macaron.slsa_analyzer.provenance.intoto package

In-toto provenance schemas and validation.

class macaron.slsa_analyzer.provenance.intoto.InTotoV01Payload(statement: v01.InTotoV01Statement)

Bases: NamedTuple

The provenance payload following in-toto v0.1 schema.

The payload is the decoded `payload` field of a DSSE envelope. It is an in-toto Statement, i.e. a JSON object whose `_type` is https://in-toto.io/Statement/v0.1.

In-toto spec (v0.1):

  • In-toto attestation layers: https://github.com/in-toto/attestation/tree/main/spec/v0.1.0#attestation-spec

  • Envelope layer: https://github.com/in-toto/attestation/tree/main/spec/v0.1.0#envelope

  • Statement layer: https://github.com/in-toto/attestation/tree/main/spec/v0.1.0#statement

statement: InTotoV01Statement

Alias for field number 0

class macaron.slsa_analyzer.provenance.intoto.InTotoV1Payload(statement: v1.InTotoV1Statement)

Bases: NamedTuple

The provenance payload following in-toto v1 schema.

The payload is the decoded `payload` field of a DSSE envelope. It is an in-toto Statement, i.e. a JSON object whose `_type` is https://in-toto.io/Statement/v1.

In-toto spec (v1):

  • In-toto attestation layers: https://github.com/in-toto/attestation/tree/main/spec/v1#specification-for-in-toto-attestation-layers

  • Envelope layer: https://github.com/in-toto/attestation/blob/main/spec/v1/envelope.md

  • Statement layer: https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md

statement: InTotoV1Statement

Alias for field number 0

macaron.slsa_analyzer.provenance.intoto.validate_intoto_payload(payload)

Validate the schema of an in-toto provenance payload.

Parameters:

payload (dict[str, JsonType]) – The in-toto payload.

Returns:

The validated in-toto payload.

Return type:

InTotoPayload

Raises:

ValidateInTotoPayloadError – When there is an error validating the payload.
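A worked example, added here and not taken from Macaron's source, of what a validator with this signature has to check. It reimplements the page's names (`validate_intoto_payload`, the two payload NamedTuples, the exception classes of the errors module) as hypothetical stand-ins so that it runs stand-alone; the Statement-layer rules it enforces (`_type` URI, non-empty `subject`, string `predicateType`, v0.1 subjects needing `name` and a DigestSet, v1 subjects needing at least one of `uri`, `digest`, `content`, DigestSet values as lowercase hex) come from the in-toto spec linked above. `load_intoto_statement`, `_check_common`, `_check_digest_set`, the constructed `SAMPLE_*` data and the builder id in it are assumptions of this example.

```python
from __future__ import annotations

import base64
import json
from typing import Any, NamedTuple

# Statement-layer `_type` URIs fixed by the in-toto attestation spec, and the
# DSSE payloadType that marks an in-toto Statement.
STATEMENT_V01 = "https://in-toto.io/Statement/v0.1"
STATEMENT_V1 = "https://in-toto.io/Statement/v1"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
_LOWER_HEX = frozenset("0123456789abcdef")


# Hypothetical stand-ins mirroring the error hierarchy documented on this page.
class InTotoAttestationError(Exception): ...
class LoadIntotoAttestationError(InTotoAttestationError): ...
class ValidateInTotoPayloadError(InTotoAttestationError): ...
class UnsupportedInTotoVersionError(InTotoAttestationError): ...


class InTotoV01Payload(NamedTuple):
    statement: dict[str, Any]


class InTotoV1Payload(NamedTuple):
    statement: dict[str, Any]


def _check_digest_set(digest: Any, where: str) -> None:
    """A DigestSet is a non-empty map of algorithm name -> lowercase hex string."""
    if not isinstance(digest, dict) or not digest:
        raise ValidateInTotoPayloadError(f"{where}: digest must be a non-empty object")
    for alg, value in digest.items():
        if not isinstance(value, str) or not value or set(value) - _LOWER_HEX:
            raise ValidateInTotoPayloadError(f"{where}: digest[{alg!r}] is not lowercase hex")


def _check_common(payload: dict[str, Any]) -> list[Any]:
    """Fields shared by v0.1 and v1 Statements; returns the subject list."""
    subjects = payload.get("subject")
    if not isinstance(subjects, list) or not subjects:
        raise ValidateInTotoPayloadError("subject must be a non-empty list")
    if not isinstance(payload.get("predicateType"), str) or not payload["predicateType"]:
        raise ValidateInTotoPayloadError("predicateType must be a non-empty string")
    if "predicate" in payload and not isinstance(payload["predicate"], dict):
        raise ValidateInTotoPayloadError("predicate must be an object when present")
    return subjects


def validate_intoto_payload(payload: dict[str, Any]) -> InTotoV01Payload | InTotoV1Payload:
    """Dispatch on `_type`, check the Statement layer, wrap in the matching NamedTuple."""
    statement_type = payload.get("_type")
    if statement_type == STATEMENT_V01:
        for i, subject in enumerate(_check_common(payload)):
            # v0.1 subjects need both a `name` and a DigestSet.
            if not isinstance(subject, dict) or not isinstance(subject.get("name"), str):
                raise ValidateInTotoPayloadError(f"subject[{i}]: name must be a string")
            _check_digest_set(subject.get("digest"), f"subject[{i}]")
        return InTotoV01Payload(statement=payload)
    if statement_type == STATEMENT_V1:
        for i, subject in enumerate(_check_common(payload)):
            # v1 subjects are ResourceDescriptors: at least one of uri, digest, content.
            if not isinstance(subject, dict):
                raise ValidateInTotoPayloadError(f"subject[{i}]: must be an object")
            if not any(key in subject for key in ("uri", "digest", "content")):
                raise ValidateInTotoPayloadError(f"subject[{i}]: needs uri, digest or content")
            if "digest" in subject:
                _check_digest_set(subject["digest"], f"subject[{i}]")
        return InTotoV1Payload(statement=payload)
    raise UnsupportedInTotoVersionError(f"unsupported Statement _type: {statement_type!r}")


def load_intoto_statement(envelope: dict[str, Any]) -> InTotoV01Payload | InTotoV1Payload:
    """Decode a DSSE envelope's base64 `payload` and validate it.

    Signature verification is out of scope on purpose: a well-formed Statement
    says nothing about who signed it, so verify the DSSE signature before trusting it.
    """
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise LoadIntotoAttestationError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    try:  # binascii.Error from strict base64 decoding is a ValueError subclass
        decoded = json.loads(base64.b64decode(envelope["payload"], validate=True))
    except (KeyError, TypeError, ValueError) as err:
        raise LoadIntotoAttestationError(f"cannot decode payload: {err}") from err
    if not isinstance(decoded, dict):
        raise LoadIntotoAttestationError("payload is not a JSON object")
    return validate_intoto_payload(decoded)


# Constructed sample (not real provenance): a v0.1 Statement carrying a SLSA
# provenance predicate, wrapped in a DSSE envelope with a placeholder signature.
SAMPLE_V01_STATEMENT: dict[str, Any] = {
    "_type": STATEMENT_V01,
    "subject": [{"name": "app-1.0.0.jar", "digest": {"sha256": "ab" * 32}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {"builder": {"id": "https://example.invalid/builder"}},
}
SAMPLE_ENVELOPE: dict[str, Any] = {
    "payloadType": INTOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(SAMPLE_V01_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "cGxhY2Vob2xkZXI="}],
}
```

The example stops at schema validation, which is all this function is documented to do: an attacker who can hand you an arbitrary envelope can always produce a schema-valid Statement, so the caller must verify the DSSE signature against a trusted key and then check the `predicateType` and the subject digests before acting on anything in `.statement`.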

class macaron.slsa_analyzer.provenance.intoto.ProvenanceSubjectPURLMatcher(*args, **kwargs)

Bases: Protocol

Interface for a matcher that matches a PURL to a subject in the provenance.

static get_subject_in_provenance_matching_purl(provenance_payload, purl)

Obtain the subject in the provenance payload matching the given PackageURL.

This function assumes there is only one such subject. If there are several, the first matching subject is returned; this should not happen in practice, since the PackageURL should be specific enough to identify a single subject.

Parameters:
  • provenance_payload (InTotoPayload) – The provenance payload.

  • purl (PackageURL) – The PackageURL identifying the matching subject.

Returns:

The subject in the provenance matching the given PURL.

Return type:

InTotoV01Subject | InTotoV1ResourceDescriptor | None

__init__(*args, **kwargs)
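An added example of a concrete matcher with the shape of this protocol, plus the check a verifier wants right after it. It is not Macaron's matcher: `NameOrUriMatcher`, `verify_artifact_against_subject`, `find_and_verify`, `_BINDING_ALGORITHMS` and the constructed `SAMPLE_*` statements and artifact bytes are assumptions of this example, and the PURL is taken as a plain string compared exactly (the page's signature takes a `PackageURL` object, which would canonicalise it) so the block has no third-party dependency. The matching rule assumed is that the producer wrote the canonical PURL into the subject's `name` (v0.1 and v1) or `uri` (v1 only).

```python
from __future__ import annotations

import hashlib
from typing import Any, NamedTuple, Protocol, runtime_checkable


class InTotoV01Payload(NamedTuple):
    statement: dict[str, Any]


class InTotoV1Payload(NamedTuple):
    statement: dict[str, Any]


@runtime_checkable
class ProvenanceSubjectPURLMatcher(Protocol):
    """Shape of the interface documented on this page (PURL given as a string here)."""

    @staticmethod
    def get_subject_in_provenance_matching_purl(
        provenance_payload: InTotoV01Payload | InTotoV1Payload, purl: str
    ) -> dict[str, Any] | None: ...


class NameOrUriMatcher:
    """Illustrative matcher: a subject matches when its `name` (v0.1 and v1) or its
    `uri` (v1 only) equals the PURL exactly. First hit wins, as the page describes."""

    @staticmethod
    def get_subject_in_provenance_matching_purl(
        provenance_payload: InTotoV01Payload | InTotoV1Payload, purl: str
    ) -> dict[str, Any] | None:
        keys = ("name",) if isinstance(provenance_payload, InTotoV01Payload) else ("name", "uri")
        for subject in provenance_payload.statement.get("subject", []):
            if any(subject.get(key) == purl for key in keys):
                return subject
        return None


# Digest algorithms this example trusts for binding a subject to bytes.
# md5 and sha1 are deliberately absent: a collision-prone digest binds nothing.
_BINDING_ALGORITHMS = frozenset({"sha256", "sha384", "sha512", "sha3_256", "sha3_512"})


def verify_artifact_against_subject(subject: dict[str, Any], artifact: bytes) -> bool:
    """Bind a matched subject to the bytes actually in hand.

    A name or PURL match only says what the attestation claims to describe.
    Policy here: every trusted algorithm listed must match and at least one must
    be present; algorithms not trusted or not computable (e.g. gitCommit) are skipped.
    """
    checked = 0
    for alg, expected in (subject.get("digest") or {}).items():
        if alg not in _BINDING_ALGORITHMS:
            continue
        if hashlib.new(alg, artifact).hexdigest() != str(expected).lower():
            return False
        checked += 1
    return checked > 0


def find_and_verify(payload: InTotoV01Payload | InTotoV1Payload, purl: str, artifact: bytes) -> bool:
    """The two-step check a consumer actually wants: locate the subject, then bind it."""
    subject = NameOrUriMatcher.get_subject_in_provenance_matching_purl(payload, purl)
    return subject is not None and verify_artifact_against_subject(subject, artifact)


# Constructed sample inputs (not real provenance or artifacts).
JAR_PURL = "pkg:maven/com.example/app@1.0.0"
JAR_BYTES = b"constructed jar bytes"
POM_BYTES = b"<project>constructed pom</project>"
SAMPLE_V1 = InTotoV1Payload(statement={
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [
        # The pom carries a qualifier, so an exact PURL comparison skips it.
        {"name": "app-1.0.0.pom", "uri": JAR_PURL + "?type=pom",
         "digest": {"sha256": hashlib.sha256(POM_BYTES).hexdigest()}},
        {"name": "app-1.0.0.jar", "uri": JAR_PURL,
         "digest": {"sha256": hashlib.sha256(JAR_BYTES).hexdigest(), "gitCommit": "0" * 40}},
    ],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {},
})
SAMPLE_V01 = InTotoV01Payload(statement={
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": JAR_PURL, "digest": {"sha256": hashlib.sha256(JAR_BYTES).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {},
})
```

Two caveats the protocol itself does not cover: a matcher that compares raw strings misses equivalent PURLs that differ only in encoding or qualifier order, which is why the real interface takes a parsed `PackageURL`; and a `None` result should be treated as "no provenance for this package", never as a reason to fall back to a looser match.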

Submodules

macaron.slsa_analyzer.provenance.intoto.errors module

Error types related to in-toto attestations.

exception macaron.slsa_analyzer.provenance.intoto.errors.InTotoAttestationError

Bases: MacaronError

The base error type for all in-toto related errors.

exception macaron.slsa_analyzer.provenance.intoto.errors.ValidateInTotoPayloadError

Bases: InTotoAttestationError

Happens when there is an issue validating an in-toto payload, usually against a schema.

exception macaron.slsa_analyzer.provenance.intoto.errors.UnsupportedInTotoVersionError

Bases: InTotoAttestationError

Happens when encountering a provenance under an unsupported in-toto version.

exception macaron.slsa_analyzer.provenance.intoto.errors.LoadIntotoAttestationError

Bases: InTotoAttestationError

Happens when there is an issue decoding and loading the payload of an in-toto provenance.