oracle
diff --git a/‎src/macaron/__main__.py
Lines changed: 3 additions & 0 deletions b/‎src/macaron/__main__.py
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/macaron/config/defaults.ini
Lines changed: 6 additions & 0 deletions b/‎src/macaron/config/defaults.ini
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/macaron/slsa_analyzer/analyze_context.py
Lines changed: 5 additions & 1 deletion b/‎src/macaron/slsa_analyzer/analyze_context.py
Lines changed: 5 additions & 1 deletion
diff --git a/‎src/macaron/slsa_analyzer/analyzer.py
Lines changed: 16 additions & 1 deletion b/‎src/macaron/slsa_analyzer/analyzer.py
Lines changed: 16 additions & 1 deletion
diff --git a/‎src/macaron/slsa_analyzer/build_tool/gradle.py
Lines changed: 29 additions & 0 deletions b/‎src/macaron/slsa_analyzer/build_tool/gradle.py
Lines changed: 29 additions & 0 deletions
diff --git a/‎src/macaron/slsa_analyzer/checks/provenance_available_check.py
Lines changed: 61 additions & 1 deletion b/‎src/macaron/slsa_analyzer/checks/provenance_available_check.py
Lines changed: 61 additions & 1 deletion
@@ -22,6 +22,7 @@
 from macaron.policy_engine.policy_engine import run_policy_engine, show_prelude
 from macaron.slsa_analyzer.analyzer import Analyzer
 from macaron.slsa_analyzer.git_service import GIT_SERVICES
+from macaron.slsa_analyzer.package_registry import PACKAGE_REGISTRIES
 
 logger: logging.Logger = logging.getLogger(__name__)
 
@@ -142,6 +143,8 @@ def perform_action(action_args: argparse.Namespace) -> None:
             try:
                 for git_service in GIT_SERVICES:
                     git_service.load_defaults()
+                for package_registry in PACKAGE_REGISTRIES:
+                    package_registry.load_defaults()
             except ConfigurationError as error:
                 logger.error(error)
                 sys.exit(os.EX_USAGE)
 
@@ -337,3 +337,9 @@ provenance_extensions =
 max_download_size = 70000000
 # This is the timeout (in seconds) to run the SLSA verifier.
 timeout = 120
+
+# Package registries.
+# [package_registry.jfrog.maven]
+# In this example, the Maven package registry can be accessed at https://internal.registry.org/maven-repo.
+# repo_url = https://internal.registry.org
+# repo_key = maven-repo
@@ -21,6 +21,7 @@
 from macaron.slsa_analyzer.slsa_req import ReqName, SLSAReq, get_requirements_dict
 from macaron.slsa_analyzer.specs.build_spec import BuildSpec
 from macaron.slsa_analyzer.specs.ci_spec import CIInfo
+from macaron.slsa_analyzer.specs.package_registry_data import PackageRegistryData
 
 logger: logging.Logger = logging.getLogger(__name__)
 
@@ -38,6 +39,8 @@ class ChecksOutputs(TypedDict):
     """True if we cannot find the provenance and Macaron need to infer the provenance."""
     expectation: Expectation | None
     """The expectation to verify the provenance for this repository."""
+    package_registries: list[PackageRegistryData]
+    """The package registries for this repository."""
 
 
 class AnalyzeContext:
@@ -118,6 +121,7 @@ def __init__(
             git_service=NoneGitService(),
             build_spec=BuildSpec(tools=[]),
             ci_services=[],
+            package_registries=[],
             is_inferred_prov=True,
             expectation=None,
         )
@@ -134,7 +138,7 @@ def provenances(self) -> dict:
         """
         try:
             ci_services = self.dynamic_data["ci_services"]
-            result = {}
+            result = {}  # key: ci service's name; values: list of provenances (in Json)
             for ci_info in ci_services:
                 result[ci_info["service"].name] = ci_info["provenances"]
             return result
 
@@ -41,10 +41,12 @@
 from macaron.slsa_analyzer.database_store import store_analysis_to_db, store_analyze_context_to_db
 from macaron.slsa_analyzer.git_service import GIT_SERVICES, BaseGitService
 from macaron.slsa_analyzer.git_service.base_git_service import NoneGitService
+from macaron.slsa_analyzer.package_registry import PACKAGE_REGISTRIES
 from macaron.slsa_analyzer.provenance.expectations.expectation_registry import ExpectationRegistry
 from macaron.slsa_analyzer.registry import registry
 from macaron.slsa_analyzer.specs.ci_spec import CIInfo
 from macaron.slsa_analyzer.specs.inferred_provenance import Provenance
+from macaron.slsa_analyzer.specs.package_registry_data import PackageRegistryData
 
 logger: logging.Logger = logging.getLogger(__name__)
 
@@ -664,7 +666,7 @@ def perform_checks(self, analyze_ctx: AnalyzeContext) -> dict[str, CheckResult]:
             ci_service.load_defaults()
             ci_service.set_api_client()
 
-            if ci_service.is_detected(analyze_ctx.git_obj.path):
+            if ci_service.is_detected(analyze_ctx.git_obj.path, analyze_ctx.dynamic_data["git_service"]):
                 logger.info("The repo uses %s CI service.", ci_service.name)
 
                 # Parse configuration files and generate IRs.
@@ -684,6 +686,19 @@ def perform_checks(self, analyze_ctx: AnalyzeContext) -> dict[str, CheckResult]:
                     )
                 )
 
+        # Determine the package registries.
+        # We match the repo against package registries through build tools.
+        build_tools = analyze_ctx.dynamic_data["build_spec"]["tools"]
+        for package_registry in PACKAGE_REGISTRIES:
+            for build_tool in build_tools:
+                if package_registry.is_detected(build_tool):
+                    analyze_ctx.dynamic_data["package_registries"].append(
+                        PackageRegistryData(
+                            build_tool=build_tool,
+                            package_registry=package_registry,
+                        )
+                    )
+
         # TODO: Get the list of skipped checks from user configuration
         skipped_checks: list[SkippedInfo] = []
 
 
@@ -8,6 +8,7 @@
 
 import logging
 import os
+import subprocess  # nosec B404
 
 from macaron.config.defaults import defaults
 from macaron.config.global_config import global_config
@@ -135,3 +136,31 @@ def get_dep_analyzer(self, repo_path: str) -> CycloneDxGradle:
             )
 
         raise DependencyAnalyzerError(f"Unsupported SBOM generator for Gradle: {tool_name}.")
+
+    def get_group_id(self, project_path: str) -> str | None:
+        """Get the group id of a Java repository.
+
+        Parameters
+        ----------
+        project_path : str
+            Path to the repository.
+        """
+        try:
+            result = subprocess.run(  # nosec B603
+                ["./gradlew", "properties"],
+                capture_output=True,
+                cwd=project_path,
+                check=False,
+            )
+        except (subprocess.CalledProcessError, OSError) as error:
+            logger.info("Could not capture the group id of the repo at %s", project_path)
+            logger.debug("Error: %s", error)
+            return None
+
+        lines = result.stdout.decode().split("\n")
+        for line in lines:
+            if line.startswith("group: "):
+                return line.replace("group: ", "")
+
+        logger.debug("Could not capture the group id of the repo at %s", project_path)
+        return None
@@ -13,11 +13,14 @@
 from macaron.database.database_manager import ORMBase
 from macaron.database.table_definitions import CheckFactsTable
 from macaron.slsa_analyzer.analyze_context import AnalyzeContext
+from macaron.slsa_analyzer.build_tool.gradle import Gradle
 from macaron.slsa_analyzer.checks.base_check import BaseCheck
 from macaron.slsa_analyzer.checks.check_result import CheckResult, CheckResultType
 from macaron.slsa_analyzer.ci_service.base_ci_service import NoneCIService
+from macaron.slsa_analyzer.package_registry import JFrogMavenRegistry
 from macaron.slsa_analyzer.registry import registry
 from macaron.slsa_analyzer.slsa_req import ReqName
+from macaron.slsa_analyzer.specs.package_registry_data import PackageRegistryData
 
 logger: logging.Logger = logging.getLogger(__name__)
 
@@ -82,6 +85,63 @@ def run_check(self, ctx: AnalyzeContext, check_result: CheckResult) -> CheckResu
         CheckResultType
             The result type of the check (e.g. PASSED).
         """
+        provenance_extensions = defaults.get_list(
+            "slsa.verifier",
+            "provenance_extensions",
+            fallback=["intoto.jsonl"],
+        )
+
+        # We look for the provenances in the package registries first, then CI services.
+        package_registry_data_entries = ctx.dynamic_data["package_registries"]
+
+        for package_registry_data_entry in package_registry_data_entries:
+            match package_registry_data_entry:
+                case PackageRegistryData(
+                    build_tool=Gradle() as gradle,
+                    package_registry=JFrogMavenRegistry() as jfrog_registry,
+                ):
+                    group_id = gradle.get_group_id(ctx.repo_path)
+                    if not group_id:
+                        continue
+
+                    artifact_ids = jfrog_registry.get_artifact_ids(group_id)
+
+                    provenance_assets = []
+
+                    for artifact_id in artifact_ids:
+                        latest_version = jfrog_registry.get_latest_version(group_id, artifact_id)
+                        if not latest_version:
+                            continue
+
+                        provenance_filenames = jfrog_registry.retrieve_provenance_filenames(
+                            group_id,
+                            artifact_id,
+                            latest_version,
+                            provenance_extensions,
+                        )
+
+                        for provenance_filename in provenance_filenames:
+                            provenance_assets.append(
+                                {
+                                    "asset_name": provenance_filename,
+                                    "asset_url": jfrog_registry.get_asset_url(
+                                        group_id,
+                                        artifact_id,
+                                        latest_version,
+                                        provenance_filename,
+                                    ),
+                                }
+                            )
+
+                    package_registry_data_entry.provenance_assets.extend(provenance_assets)
+                    check_result["justification"].append("Found provenance in release assets:")
+                    check_result["justification"].extend([prov["asset_name"] for prov in provenance_assets])
+                    check_result["result_tables"] = [ProvenanceAvailableTable(**prov) for prov in provenance_assets]
+
+                    return CheckResultType.PASSED
+                case _:
+                    continue
+
         ci_services = ctx.dynamic_data["ci_services"]
         for ci_info in ci_services:
             ci_service = ci_info["service"]
@@ -95,7 +155,7 @@ def run_check(self, ctx: AnalyzeContext, check_result: CheckResult) -> CheckResu
                 ci_info["latest_release"] = release
 
                 # Get the provenance assets.
-                for prov_ext in defaults.get_list("slsa.verifier", "provenance_extensions"):
+                for prov_ext in provenance_extensions:
                     assets = ci_service.api_client.get_assets(release, ext=prov_ext)
                     if not assets:
                         continue