fix: accept from-provenance repos as scm authentic (#1131)

Signed-off-by: Ben Selwyn-Smith <[email protected]>

Author: benmss

docs/source/index.rst

@@ -90,7 +90,7 @@ the requirements that are currently supported by Macaron.
      - If there is no commit, this check will fail.
    * - ``mcn_scm_authenticity_check_1``
      - **Source repo authenticity** - Check whether the claims of a source code repository made by a package can be corroborated.
-     - If the source code repository contains conflicting evidence regarding its claim of the source code repository, this check will fail. If no source code repository or corroborating evidence is found, or if the build system is unsupported, the check will return ``UNKNOWN`` as the result. This check currently supports only Maven artifacts.
+     - If the source code repository contains conflicting evidence regarding its claim of the source code repository, this check will fail. If no source code repository or corroborating evidence is found, or if the build system is unsupported, the check will return ``UNKNOWN`` as the result. This check supports Maven artifacts, and other artifacts that have a repository that is confirmed to be from a provenance file.
    * - ``mcn_detect_malicious_metadata_1``
      - **Malicious code detection** - Check whether the source code or package metadata has indicators of compromise.
      - This check performs analysis on PyPI package metadata to detect malicious behavior. It also reports known malware from other ecosystems.

src/macaron/repo_verifier/repo_verifier.py

@@ -1,13 +1,13 @@
-# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains code to verify whether a reported repository can be linked back to the artifact."""
 import logging
 
 from macaron.repo_verifier.repo_verifier_base import (
     RepositoryVerificationResult,
-    RepositoryVerificationStatus,
-    RepoVerifierBase,
+    RepoVerifierFromProvenance,
+    RepoVerifierToolSpecific,
 )
 from macaron.repo_verifier.repo_verifier_gradle import RepoVerifierGradle
 from macaron.repo_verifier.repo_verifier_maven import RepoVerifierMaven
@@ -22,6 +22,7 @@ def verify_repo(
     version: str,
     reported_repo_url: str,
     reported_repo_fs: str,
+    provenance_repo_url: str | None,
     build_tool: BaseBuildTool,
 ) -> RepositoryVerificationResult:
     """Verify whether the repository links back to the artifact.
@@ -38,6 +39,8 @@ def verify_repo(
         The reported repository URL.
     reported_repo_fs : str
         The reported repository filesystem path.
+    provenance_repo_url : str | None
+            The URL of the repository from a provenance file, or None if it, or the provenance, is not present.
     build_tool : BaseBuildTool
         The build tool used to build the package.
 
@@ -47,7 +50,7 @@ def verify_repo(
         The result of the repository verification
     """
     # TODO: Add support for other build tools.
-    verifier_map: dict[type[BaseBuildTool], type[RepoVerifierBase]] = {
+    verifier_map: dict[type[BaseBuildTool], type[RepoVerifierToolSpecific]] = {
         Maven: RepoVerifierMaven,
         Gradle: RepoVerifierGradle,
         # Poetry(): RepoVerifierPoetry,
@@ -60,16 +63,27 @@ def verify_repo(
 
     verifier_cls = verifier_map.get(type(build_tool))
     if not verifier_cls:
-        return RepositoryVerificationResult(
-            status=RepositoryVerificationStatus.UNKNOWN, reason="unsupported_type", build_tool=build_tool
+        # For unsupported types fallback to the default implementation that can verify based on the from-provenance
+        # repository URL.
+        verifier = RepoVerifierFromProvenance(
+            namespace=namespace,
+            name=name,
+            version=version,
+            reported_repo_url=reported_repo_url,
+            reported_repo_fs=reported_repo_fs,
+            provenance_repo_url=provenance_repo_url,
+            build_tool=build_tool,
+        )
+    else:
+        # Otherwise, use the correct repo verifier.
+        verifier = verifier_cls(
+            namespace=namespace,
+            name=name,
+            version=version,
+            reported_repo_url=reported_repo_url,
+            reported_repo_fs=reported_repo_fs,
+            provenance_repo_url=provenance_repo_url,
         )
 
-    verifier = verifier_cls(
-        namespace=namespace,
-        name=name,
-        version=version,
-        reported_repo_url=reported_repo_url,
-        reported_repo_fs=reported_repo_fs,
-    )
-
+    # Perform verification.
     return verifier.verify_repo()

src/macaron/repo_verifier/repo_verifier_base.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the base class and core data models for repository verification."""
@@ -94,10 +94,21 @@ class RepositoryVerificationResult:
 class RepoVerifierBase(abc.ABC):
     """The base class to verify whether a reported repository links back to the artifact."""
 
-    @property
     @abc.abstractmethod
-    def build_tool(self) -> BaseBuildTool:
-        """Define the build tool used to build the package."""
+    def verify_repo(self) -> RepositoryVerificationResult:
+        """Verify whether the repository links back to the artifact.
+
+        Returns
+        -------
+        RepositoryVerificationResult
+            The result of the repository verification
+        """
+
+
+class RepoVerifierFromProvenance(RepoVerifierBase):
+    """An implementation of the base verifier that verifies a repository if the URL comes from provenance."""
+
+    DEFAULT_REASON = "from_provenance"
 
     def __init__(
         self,
@@ -106,6 +117,8 @@ def __init__(
         version: str,
         reported_repo_url: str,
         reported_repo_fs: str,
+        provenance_repo_url: str | None,
+        build_tool: BaseBuildTool,
     ):
         """Instantiate the class.
 
@@ -121,19 +134,82 @@ def __init__(
             The URL of the repository reported by the publisher.
         reported_repo_fs : str
             The file system path of the reported repository.
+        provenance_repo_url : str | None
+            The URL of the repository from a provenance file, or None if it, or the provenance, is not present.
+        build_tool : BaseBuildTool
+            The build tool used to build the package.
         """
         self.namespace = namespace
         self.name = name
         self.version = version
         self.reported_repo_url = reported_repo_url
         self.reported_repo_fs = reported_repo_fs
+        self.provenance_repo_url = provenance_repo_url
+        self.build_tool = build_tool
 
-    @abc.abstractmethod
     def verify_repo(self) -> RepositoryVerificationResult:
-        """Verify whether the repository links back to the artifact.
+        """Verify whether the repository links back to the artifact from the provenance URL."""
+        if self.provenance_repo_url:
+            return RepositoryVerificationResult(
+                status=RepositoryVerificationStatus.PASSED,
+                reason=RepoVerifierFromProvenance.DEFAULT_REASON,
+                build_tool=self.build_tool,
+            )
 
-        Returns
-        -------
-        RepositoryVerificationResult
-            The result of the repository verification
+        return RepositoryVerificationResult(
+            status=RepositoryVerificationStatus.UNKNOWN, reason="unsupported_type", build_tool=self.build_tool
+        )
+
+
+class RepoVerifierToolSpecific(RepoVerifierFromProvenance, abc.ABC):
+    """An abstract subclass of the repo verifier that provides and calls a per-tool verification function.
+
+    From-provenance verification is inherited from the parent class.
+    """
+
+    @property
+    @abc.abstractmethod
+    def specific_tool(self) -> BaseBuildTool:
+        """Define the build tool used to build the package."""
+
+    def __init__(
+        self,
+        namespace: str | None,
+        name: str,
+        version: str,
+        reported_repo_url: str,
+        reported_repo_fs: str,
+        provenance_repo_url: str | None,
+    ):
+        """Instantiate the class.
+
+        Parameters
+        ----------
+        namespace : str
+            The namespace of the artifact.
+        name : str
+            The name of the artifact.
+        version : str
+            The version of the artifact.
+        reported_repo_url : str
+            The URL of the repository reported by the publisher.
+        reported_repo_fs : str
+            The file system path of the reported repository.
+        provenance_repo_url : str | None
+            The URL of the repository from a provenance file, or None if it, or the provenance, is not present.
         """
+        super().__init__(
+            namespace, name, version, reported_repo_url, reported_repo_fs, provenance_repo_url, self.specific_tool
+        )
+
+    def verify_repo(self) -> RepositoryVerificationResult:
+        """Verify the repository as per the base class method."""
+        result = super().verify_repo()
+        if result.status == RepositoryVerificationStatus.PASSED:
+            return result
+
+        return self.verify_by_tool()
+
+    @abc.abstractmethod
+    def verify_by_tool(self) -> RepositoryVerificationResult:
+        """Verify the repository using build tool specific methods."""

src/macaron/repo_verifier/repo_verifier_gradle.py

@@ -1,15 +1,15 @@
-# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
-"""This module contains code to verify whether a repository with Gradle build system can be linked back to the artifact."""
+"""This module contains code to verify whether a Gradle-based repository can be linked back to the artifact."""
 import logging
 from pathlib import Path
 
 from macaron.artifact.maven import is_valid_maven_group_id
 from macaron.repo_verifier.repo_verifier_base import (
     RepositoryVerificationResult,
     RepositoryVerificationStatus,
-    RepoVerifierBase,
+    RepoVerifierToolSpecific,
     find_file_in_repo,
 )
 from macaron.repo_verifier.repo_verifier_maven import RepoVerifierMaven
@@ -19,10 +19,10 @@
 logger = logging.getLogger(__name__)
 
 
-class RepoVerifierGradle(RepoVerifierBase):
+class RepoVerifierGradle(RepoVerifierToolSpecific):
     """A class to verify whether a repository with Gradle build tool links back to the artifact."""
 
-    build_tool = Gradle()
+    specific_tool = Gradle()
 
     def __init__(
         self,
@@ -31,6 +31,7 @@ def __init__(
         version: str,
         reported_repo_url: str,
         reported_repo_fs: str,
+        provenance_repo_url: str | None,
     ):
         """Initialize a RepoVerifierGradle instance.
 
@@ -46,18 +47,21 @@ def __init__(
             The URL of the repository reported by the publisher.
         reported_repo_fs : str
             The file system path of the reported repository.
+        provenance_repo_url : str | None
+            The URL of the repository from a provenance file, or None if it, or the provenance, is not present.
         """
-        super().__init__(namespace, name, version, reported_repo_url, reported_repo_fs)
+        super().__init__(namespace, name, version, reported_repo_url, reported_repo_fs, provenance_repo_url)
 
         self.maven_verifier = RepoVerifierMaven(
             namespace=namespace,
             name=name,
             version=version,
             reported_repo_url=reported_repo_url,
             reported_repo_fs=reported_repo_fs,
+            provenance_repo_url=provenance_repo_url,
         )
 
-    def verify_repo(self) -> RepositoryVerificationResult:
+    def verify_by_tool(self) -> RepositoryVerificationResult:
         """Verify whether the reported repository links back to the artifact.
 
         Returns

src/macaron/repo_verifier/repo_verifier_maven.py

@@ -1,7 +1,7 @@
-# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
-"""This module contains code to verify whether a reported repository with Maven build system can be linked back to the artifact."""
+"""This module contains code to verify whether a reported Maven-based repository can be linked back to the artifact."""
 import logging
 from pathlib import Path
 from urllib.parse import urlparse
@@ -10,7 +10,7 @@
 from macaron.repo_verifier.repo_verifier_base import (
     RepositoryVerificationResult,
     RepositoryVerificationStatus,
-    RepoVerifierBase,
+    RepoVerifierToolSpecific,
     find_file_in_repo,
 )
 from macaron.slsa_analyzer.build_tool import Maven
@@ -22,12 +22,12 @@
 logger = logging.getLogger(__name__)
 
 
-class RepoVerifierMaven(RepoVerifierBase):
+class RepoVerifierMaven(RepoVerifierToolSpecific):
     """A class to verify whether a repository with Maven build tool links back to the artifact."""
 
-    build_tool = Maven()
+    specific_tool = Maven()
 
-    def verify_repo(self) -> RepositoryVerificationResult:
+    def verify_by_tool(self) -> RepositoryVerificationResult:
         """Verify whether the reported repository links back to the Maven artifact.
 
         Returns

src/macaron/slsa_analyzer/analyzer.py

@@ -514,8 +514,6 @@ def run_single(
             if artifact_hash:
                 provenance_payload = self.get_github_attestation_payload(analyze_ctx, git_service, artifact_hash)
 
-        if parsed_purl is not None:
-            self._verify_repository_link(parsed_purl, analyze_ctx)
         self._determine_package_registries(analyze_ctx, package_registries_info)
 
         provenance_l3_verified = False
@@ -576,6 +574,9 @@ def run_single(
                 # TODO Add release digest.
             )
 
+        if parsed_purl is not None:
+            self._verify_repository_link(parsed_purl, analyze_ctx)
+
         analyze_ctx.dynamic_data["force_analyze_source"] = force_analyze_source
 
         if local_artifact_dirs:
@@ -1232,7 +1233,7 @@ def _verify_repository_link(self, parsed_purl: PackageURL, analyze_ctx: AnalyzeC
             logger.debug("The repository is not available. Skipping the repository verification.")
             return
 
-        if parsed_purl.namespace is None or parsed_purl.version is None:
+        if parsed_purl.version is None:
             logger.debug("The PURL is not complete. Skipping the repository verification.")
             return
 
@@ -1242,13 +1243,18 @@ def _verify_repository_link(self, parsed_purl: PackageURL, analyze_ctx: AnalyzeC
 
         analyze_ctx.dynamic_data["repo_verification"] = []
 
+        provenance_repo_url = None
+        if provenance_info := analyze_ctx.dynamic_data["provenance_info"]:
+            provenance_repo_url = provenance_info.repository_url
+
         for build_tool in build_tools:
             verification_result = verify_repo(
                 namespace=parsed_purl.namespace,
                 name=parsed_purl.name,
                 version=parsed_purl.version,
                 reported_repo_url=analyze_ctx.component.repository.remote_path,
                 reported_repo_fs=analyze_ctx.component.repository.fs_path,
+                provenance_repo_url=provenance_repo_url,
                 build_tool=build_tool,
             )
             analyze_ctx.dynamic_data["repo_verification"].append(verification_result)