macaron.slsa_analyzer.specs package

Submodules

macaron.slsa_analyzer.specs.build_spec module

This module contains the BuildSpec class.

class macaron.slsa_analyzer.specs.build_spec.BuildInfo

Bases: TypedDict

This class contains the properties of a build process.

status: bool

Whether the build succeeded.

build_log: str

The log of the build.

class macaron.slsa_analyzer.specs.build_spec.BuildSpec

Bases: TypedDict

This class contains the specs for building a Java artifact.

tools: list[BaseBuildTool]

The build tools used for building this artifact.

purl_tools: list[BaseBuildTool]

The build tools that match the software component PackageURL type.

macaron.slsa_analyzer.specs.ci_spec module

This module contains the CIInfo class.

class macaron.slsa_analyzer.specs.ci_spec.CIInfo

Bases: TypedDict

This class contains the information gathered for a CI service.

service: BaseCIService

The CI service data.

callgraph: CallGraph

The call graph for this CI service.

provenance_assets: list[AssetLocator]

Release assets that carry provenances, e.g., the asset for attestation.intoto.jsonl.

For GitHub Actions, each asset is a member of the assets list in the payload of the corresponding GitHub release. See: https://docs.github.com/en/rest/releases/releases?apiVersion=2022-11-28#get-a-release-by-tag-name.

release: dict

The corresponding release. Schema: https://docs.github.com/en/rest/releases/releases?apiVersion=2022-11-28#get-a-release-by-tag-name

provenances: Sequence[DownloadedProvenanceData]

The downloaded provenance data.

macaron.slsa_analyzer.specs.inferred_provenance module

This module contains the inferred SLSA provenance spec.

class macaron.slsa_analyzer.specs.inferred_provenance.Provenance

Bases: object

This class implements the inferred SLSA provenance.

This inferred provenance implementation follows the SLSA v0.2 provenance schema. See https://slsa.dev/spec/v0.2/provenance

__init__()

Initialize instance.

macaron.slsa_analyzer.specs.package_registry_spec module

This module contains data related to one package registry that is matched against a repository.

class macaron.slsa_analyzer.specs.package_registry_spec.PackageRegistryInfo(build_tool, package_registry, provenances=<factory>, metadata=<factory>)

Bases: object

This class contains data for one package registry that is matched against a repository.

build_tool: BaseBuildTool

The build tool matched against the repository.

package_registry: PackageRegistry

The package registry matched against the repository. This is dependent on the build tool detected.

provenances: list[DownloadedProvenanceData]

The provenances matched against the current repo.

metadata: list[AssetLocator]

The metadata obtained from the registry.

__init__(build_tool, package_registry, provenances=<factory>, metadata=<factory>)