macaron.slsa_analyzer.provenance package

Submodules

macaron.slsa_analyzer.provenance.loader module

This module contains the loaders for SLSA provenances.

macaron.slsa_analyzer.provenance.loader.load_provenance_file(filepath)

Load a provenance file and obtain the payload.

Inside a provenance file is a DSSE envelope containing a base64-encoded provenance JSON payload. See: https://github.com/secure-systems-lab/dsse. If the file is gzipped, it will be transparently decompressed. If the file is a URL file (Windows .url file format, i.e. an ini file with a “URL” field inside an “InternetShortcut” section), it will be transparently downloaded.

Note: We have observed that GitHub provenances store the DSSE envelope using the dsseEnvelope property in the bundle. The bundle also includes Sigstore verification material, such as publicKey and x509CertificateChain. However, provenances generated by Witness and SLSA GitHub generator store the DSSE envelope content only. This function supports both types of provenances. See the Sigstore bundle schema, which is used in GitHub provenances: https://github.com/sigstore/protobuf-specs/blob/2bfc122984e8c30fc83f5892b2947af7d113b411/gen/jsonschema/schemas/Bundle.schema.json

Parameters:

filepath (str) – Path to the provenance file.

Returns:

The provenance JSON payload.

Return type:

dict[str, JsonType]

Raises:

LoadIntotoAttestationError – If there is an error loading the provenance JSON payload.
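As an added example that is not Macaron's own code: a loader implementing the behaviour described above (transparent gzip handling, a bare DSSE envelope versus a Sigstore bundle whose envelope sits under dsseEnvelope, base64 decoding of the in-toto payload) over constructed sample inputs. load_provenance_bytes and LoadError are hypothetical names; the sample statement and signature are made up and nothing is cryptographically verified here.

```python
import base64
import gzip
import json
from typing import Any

IN_TOTO_TYPE = "application/vnd.in-toto+json"

# Constructed sample statement (not a real provenance) wrapped in a DSSE envelope.
_STATEMENT = {"_type": "https://in-toto.io/Statement/v1",
              "subject": [{"name": "pkg.jar", "digest": {"sha256": "00" * 32}}],
              "predicateType": "https://slsa.dev/provenance/v1", "predicate": {}}
_ENVELOPE = {"payloadType": IN_TOTO_TYPE,
             "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
             "signatures": [{"keyid": "", "sig": "AAAA"}]}  # placeholder signature
# Bare envelope (Witness / SLSA GitHub generator) vs. Sigstore bundle (GitHub) layouts.
BARE_ENVELOPE_BYTES = json.dumps(_ENVELOPE).encode()
BUNDLE_BYTES = json.dumps({"mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.2",
                           "verificationMaterial": {"x509CertificateChain": {"certificates": []}},
                           "dsseEnvelope": _ENVELOPE}).encode()
GZIPPED_BUNDLE_BYTES = gzip.compress(BUNDLE_BYTES)


class LoadError(ValueError):
    """The bytes are not a DSSE envelope carrying an in-toto payload."""


def load_provenance_bytes(data: bytes) -> dict[str, Any]:
    """Return the decoded in-toto Statement from a bare DSSE envelope or a Sigstore bundle."""
    if data[:2] == b"\x1f\x8b":  # gzip magic bytes: decompress transparently
        data = gzip.decompress(data)
    try:
        doc = json.loads(data)
    except ValueError as err:  # covers JSONDecodeError and UnicodeDecodeError
        raise LoadError(f"not valid JSON: {err}") from err
    if not isinstance(doc, dict):
        raise LoadError("top-level JSON value is not an object")
    # A Sigstore bundle nests the envelope under "dsseEnvelope"; otherwise the
    # document itself is the envelope.
    envelope = doc.get("dsseEnvelope", doc)
    if not isinstance(envelope, dict) or envelope.get("payloadType") != IN_TOTO_TYPE:
        raise LoadError("missing DSSE envelope or unexpected payloadType")
    try:
        payload = json.loads(base64.b64decode(envelope["payload"], validate=True))
    except (KeyError, ValueError) as err:  # missing field, bad base64, or bad JSON
        raise LoadError(f"cannot decode DSSE payload: {err}") from err
    if not isinstance(payload, dict) or "_type" not in payload or "subject" not in payload:
        raise LoadError("payload is not an in-toto Statement")
    return payload  # signature verification is a separate step, as in load_provenance_payload
```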

macaron.slsa_analyzer.provenance.loader.load_provenance_payload(filepath)

Load, verify, and construct an in-toto payload.

Parameters:

filepath (str) – Absolute path to the provenance file.

Returns:

The in-toto payload.

Return type:

InTotoPayload

Raises:

LoadIntotoAttestationError – If there is an error while loading and verifying the provenance payload.

macaron.slsa_analyzer.provenance.provenance module

This module defines classes and interfaces related to provenances.

class macaron.slsa_analyzer.provenance.provenance.DownloadedProvenanceData(*args, **kwargs)

Bases: Protocol

Interface of a provenance that has been downloaded (e.g. from a CI service or a package registry).

property asset: AssetLocator

Get the asset.

property payload: InTotoV01Payload | InTotoV1Payload

Get the JSON payload of the provenance, in in-toto format.

The payload is a field within a DSSE envelope, having the type “Statement”.

For more details, see the following pages in in-toto spec:

In-toto attestation layers: https://github.com/in-toto/attestation/tree/main/spec
- v0.1: https://github.com/in-toto/attestation/tree/main/spec/v0.1.0#attestation-spec
- v1: https://github.com/in-toto/attestation/tree/main/spec/v1#specification-for-in-toto-attestation-layers

Envelope layer:
- v0.1: https://github.com/in-toto/attestation/tree/main/spec/v0.1.0#envelope
- v1: https://github.com/in-toto/attestation/blob/main/spec/v1/envelope.md

Statement layer:
- v0.1: https://github.com/in-toto/attestation/tree/main/spec/v0.1.0#statement
- v1: https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md

__init__(*args, **kwargs)