diff --git a/docs/source/index.rst b/docs/source/index.rst
index 0182cf670..0bf51502b 100644
--- a/docs/source/index.rst
+++ b/docs/source/index.rst
@@ -89,9 +89,9 @@ the requirements that are currently supported by Macaron.
 * - ``mcn_provenance_derived_commit_1``
 - **Provenance derived commit** - Check if the analysis target's commit matches the commit in the provenance.
 - If there is no commit, this check will fail.
- * - ``mcn_repo_verification_1``
- - **Source version controlled** - Check if every change to the source is tracked in a version control system.
- - If the claimed source repository provenance made by a package is not verified, this check will fail. If no claim of a source repository could be found or the build system is not supported, the result of the check will be "unknown".
+ * - ``mcn_scm_authenticity_check_1``
+ - **Source repo authenticity** - Check whether the claims of a source repository provenance made by a package can be corroborated.
+ - If the source code repository contains conflicting evidence regarding its claim of provenance, this check will fail. If no source repository or corroborating evidence is found, or if the build system is unsupported, the check will return UNKNOWN as the result. This check currently supports only Maven artifacts.
 ****************************************************************************************
 Macaron checks that report integrity issues but do not map to SLSA requirements directly
diff --git a/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.checks.rst b/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.checks.rst
index 0c2966bfd..8592e1d5f 100644
--- a/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.checks.rst
+++ b/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.checks.rst
@@ -121,10 +121,10 @@ macaron.slsa\_analyzer.checks.provenance\_witness\_l1\_check module :undoc-members: :show-inheritance: -macaron.slsa\_analyzer.checks.repo\_verification\_check module -------------------------------------------------------------- +macaron.slsa\_analyzer.checks.scm\_authenticity\_check module ------------------------------------------------------------- -.. automodule:: macaron.slsa_analyzer.checks.repo_verification_check +.. automodule:: macaron.slsa_analyzer.checks.scm_authenticity_check :members: :undoc-members: :show-inheritance:
diff --git a/src/macaron/slsa_analyzer/checks/repo_verification_check.py b/src/macaron/slsa_analyzer/checks/scm_authenticity_check.py
similarity index 90%
rename from src/macaron/slsa_analyzer/checks/repo_verification_check.py
rename to src/macaron/slsa_analyzer/checks/scm_authenticity_check.py
index a7463bc6e..b53ed851f 100644
--- a/src/macaron/slsa_analyzer/checks/repo_verification_check.py
+++ b/src/macaron/slsa_analyzer/checks/scm_authenticity_check.py
@@ -19,10 +19,10 @@ logger: logging.Logger = logging.getLogger(__name__)
-class RepoVerificationFacts(CheckFacts):
-    """The ORM mapping for justifications in repo verification check."""
+class ScmAuthenticityFacts(CheckFacts):
+    """The ORM mapping for justifications in scm authenticity check."""
-    __tablename__ = "_repo_verification_check"
+    __tablename__ = "_scm_authenticity_check"
     #: The primary key.
     id: Mapped[int] = mapped_column(ForeignKey("_check_facts.id"), primary_key=True) # noqa: A003
@@ -50,19 +50,19 @@ class RepoVerificationFacts(CheckFacts):
     build_tool: Mapped[str] = mapped_column(String, nullable=False, info={"justification": JustificationType.TEXT})
     __mapper_args__ = {
-        "polymorphic_identity": "_repo_verification_check",
+        "polymorphic_identity": __tablename__,
     }
-class RepoVerificationCheck(BaseCheck):
-    """Check whether the claims of a source repository provenance made by a package can be independently verified."""
+class ScmAuthenticityCheck(BaseCheck):
+    """Check whether the claims of a source repository provenance made by a package can be corroborated."""
     def __init__(self) -> None:
         """Initialize a check instance."""
-        check_id = "mcn_repo_verification_1"
+        check_id = "mcn_scm_authenticity_1"
         description = (
             "Check whether the claims of a source repository provenance"
-            " made by a package can be independently verified."
+            " made by a package can be corroborated."
             " At this moment, this check only supports Maven packages"
             " and returns UNKNOWN for others."
         )
@@ -106,7 +106,7 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
         result_tables: list[CheckFacts] = []
         for verification_result in ctx.dynamic_data.get("repo_verification", []):
             result_tables.append(
-                RepoVerificationFacts(
+                ScmAuthenticityFacts(
                     repo_link=repo_link,
                     reason=verification_result.reason,
                     status=verification_result.status.value,
@@ -126,4 +126,4 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
         return CheckResultData(result_tables=result_tables, result_type=result_type)
-registry.register(RepoVerificationCheck())
+registry.register(ScmAuthenticityCheck())
diff --git a/tests/integration/cases/repo_verification/config.ini b/tests/integration/cases/scm_authenticity/config.ini
similarity index 86%
rename from tests/integration/cases/repo_verification/config.ini
rename to tests/integration/cases/scm_authenticity/config.ini
index d0ad28612..de14988d8 100644
--- a/tests/integration/cases/repo_verification/config.ini
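Review bot: The id set in `__init__`, `check_id = "mcn_scm_authenticity_1"`, does not match the id this same commit documents in docs/source/index.rst, ``mcn_scm_authenticity_check_1``; a user who copies the documented id into a policy, e.g. `check_passed(component_id, "mcn_scm_authenticity_check_1")`, gets a rule that, as far as I can tell, simply never matches rather than an error. The integration config.ini and the policy_*.dl files in this commit all use `mcn_scm_authenticity_1`, so the docs entry looks like the one to correct. Renaming the id together with `__tablename__` and `polymorphic_identity` also means existing policies that name `mcn_repo_verification_1` and facts already persisted under `_repo_verification_check` silently stop matching; if no compatibility alias is planned, a one-line note in the class docstring such as `Renamed from mcn_repo_verification_1; existing policies must be updated.` and a changelog entry would make the break visible. The body of `ScmAuthenticityCheck` continues past this hunk.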
+++ b/tests/integration/cases/scm_authenticity/config.ini
@@ -3,4 +3,4 @@
 [analysis.checks]
 exclude =
-include = mcn_repo_verification_1
+include = mcn_scm_authenticity_1
diff --git a/tests/integration/cases/repo_verification/policy_fail_1.dl b/tests/integration/cases/scm_authenticity/policy_fail_1.dl
similarity index 87%
rename from tests/integration/cases/repo_verification/policy_fail_1.dl
rename to tests/integration/cases/scm_authenticity/policy_fail_1.dl
index f4a1e5aab..e594c7a2d 100644
--- a/tests/integration/cases/repo_verification/policy_fail_1.dl
+++ b/tests/integration/cases/scm_authenticity/policy_fail_1.dl
@@ -4,7 +4,7 @@
 #include "prelude.dl"
 Policy("test_policy", component_id, "") :-
-    check_failed(component_id, "mcn_repo_verification_1").
+    check_failed(component_id, "mcn_scm_authenticity_1").
 apply_policy_to("test_policy", component_id) :-
     is_component(component_id, "pkg:maven/com.alibaba.ververica/flink-cep@1.17-vvr-8.0.8").
diff --git a/tests/integration/cases/repo_verification/policy_pass_1.dl b/tests/integration/cases/scm_authenticity/policy_pass_1.dl
similarity index 86%
rename from tests/integration/cases/repo_verification/policy_pass_1.dl
rename to tests/integration/cases/scm_authenticity/policy_pass_1.dl
index 60a32e351..2e0bbce57 100644
--- a/tests/integration/cases/repo_verification/policy_pass_1.dl
+++ b/tests/integration/cases/scm_authenticity/policy_pass_1.dl
@@ -4,7 +4,7 @@
 #include "prelude.dl"
 Policy("test_policy", component_id, "") :-
-    check_passed(component_id, "mcn_repo_verification_1").
+    check_passed(component_id, "mcn_scm_authenticity_1").
 apply_policy_to("test_policy", component_id) :-
     is_component(component_id, "pkg:maven/org.antlr/antlr4-maven-plugin@4.13.2").
diff --git a/tests/integration/cases/repo_verification/policy_pass_2.dl b/tests/integration/cases/scm_authenticity/policy_pass_2.dl
similarity index 86%
rename from tests/integration/cases/repo_verification/policy_pass_2.dl
rename to tests/integration/cases/scm_authenticity/policy_pass_2.dl
index 6e0d527ad..8a9bb928a 100644
--- a/tests/integration/cases/repo_verification/policy_pass_2.dl
+++ b/tests/integration/cases/scm_authenticity/policy_pass_2.dl
@@ -4,7 +4,7 @@
 #include "prelude.dl"
 Policy("test_policy", component_id, "") :-
-    check_passed(component_id, "mcn_repo_verification_1").
+    check_passed(component_id, "mcn_scm_authenticity_1").
 apply_policy_to("test_policy", component_id) :-
     is_component(component_id, "pkg:maven/org.neo4j/cypher-parser-common@5.21.2").
diff --git a/tests/integration/cases/repo_verification/test.yaml b/tests/integration/cases/scm_authenticity/test.yaml
similarity index 95%
rename from tests/integration/cases/repo_verification/test.yaml
rename to tests/integration/cases/scm_authenticity/test.yaml
index 32409ea56..9868f0980 100644
--- a/tests/integration/cases/repo_verification/test.yaml
+++ b/tests/integration/cases/scm_authenticity/test.yaml
@@ -2,7 +2,7 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 description: |
-  Integration tests for mcn_repo_verification_1 check.
+  Integration tests for mcn_scm_authenticity_1 check.
 tags:
 - macaron-python-package
diff --git a/tests/slsa_analyzer/checks/test_repo_verification_check.py b/tests/slsa_analyzer/checks/test_repo_verification_check.py
index f5473cf5c..f0f3dd923 100644
--- a/tests/slsa_analyzer/checks/test_repo_verification_check.py
+++ b/tests/slsa_analyzer/checks/test_repo_verification_check.py
@@ -8,7 +8,7 @@
 from macaron.repo_verifier.repo_verifier_base import RepositoryVerificationResult, RepositoryVerificationStatus
 from macaron.slsa_analyzer.build_tool.base_build_tool import BaseBuildTool
 from macaron.slsa_analyzer.checks.check_result import CheckResultType
-from macaron.slsa_analyzer.checks.repo_verification_check import RepoVerificationCheck
+from macaron.slsa_analyzer.checks.scm_authenticity_check import ScmAuthenticityCheck
 from macaron.slsa_analyzer.package_registry import PyPIRegistry
 from macaron.slsa_analyzer.package_registry.maven_central_registry import MavenCentralRegistry
 from macaron.slsa_analyzer.specs.package_registry_spec import PackageRegistryInfo
@@ -19,7 +19,7 @@
 def test_repo_verification_pass(maven_tool: BaseBuildTool, macaron_path: Path) -> None:
     """Test that the check passes when the repository is verified."""
-    check = RepoVerificationCheck()
+    check = ScmAuthenticityCheck()
     ctx = MockAnalyzeContext(macaron_path=macaron_path, output_dir="", purl="pkg:maven/test/test")
     maven_registry = MavenCentralRegistry()
@@ -37,7 +37,7 @@ def test_repo_verification_pass(maven_tool: BaseBuildTool, macaron_path: Path) -
 def test_repo_verification_fail(maven_tool: BaseBuildTool, macaron_path: Path) -> None:
     """Test that the check fails when the repository verification is failed."""
-    check = RepoVerificationCheck()
+    check = ScmAuthenticityCheck()
     ctx = MockAnalyzeContext(macaron_path=macaron_path, output_dir="", purl="pkg:maven/test/test")
     maven_registry = MavenCentralRegistry()
@@ -53,9 +53,9 @@ def test_repo_verification_fail(maven_tool: BaseBuildTool, macaron_path: Path) -
     assert check.run_check(ctx).result_type == CheckResultType.FAILED
-def test_repo_verification_unknown_for_unknown_repo_verification(maven_tool: BaseBuildTool, macaron_path: Path) -> None:
+def test_check_unknown_for_unknown_repo_verification(maven_tool: BaseBuildTool, macaron_path: Path) -> None:
     """Test that the check returns unknown when the repository verification is unknown."""
-    check = RepoVerificationCheck()
+    check = ScmAuthenticityCheck()
     ctx = MockAnalyzeContext(macaron_path=macaron_path, output_dir="", purl="pkg:maven/test/test")
     maven_registry = MavenCentralRegistry()
@@ -71,9 +71,9 @@ def test_repo_verification_unknown_for_unknown_repo_verification(maven_tool: Bas
     assert check.run_check(ctx).result_type == CheckResultType.UNKNOWN
-def test_repo_verification_unknown_for_unsupported_build_tools(pip_tool: BaseBuildTool, macaron_path: Path) -> None:
+def test_check_unknown_for_unsupported_build_tools(pip_tool: BaseBuildTool, macaron_path: Path) -> None:
     """Test that the check returns unknown for unsupported build tools."""
-    check = RepoVerificationCheck()
+    check = ScmAuthenticityCheck()
     ctx = MockAnalyzeContext(macaron_path=macaron_path, output_dir="", purl="pkg:pypi/test/test")
     pypi_registry = PyPIRegistry()
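Review bot: The two tests in these hunks are renamed to `test_check_unknown_...`, while `test_repo_verification_pass` and `test_repo_verification_fail` in the earlier hunks and the module itself, `tests/slsa_analyzer/checks/test_repo_verification_check.py`, keep the old `repo_verification` name, so the test module no longer pairs with `scm_authenticity_check.py` the way the check's other files were renamed in this commit. Renaming the file to `test_scm_authenticity_check.py` and the two remaining functions to `test_check_pass` and `test_check_fail` would keep the naming consistent. The bodies of both tests continue past the hunk.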