableFacts(**kwargs)
Bases:
CheckFacts
The ORM mapping for justifications in provenance_available check.
- __init__(**kwargs)
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- check_result_id: Mapped[int]
The foreign key to the check result.
- check_type: Mapped[str]
The column used as a mapper argument for distinguishing checks in polymorphic inheritance.
- checkresult: Mapped['MappedCheckResult']
A many-to-one relationship with check results.
- component: Mapped['Component']
A many-to-one relationship with software components.
- component_id: Mapped[int]
The foreign key to the software component.
- confidence: Mapped[float]
The confidence score to estimate the accuracy of the check fact. This value should be in the range [0.0, 1.0] with a lower value depicting a lower confidence. Because some analyses used in checks may use heuristics, the results can be inaccurate in certain cases. We use the confidence score to enable the check designer to assign a confidence estimate. This confidence is stored in the database to be used by the policy. This confidence score is also used to decide which evidence should be shown to the user in the HTML/JSON report.
- class macaron.slsa_analyzer.checks.provenance_available_check.ProvenanceAvailableCheck
Bases:
BaseCheck
This Check checks whether the target repo has in-toto provenance.
- __init__()
Initialize instance.
- run_check(ctx)
Implement the check in this method.
- Parameters:
ctx (AnalyzeContext) – The object containing processed data for the target repo.
- Returns:
The result of the check.
- Return type:
macaron.slsa_analyzer.checks.provenance_commit_check module
This module adds a check that determines whether the repository URL came from provenance.
- class macaron.slsa_analyzer.checks.provenance_commit_check.ProvenanceDerivedCommitFacts(**kwargs)
Bases:
CheckFacts
The ORM mapping for justifications in the commit from provenance check.
- __init__(**kwargs)
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- check_result_id: Mapped[int]
The foreign key to the check result.
- check_type: Mapped[str]
The column used as a mapper argument for distinguishing checks in polymorphic inheritance.
- checkresult: Mapped['MappedCheckResult']
A many-to-one relationship with check results.
- component: Mapped['Component']
A many-to-one relationship with software components.
- component_id: Mapped[int]
The foreign key to the software component.
- confidence: Mapped[float]
The confidence score to estimate the accuracy of the check fact. This value should be in the range [0.0, 1.0] with a lower value depicting a lower confidence. Because some analyses used in checks may use heuristics, the results can be inaccurate in certain cases. We use the confidence score to enable the check designer to assign a confidence estimate. This confidence is stored in the database to be used by the policy. This confidence score is also used to decide which evidence should be shown to the user in the HTML/JSON report.
- class macaron.slsa_analyzer.checks.provenance_commit_check.ProvenanceDerivedCommitCheck
Bases:
BaseCheck
This check tries to extract the repo from the provenance and compare it to what is in the context.
- __init__()
Initialize instance.
- run_check(ctx)
Implement the check in this method.
- Parameters:
ctx (AnalyzeContext) – The object containing processed data for the target repo.
- Returns:
The result of the check.
- Return type:
macaron.slsa_analyzer.checks.provenance_l3_check module
This module implements a check to verify a target repo has intoto provenance level 3.
- class macaron.slsa_analyzer.checks.provenance_l3_check.ProvenanceL3VerifiedFacts(**kwargs)
Bases:
CheckFacts
The ORM mapping for justifications in provenance_l3 check.
- __init__(**kwargs)
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- check_result_id: Mapped[int]
The foreign key to the check result.
- check_type: Mapped[str]
The column used as a mapper argument for distinguishing checks in polymorphic inheritance.
- checkresult: Mapped['MappedCheckResult']
A many-to-one relationship with check results.
- component: Mapped['Component']
A many-to-one relationship with software components.
- component_id: Mapped[int]
The foreign key to the software component.
- confidence: Mapped[float]
The confidence score to estimate the accuracy of the check fact. This value should be in the range [0.0, 1.0] with a lower value depicting a lower confidence. Because some analyses used in checks may use heuristics, the results can be inaccurate in certain cases. We use the confidence score to enable the check designer to assign a confidence estimate. This confidence is stored in the database to be used by the policy. This confidence score is also used to decide which evidence should be shown to the user in the HTML/JSON report.
- class macaron.slsa_analyzer.checks.provenance_l3_check.ProvenanceL3Check
Bases:
BaseCheck
This Check checks whether the target repo has SLSA provenance level 3.
- __init__()
Initialize instance.
- run_check(ctx)
Implement the check in this method.
- Parameters:
ctx (AnalyzeContext) – The object containing processed data for the target repo.
- Returns:
The result of the check.
- Return type:
macaron.slsa_analyzer.checks.provenance_l3_content_check module
This module checks if a SLSA provenance conforms to a given expectation.
- class macaron.slsa_analyzer.checks.provenance_l3_content_check.ProvenanceL3ContentCheck
Bases:
BaseCheck
This check compares a SLSA provenance with a given expectation and checks whether they match.
- __init__()
Initialize instance.
- run_check(ctx)
Implement the check in this method.
- Parameters:
ctx (AnalyzeContext) – The object containing processed data for the target repo.
- Returns:
The result of the check.
- Return type:
macaron.slsa_analyzer.checks.provenance_repo_check module
This module adds a check that determines whether the repository URL came from provenance.
- class macaron.slsa_analyzer.checks.provenance_repo_check.ProvenanceDerivedRepoFacts(**kwargs)
Bases:
CheckFacts
The ORM mapping for justifications in the repository from provenance check.
- __init__(**kwargs)
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- check_result_id: Mapped[int]
The foreign key to the check result.
- check_type: Mapped[str]
The column used as a mapper argument for distinguishing checks in polymorphic inheritance.
- checkresult: Mapped['MappedCheckResult']
A many-to-one relationship with check results.
- component: Mapped['Component']
A many-to-one relationship with software components.
- component_id: Mapped[int]
The foreign key to the software component.
- confidence: Mapped[float]
The confidence score to estimate the accuracy of the check fact. This value should be in the range [0.0, 1.0] with a lower value depicting a lower confidence. Because some analyses used in checks may use heuristics, the results can be inaccurate in certain cases. We use the confidence score to enable the check designer to assign a confidence estimate. This confidence is stored in the database to be used by the policy. This confidence score is also used to decide which evidence should be shown to the user in the HTML/JSON report.
- class macaron.slsa_analyzer.checks.provenance_repo_check.ProvenanceDerivedRepoCheck
Bases:
BaseCheck
This check tries to extract the repo from the provenance and compare it to what is in the context.
- __init__()
Initialize instance.
- run_check(ctx)
Implement the check in this method.
- Parameters:
ctx (AnalyzeContext) – The object containing processed data for the target repo.
- Returns:
The result of the check.
- Return type:
macaron.slsa_analyzer.checks.provenance_verified_check module
This module adds a Check that checks whether the provenance is verified.
- class macaron.slsa_analyzer.checks.provenance_verified_check.ProvenanceVerifiedFacts(**kwargs)
Bases:
CheckFacts
The ORM mapping for justifications in the provenance verified check.
- __init__(**kwargs)
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- check_result_id: Mapped[int]
The foreign key to the check result.
- check_type: Mapped[str]
The column used as a mapper argument for distinguishing checks in polymorphic inheritance.
- checkresult: Mapped['MappedCheckResult']
A many-to-one relationship with check results.
- component: Mapped['Component']
A many-to-one relationship with software components.
- component_id: Mapped[int]
The foreign key to the software component.
- confidence: Mapped[float]
The confidence score to estimate the accuracy of the check fact. This value should be in the range [0.0, 1.0] with a lower value depicting a lower confidence. Because some analyses used in checks may use heuristics, the results can be inaccurate in certain cases. We use the confidence score to enable the check designer to assign a confidence estimate. This confidence is stored in the database to be used by the policy. This confidence score is also used to decide which evidence should be shown to the user in the HTML/JSON report.
- class macaron.slsa_analyzer.checks.provenance_verified_check.ProvenanceVerifiedCheck
Bases:
BaseCheck
This Check checks whether the provenance is flagged as verified in the context.
- __init__()
Initialize instance.
- run_check(ctx)
Implement the check in this method.
- Parameters:
ctx (AnalyzeContext) – The object containing processed data for the target repo.
- Returns:
The result of the check.
- Return type:
macaron.slsa_analyzer.checks.provenance_witness_l1_check module
This check examines a witness provenance (https://github.com/testifysec/witness).
- exception macaron.slsa_analyzer.checks.provenance_witness_l1_check.WitnessProvenanceException
Bases:
MacaronError
When there is an error while processing a Witness provenance.
- class macaron.slsa_analyzer.checks.provenance_witness_l1_check.WitnessProvenanceAvailableFacts(**kwargs)
Bases:
CheckFacts
The ORM mapping for justifications in provenance l3 check.
- __init__(**kwargs)
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- check_result_id: Mapped[int]
The foreign key to the check result.
- check_type: Mapped[str]
The column used as a mapper argument for distinguishing checks in polymorphic inheritance.
- checkresult: Mapped['MappedCheckResult']
A many-to-one relationship with check results.
- component: Mapped['Component']
A many-to-one relationship with software components.
- component_id: Mapped[int]
The foreign key to the software component.
- confidence: Mapped[float]
The confidence score to estimate the accuracy of the check fact. This value should be in the range [0.0, 1.0] with a lower value depicting a lower confidence. Because some analyses used in checks may use heuristics, the results can be inaccurate in certain cases. We use the confidence score to enable the check designer to assign a confidence estimate. This confidence is stored in the database to be used by the policy. This confidence score is also used to decide which evidence should be shown to the user in the HTML/JSON report.
- macaron.slsa_analyzer.checks.provenance_witness_l1_check.verify_artifact_assets(artifact_assets, subjects)
Verify artifact assets against subjects in the witness provenance payload.
- Parameters:
artifact_assets (list[JFrogMavenAsset]) – List of artifact assets to verify.
subjects (list[InTotoV01Subject]) – List of subjects extracted from the in the witness provenance.
- Returns:
True if verification succeeds and False otherwise.
- Return type:
- Raises:
WitnessProvenanceException – If a subject is not a file attested by the Witness product attestor.
- class macaron.slsa_analyzer.checks.provenance_witness_l1_check.ProvenanceWitnessL1Check
Bases:
BaseCheck
This check examines a Witness provenance (https://github.com/testifysec/witness).
At the moment, we are only checking the actual digests of the artifacts against the digests in the provenance.
- __init__()
Initialize a check instance.
- run_check(ctx)
Implement the check in this method.
- Parameters:
ctx (AnalyzeContext) – The object containing processed data for the target repo.
- Returns:
The result of the check.
- Return type:
macaron.slsa_analyzer.checks.trusted_builder_l3_check module
This module contains the TrustedBuilderL3Check class.
- class macaron.slsa_analyzer.checks.trusted_builder_l3_check.TrustedBuilderFacts(**kwargs)
Bases:
CheckFacts
The ORM mapping for justifications in trusted_builder.
- __init__(**kwargs)
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- check_result_id: Mapped[int]
The foreign key to the check result.
- check_type: Mapped[str]
The column used as a mapper argument for distinguishing checks in polymorphic inheritance.
- checkresult: Mapped['MappedCheckResult']
A many-to-one relationship with check results.
- component: Mapped['Component']
A many-to-one relationship with software components.
- component_id: Mapped[int]
The foreign key to the software component.
- confidence: Mapped[float]
The confidence score to estimate the accuracy of the check fact. This value should be in the range [0.0, 1.0] with a lower value depicting a lower confidence. Because some analyses used in checks may use heuristics, the results can be inaccurate in certain cases. We use the confidence score to enable the check designer to assign a confidence estimate. This confidence is stored in the database to be used by the policy. This confidence score is also used to decide which evidence should be shown to the user in the HTML/JSON report.
- class macaron.slsa_analyzer.checks.trusted_builder_l3_check.TrustedBuilderL3Check
Bases:
BaseCheck
This Check checks whether the target repo uses level 3 builders.
- __init__()
Initialize instance.
- run_check(ctx)
Implement the check in this method.
- Parameters:
ctx (AnalyzeContext) – The object containing processed data for the target repo.
- Returns:
The result of the check.
- Return type:
macaron.slsa_analyzer.checks.vcs_check module
This module contains the implementation of the VCS check.
- class macaron.slsa_analyzer.checks.vcs_check.VCSFacts(**kwargs)
Bases:
CheckFacts
The ORM mapping for justifications in the vcs check.
- __init__(**kwargs)
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- check_result_id: Mapped[int]
The foreign key to the check result.
- check_type: Mapped[str]
The column used as a mapper argument for distinguishing checks in polymorphic inheritance.
- checkresult: Mapped['MappedCheckResult']
A many-to-one relationship with check results.
- component: Mapped['Component']
A many-to-one relationship with software components.
- component_id: Mapped[int]
The foreign key to the software component.
- confidence: Mapped[float]
The confidence score to estimate the accuracy of the check fact. This value should be in the range [0.0, 1.0] with a lower value depicting a lower confidence. Because some analyses used in checks may use heuristics, the results can be inaccurate in certain cases. We use the confidence score to enable the check designer to assign a confidence estimate. This confidence is stored in the database to be used by the policy. This confidence score is also used to decide which evidence should be shown to the user in the HTML/JSON report.
- class macaron.slsa_analyzer.checks.vcs_check.VCSCheck
Bases:
BaseCheck
This Check checks whether the target repo uses a version control system.
- __init__()
Initialize instance.
- run_check(ctx)
Implement the check in this method.
- Parameters:
ctx (AnalyzeContext) – The object containing processed data for the target repo.
- Returns:
The result of the check.
- Return type: