chore: rename repo_verification_check to scm_authenticity_check

Signed-off-by: Mohammad Abdollahpour <[email protected]>

docs/source/index.rst

@@ -89,9 +89,9 @@ the requirements that are currently supported by Macaron.
    * - ``mcn_provenance_derived_commit_1``
      - **Provenance derived commit** - Check if the analysis target's commit matches the commit in the provenance.
      - If there is no commit, this check will fail.
-   * - ``mcn_repo_verification_1``
-     - **Source version controlled** - Check if every change to the source is tracked in a version control system.
-     - If the claimed source repository provenance made by a package is not verified, this check will fail. If no claim of a source repository could be found or the build system is not supported, the result of the check will be "unknown".
+   * - ``mcn_scm_authenticity_check_1``
+     - **Source repo authenticity** - Check whether the claims of a source repository provenance made by a package can be corroborated.
+     - If the source code repository contains conflicting evidence regarding its claim of provenance, this check will fail. If no source repository or corroborating evidence is found, or if the build system is unsupported, the check will return UNKNOWN as the result. This check currently supports only Maven artifacts.
 
 ****************************************************************************************
 Macaron checks that report integrity issues but do not map to SLSA requirements directly

docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.checks.rst

@@ -121,10 +121,10 @@ macaron.slsa\_analyzer.checks.provenance\_witness\_l1\_check module
    :undoc-members:
    :show-inheritance:
 
-macaron.slsa\_analyzer.checks.repo\_verification\_check module
---------------------------------------------------------------
+macaron.slsa\_analyzer.checks.scm\_authenticity\_check module
+-------------------------------------------------------------
 
-.. automodule:: macaron.slsa_analyzer.checks.repo_verification_check
+.. automodule:: macaron.slsa_analyzer.checks.scm_authenticity_check
    :members:
    :undoc-members:
    :show-inheritance:

src/macaron/slsa_analyzer/checks/repo_verification_check.py → src/macaron/slsa_analyzer/checks/scm_authenticity_check.py

@@ -19,10 +19,10 @@
 logger: logging.Logger = logging.getLogger(__name__)
 
 
-class RepoVerificationFacts(CheckFacts):
-    """The ORM mapping for justifications in repo verification check."""
+class ScmAuthenticityFacts(CheckFacts):
+    """The ORM mapping for justifications in scm authenticity check."""
 
-    __tablename__ = "_repo_verification_check"
+    __tablename__ = "_scm_authenticity_check"
 
     #: The primary key.
     id: Mapped[int] = mapped_column(ForeignKey("_check_facts.id"), primary_key=True)  # noqa: A003
@@ -50,19 +50,19 @@ class RepoVerificationFacts(CheckFacts):
     build_tool: Mapped[str] = mapped_column(String, nullable=False, info={"justification": JustificationType.TEXT})
 
     __mapper_args__ = {
-        "polymorphic_identity": "_repo_verification_check",
+        "polymorphic_identity": __tablename__,
     }
 
 
-class RepoVerificationCheck(BaseCheck):
-    """Check whether the claims of a source repository provenance made by a package can be independently verified."""
+class ScmAuthenticityCheck(BaseCheck):
+    """Check whether the claims of a source repository provenance made by a package can be corroborated."""
 
     def __init__(self) -> None:
         """Initialize a check instance."""
-        check_id = "mcn_repo_verification_1"
+        check_id = "mcn_scm_authenticity_1"
         description = (
             "Check whether the claims of a source repository provenance"
-            " made by a package can be independently verified."
+            " made by a package can be corroborated."
             " At this moment, this check only supports Maven packages"
             " and returns UNKNOWN for others."
         )
@@ -106,7 +106,7 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
         result_tables: list[CheckFacts] = []
         for verification_result in ctx.dynamic_data.get("repo_verification", []):
             result_tables.append(
-                RepoVerificationFacts(
+                ScmAuthenticityFacts(
                     repo_link=repo_link,
                     reason=verification_result.reason,
                     status=verification_result.status.value,
@@ -126,4 +126,4 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
         return CheckResultData(result_tables=result_tables, result_type=result_type)
 
 
-registry.register(RepoVerificationCheck())
+registry.register(ScmAuthenticityCheck())

tests/integration/cases/repo_verification/config.ini → tests/integration/cases/scm_authenticity/config.ini

@@ -3,4 +3,4 @@
 
 [analysis.checks]
 exclude =
-include = mcn_repo_verification_1
+include = mcn_scm_authenticity_1

tests/integration/cases/repo_verification/policy_fail_1.dl → tests/integration/cases/scm_authenticity/policy_fail_1.dl

@@ -4,7 +4,7 @@
 #include "prelude.dl"
 
 Policy("test_policy", component_id, "") :-
-    check_failed(component_id, "mcn_repo_verification_1").
+    check_failed(component_id, "mcn_scm_authenticity_1").
 
 apply_policy_to("test_policy", component_id) :-
     is_component(component_id, "pkg:maven/com.alibaba.ververica/[email protected]").

tests/integration/cases/repo_verification/policy_pass_1.dl → tests/integration/cases/scm_authenticity/policy_pass_1.dl

@@ -4,7 +4,7 @@
 #include "prelude.dl"
 
 Policy("test_policy", component_id, "") :-
-    check_passed(component_id, "mcn_repo_verification_1").
+    check_passed(component_id, "mcn_scm_authenticity_1").
 
 apply_policy_to("test_policy", component_id) :-
     is_component(component_id, "pkg:maven/org.antlr/[email protected]").

tests/integration/cases/repo_verification/policy_pass_2.dl → tests/integration/cases/scm_authenticity/policy_pass_2.dl

@@ -4,7 +4,7 @@
 #include "prelude.dl"
 
 Policy("test_policy", component_id, "") :-
-    check_passed(component_id, "mcn_repo_verification_1").
+    check_passed(component_id, "mcn_scm_authenticity_1").
 
 apply_policy_to("test_policy", component_id) :-
     is_component(component_id, "pkg:maven/org.neo4j/[email protected]").

tests/integration/cases/repo_verification/test.yaml → tests/integration/cases/scm_authenticity/test.yaml

@@ -2,7 +2,7 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 description: |
-  Integration tests for mcn_repo_verification_1 check.
+  Integration tests for mcn_scm_authenticity_1 check.
 
 tags:
 - macaron-python-package

tests/slsa_analyzer/checks/test_repo_verification_check.py

@@ -8,7 +8,7 @@
 from macaron.repo_verifier.repo_verifier_base import RepositoryVerificationResult, RepositoryVerificationStatus
 from macaron.slsa_analyzer.build_tool.base_build_tool import BaseBuildTool
 from macaron.slsa_analyzer.checks.check_result import CheckResultType
-from macaron.slsa_analyzer.checks.repo_verification_check import RepoVerificationCheck
+from macaron.slsa_analyzer.checks.scm_authenticity_check import ScmAuthenticityCheck
 from macaron.slsa_analyzer.package_registry import PyPIRegistry
 from macaron.slsa_analyzer.package_registry.maven_central_registry import MavenCentralRegistry
 from macaron.slsa_analyzer.specs.package_registry_spec import PackageRegistryInfo
@@ -19,7 +19,7 @@
 
 def test_repo_verification_pass(maven_tool: BaseBuildTool, macaron_path: Path) -> None:
     """Test that the check passes when the repository is verified."""
-    check = RepoVerificationCheck()
+    check = ScmAuthenticityCheck()
 
     ctx = MockAnalyzeContext(macaron_path=macaron_path, output_dir="", purl="pkg:maven/test/test")
     maven_registry = MavenCentralRegistry()
@@ -37,7 +37,7 @@ def test_repo_verification_pass(maven_tool: BaseBuildTool, macaron_path: Path) -
 
 def test_repo_verification_fail(maven_tool: BaseBuildTool, macaron_path: Path) -> None:
     """Test that the check fails when the repository verification is failed."""
-    check = RepoVerificationCheck()
+    check = ScmAuthenticityCheck()
 
     ctx = MockAnalyzeContext(macaron_path=macaron_path, output_dir="", purl="pkg:maven/test/test")
     maven_registry = MavenCentralRegistry()
@@ -53,9 +53,9 @@ def test_repo_verification_fail(maven_tool: BaseBuildTool, macaron_path: Path) -
     assert check.run_check(ctx).result_type == CheckResultType.FAILED
 
 
-def test_repo_verification_unknown_for_unknown_repo_verification(maven_tool: BaseBuildTool, macaron_path: Path) -> None:
+def test_check_unknown_for_unknown_repo_verification(maven_tool: BaseBuildTool, macaron_path: Path) -> None:
     """Test that the check returns unknown when the repository verification is unknown."""
-    check = RepoVerificationCheck()
+    check = ScmAuthenticityCheck()
 
     ctx = MockAnalyzeContext(macaron_path=macaron_path, output_dir="", purl="pkg:maven/test/test")
     maven_registry = MavenCentralRegistry()
@@ -71,9 +71,9 @@ def test_repo_verification_unknown_for_unknown_repo_verification(maven_tool: Bas
     assert check.run_check(ctx).result_type == CheckResultType.UNKNOWN
 
 
-def test_repo_verification_unknown_for_unsupported_build_tools(pip_tool: BaseBuildTool, macaron_path: Path) -> None:
+def test_check_unknown_for_unsupported_build_tools(pip_tool: BaseBuildTool, macaron_path: Path) -> None:
     """Test that the check returns unknown for unsupported build tools."""
-    check = RepoVerificationCheck()
+    check = ScmAuthenticityCheck()
 
     ctx = MockAnalyzeContext(macaron_path=macaron_path, output_dir="", purl="pkg:pypi/test/test")
     pypi_registry = PyPIRegistry()