macaron.slsa_analyzer.provenance.expectations.cue package

This module provides CUE expectation implementations.

A CUE expectation is constructed from an input file in CUE language provided to Macaron to check the content of a provenance.

To know more about the CUE language, see https://cuelang.org/

class macaron.slsa_analyzer.provenance.expectations.cue.CUEExpectation(*args, **kwargs)

Bases: Expectation

ORM class for an expectation.

id: Mapped[int]

The primary key, which is also a foreign key to the base check table.

classmethod make_expectation(expectation_path)

Construct a CUE expectation from a CUE file.

Note: we require the CUE expectation file to have a “target” field.

Parameters:

expectation_path (str) – The path to the expectation file.

Returns:

The instantiated expectation object.

Return type:

Self

__init__(*args, **kwargs)

Create a provenance expectation instance.

asset_url: Mapped[str]

The URL for the provenance asset that the expectation is verified against.

check_result_id: Mapped[int]

The foreign key to the check result.

check_type: Mapped[str]

The column used as a mapper argument for distinguishing checks in polymorphic inheritance.

checkresult: Mapped['MappedCheckResult']

A many-to-one relationship with check results.

component: Mapped['Component']

A many-to-one relationship with software components.

component_id: Mapped[int]

The foreign key to the software component.

confidence: Mapped[float]

The confidence score to estimate the accuracy of the check fact. This value should be in the range [0.0, 1.0] with a lower value depicting a lower confidence. Because some analyses used in checks may use heuristics, the results can be inaccurate in certain cases. We use the confidence score to enable the check designer to assign a confidence estimate. This confidence is stored in the database to be used by the policy. This confidence score is also used to decide which evidence should be shown to the user in the HTML/JSON report.

description: Mapped[str]

The description.

expectation_type: Mapped[str]

The kind of expectation, e.g., CUE.

path: Mapped[str]

The path to the expectation file.

sha: Mapped[str]

The sha256sum digest of the expectation.

target: Mapped[str]

The full repository name this expectation applies to.

text: Mapped[str]

The full text content of the expectation.

Submodules

macaron.slsa_analyzer.provenance.expectations.cue.cue_validator module

The cue module invokes the CUE schema validator.

macaron.slsa_analyzer.provenance.expectations.cue.cue_validator.get_target(expectation)

Get the analysis target of the expectation.

Parameters:

expectation (str | None) – The CUE expectation content.

Returns:

The analysis target identifier. Returns an empty string if no target is found.

Return type:

str

Raises:

CUERuntimeError, CUEExpectationError – If the expectation is invalid or the target cannot be obtained by invoking the shared library.

macaron.slsa_analyzer.provenance.expectations.cue.cue_validator.validate_expectation(expectation, prov)

Validate a JSON provenance document against a CUE expectation.

Parameters:
  • expectation (str | None) – The CUE expectation content.

  • prov (JsonType) – The provenance payload.

Returns:

True if the provenance payload satisfies the expectation, False otherwise.

Return type:

bool

Raises:

CUERuntimeError, CUEExpectationError – If the expectation is invalid or the validation cannot be performed by invoking the shared library.
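The kind of file make_expectation loads and validate_expectation checks a provenance against, as an added example that is not part of the Macaron project's documentation or code: the repository name, builder pattern, workflow path and tag pattern are all constructed assumptions, and the SLSA v0.2 field names are used because that is the layout the constraints are written for.

```cue
// Constructed example expectation for a SLSA v0.2 provenance; not from Macaron.
{
    // Required: make_expectation rejects a file without a "target" field.
    // get_target() returns this value so the expectation can be matched
    // to the repository being analyzed (constructed repository name).
    target: "github.com/example-org/example-project"

    // Pin the predicate version so the constraints below are evaluated
    // against the field layout they were written for.
    predicateType: "https://slsa.dev/provenance/v0.2"

    predicate: {
        // Only accept provenance whose builder is a tagged release of the
        // assumed trusted builder; an unpinned or unknown builder fails.
        builder: id: =~"^https://github.com/slsa-framework/slsa-github-generator/.+@refs/tags/v[0-9]+\\.[0-9]+\\.[0-9]+$"

        invocation: configSource: {
            // The build must originate from a semver release tag of the
            // target repository, not from an arbitrary branch or fork.
            uri: =~"^git\\+https://github.com/example-org/example-project@refs/tags/v[0-9]+\\.[0-9]+\\.[0-9]+$"

            // ... and from the expected release workflow (constructed path).
            entryPoint: ".github/workflows/release.yaml"
        }
    }
}
```

Fields not mentioned in the expectation are left unconstrained, so validate_expectation returns True for any provenance whose listed fields satisfy these constraints and False for one where, for example, configSource.uri points at a branch rather than a release tag. Note that a CUE field name starting with an underscore is a hidden field, so a top-level SLSA key such as `_type` must be written as a quoted field (`"_type": ...`) to be constrained.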