diff --git a/src/macaron/provenance/provenance_verifier.py b/src/macaron/provenance/provenance_verifier.py
index 7cb6776a2..43ed2a348 100644
--- a/src/macaron/provenance/provenance_verifier.py
+++ b/src/macaron/provenance/provenance_verifier.py
@@ -16,7 +16,7 @@ from macaron.config.defaults import defaults
 from macaron.config.global_config import global_config
-from macaron.json_tools import json_extract
+from macaron.provenance.provenance_extractor import ProvenancePredicate
 from macaron.repo_finder.commit_finder import AbstractPurlType, determine_abstract_purl_type
 from macaron.slsa_analyzer.analyze_context import AnalyzeContext
 from macaron.slsa_analyzer.asset import AssetLocator
@@ -378,6 +378,9 @@ def determine_provenance_slsa_level(
 int
 The SLSA level.
 """
+ infer = ctx.dynamic_data["is_inferred_prov"]
+ logger.info("%s, %s, %s, %s", infer, verified, verified_l3, provenance_payload is not None)
+
 if not provenance_payload or ctx.dynamic_data["is_inferred_prov"]:
 # 0. Provenance is not available.
 return 0
@@ -385,9 +388,9 @@ def determine_provenance_slsa_level(
 predicate = provenance_payload.statement.get("predicate")
 build_type = None
 if predicate:
- build_type = json_extract(predicate, ["buildDefinition", "buildType"], str)
- if not build_type:
- build_type = json_extract(predicate, ["buildType"], str)
+ build_type = ProvenancePredicate.get_build_type(provenance_payload.statement)
+
+ logger.info("%s", build_type)
 
 if build_type == "https://github.com/slsa-framework/slsa-github-generator/generic@v1" and verified_l3:
 # 3. Provenance is created by the SLSA GitHub generator and verified.
diff --git a/src/macaron/slsa_analyzer/checks/provenance_l3_check.py b/src/macaron/slsa_analyzer/checks/provenance_l3_check.py
index ee22aff3f..a60ec301a 100644
--- a/src/macaron/slsa_analyzer/checks/provenance_l3_check.py
+++ b/src/macaron/slsa_analyzer/checks/provenance_l3_check.py
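Review bot: The two statements added at the top of determine_provenance_slsa_level read like leftover debugging: the INFO-level message is only `%s, %s, %s, %s` with no field names, so the line cannot be interpreted without the source, and `infer` is bound but the guard immediately below still re-reads `ctx.dynamic_data["is_inferred_prov"]`. The same unlabelled `logger.info("%s", ...)` pattern appears in the next hunk of this file, in the run_check hunk of provenance_l3_check.py, and in both hunks of provenance_verified_check.py. If the output is meant to stay, downgrade it and label the fields, e.g. `logger.debug("inferred=%s verified=%s verified_l3=%s has_payload=%s", infer, verified, verified_l3, provenance_payload is not None)`, and use the local in the guard: `if not provenance_payload or infer:`. Otherwise drop all of them before merge, since unlabelled INFO noise on the SLSA-level decision path buries the messages that are actually worth filtering on. The function continues outside the hunk.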
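Review bot: After the switch to `build_type = ProvenancePredicate.get_build_type(provenance_payload.statement)` the `predicate` local is used only as a guard, and the hunk does not show whether get_build_type tolerates a statement without a predicate, nor whether it covers the older top-level `buildType` layout that the removed second `json_extract` call handled. If it does both, `predicate = ...` and `if predicate:` can go and the get_build_type call can stand alone; if not, a comment should say so, because a missed build type does not fail loudly here — the comparison against the slsa-github-generator URL below simply does not match and the level presumably falls through to a lower branch. The result also deserves a label when logged, e.g. `logger.debug("build_type=%s", build_type)`, rather than the bare `logger.info("%s", build_type)`. The rest of determine_provenance_slsa_level is outside the hunk.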
@@ -2,6 +2,7 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 """This module implements a check to verify a target repo has intoto provenance level 3."""
+import logging
 from sqlalchemy import ForeignKey
 from sqlalchemy.orm import Mapped, mapped_column
@@ -13,6 +14,8 @@ from macaron.slsa_analyzer.registry import registry
 from macaron.slsa_analyzer.slsa_req import ReqName
+logger: logging.Logger = logging.getLogger(__name__)
+
 class ProvenanceL3VerifiedFacts(CheckFacts):
 """The ORM mapping for justifications in provenance_l3 check."""
@@ -68,7 +71,14 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
 """
 result_tables: list[CheckFacts] = []
 result_value = CheckResultType.FAILED
- if ctx.dynamic_data["provenance_info"] and ctx.dynamic_data["provenance_info"].slsa_level == 3:
+ prov = ctx.dynamic_data["provenance_info"] or None
+ slsa = 0
+ if prov:
+ slsa = prov.slsa_level
+
+ logger.info("%s", slsa)
+
+ if prov and slsa == 3:
 result_tables.append(ProvenanceL3VerifiedFacts(confidence=Confidence.HIGH))
 result_value = CheckResultType.PASSED
diff --git a/src/macaron/slsa_analyzer/checks/provenance_verified_check.py b/src/macaron/slsa_analyzer/checks/provenance_verified_check.py
index 2d1ce7069..b71642f92 100644
--- a/src/macaron/slsa_analyzer/checks/provenance_verified_check.py
+++ b/src/macaron/slsa_analyzer/checks/provenance_verified_check.py
@@ -69,6 +69,10 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
 """
 build_type = None
 provenance_info = ctx.dynamic_data["provenance_info"]
+ logger.info("%s", provenance_info is not None)
+ if provenance_info:
+ logger.info("%s", provenance_info.provenance_payload is not None)
+
 if provenance_info and provenance_info.provenance_payload:
 build_type = ProvenancePredicate.get_build_type(provenance_info.provenance_payload.statement)
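Review bot: In the rewritten condition of run_check, the `or None` in `prov = ctx.dynamic_data["provenance_info"] or None` and the `prov and` in `if prov and slsa == 3:` are both redundant: `or None` only turns an already-falsy value into None, and `slsa` is still 0 whenever `prov` is falsy, so `slsa == 3` alone decides. The original one-line test could stay as it was, or the new form can shrink to `slsa = prov.slsa_level if prov else 0` followed by `if slsa == 3:`. `logger.info("%s", slsa)` has the same unlabelled INFO-output problem as the hunks in provenance_verifier.py. The body of run_check continues past the hunk.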
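Review bot: The added `logger.info(...)` calls in run_check rely on a module-level `logger` that this diff neither imports nor defines for provenance_verified_check.py, whereas provenance_l3_check.py receives `import logging` and a `logger` in the same commit; presumably the name already exists above the hunk, but if it does not, the check raises NameError on its first call. The two messages also log bare booleans with no label, the same issue as in provenance_verifier.py, so at minimum they should name the field, e.g. `logger.debug("has_provenance_info=%s", provenance_info is not None)`. run_check continues outside the hunk.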
@@ -76,6 +80,9 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
 if provenance_info:
 slsa_level = provenance_info.slsa_level
+ logger.info("%s", slsa_level)
+ logger.info("%s", build_type)
+
 return CheckResultData(
 result_tables=[
 ProvenanceVerifiedFacts(