macaron.slsa_analyzer.provenance.witness package

Witness provenance (https://github.com/testifysec/witness).

class macaron.slsa_analyzer.provenance.witness.WitnessProvenanceData(asset: AssetLocator, payload: InTotoV01Payload | InTotoV1Payload)

Bases: NamedTuple

Data of a downloaded witness provenance.

asset: AssetLocator: The provenance asset.

payload: InTotoV01Payload | InTotoV1Payload: The provenance payload.

class macaron.slsa_analyzer.provenance.witness.WitnessVerifierConfig(predicate_types: set[str], artifact_extensions: set[str])

Bases: NamedTuple

Configuration for verifying witness provenances.

predicate_types: set[str]: A provenance payload is recognized by Macaron to be a witness provenance if its predicateType value is present within this set.

artifact_extensions: set[str]: A set of artifact extensions to verify. Artifacts having an extension outside this list are not verified.

macaron.slsa_analyzer.provenance.witness.load_witness_verifier_config()

Load configuration for verifying witness provenances.

Returns:: Configuration for verifying witness provenances.
Return type:: WitnessVerifierConfig

macaron.slsa_analyzer.provenance.witness.is_witness_provenance_payload(payload, predicate_types)

Check if the given provenance payload is a witness provenance payload.

Parameters:

payload (InTotoPayload) – The provenance payload.
predicate_types (set[str]) – The allowed values for the "predicateType" field of the provenance payload.

Returns:

True if the payload is a witness provenance payload, False otherwise.

Return type:

bool

macaron.slsa_analyzer.provenance.witness.extract_repo_url(witness_payload)

Extract the repo URL from the witness provenance payload.

Parameters:: witness_payload (InTotoPayload) – The witness provenance payload.
Returns:: The repo URL within the witness provenance payload, if the provenance payload can be processed and the repo URL is found.
Return type:: str | None

macaron.slsa_analyzer.provenance.witness.extract_build_artifacts_from_witness_subjects(witness_payload)

Extract subjects that are build artifacts from the "subject" field of the provenance.

Each artifact subject is assumed to have a sha256 digest. If a sha256 digest is not present for a subject, that subject is ignored.

Parameters:: witness_payload (InTotoPayload) – The witness provenance payload.
Returns:: A list subjects in the "subject" field of the provenance that are build artifacts.
Return type:: list[InTotoV01Subject]

Submodules

macaron.slsa_analyzer.provenance.witness.attestor module

Witness Attestors.

class macaron.slsa_analyzer.provenance.witness.attestor.RepoAttestor(*args, **kwargs)

Bases: Protocol

Interface for witness attestors that record repo URLs.

extract_repo_url(payload)

Extract the repo URL from a witness provenance payload.

Parameters:: payload (InTotoStatement) – The witness provenance payload.
Returns:: The repo URL, or None if it cannot be located in the provenance payload.
Return type:: str | None

__init__(*args, **kwargs)

class macaron.slsa_analyzer.provenance.witness.attestor.GitLabWitnessAttestor

Bases: object

Witness attestor for GitLab.

In the payload of a witness provenance, each subject corresponds to an attestor. Docs: https://github.com/testifysec/witness/blob/main/docs/attestors/gitlab.md

extract_repo_url(payload)

Extract the repo URL from a witness provenance payload.

Parameters:: payload (InTotoStatement) – The witness provenance payload.
Returns:: The repo URL, or None if it cannot be located in the provenance payload.
Return type:: str | None

extract_repo_url_intoto_v01(payload)

Extract the repo URL from a witness provenance payload following in-toto v0.1 schema.

Note: the current implementation inspects the predicate field of the payload to locate the repo URL. The schema of this field is currently undocumented by witness.

Parameters:: payload (InTotoV01Statement) – The in-toto v0.1 payload.
Returns:: The repo URL, or None if it cannot be located in the provenance payload.
Return type:: str | None