feat: add checks to detect pip and poetry projects

Signed-off-by: sophie-bates <[email protected]>

Author: sophie-bates

src/macaron/config/defaults.ini

@@ -211,6 +211,19 @@ jenkins =
     gradle-git-publish
     gitPublishPush
 
+# This is the spec for trusted Pip packaging tools.
+[builder.pip]
+entry_conf =
+    setup.py
+    setup.cfg
+    pyproject.toml
+build_configs =
+
+# This is the spec for trusted Poetry packaging tools.
+[builder.poetry]
+entry_conf = pyproject.toml
+build_configs = poetry.lock
+
 # This is the spec for GitHub Actions CI.
 [ci.github_actions]
 entry_conf =

src/macaron/slsa_analyzer/build_tool/__init__.py

@@ -1,12 +1,14 @@
-# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """The build_tool package contains the supported build tools for Macaron."""
 
 from .base_build_tool import BaseBuildTool
 from .gradle import Gradle
 from .maven import Maven
+from .pip import Pip
+from .poetry import Poetry
 
 # The list of supported build tools. The order of the list determine the order
 # in which each build tool is checked against the target repository.
-BUILD_TOOLS: list[BaseBuildTool] = [Gradle(), Maven()]
+BUILD_TOOLS: list[BaseBuildTool] = [Gradle(), Maven(), Poetry(), Pip()]

src/macaron/slsa_analyzer/build_tool/base_build_tool.py

@@ -15,6 +15,29 @@
 logger: logging.Logger = logging.getLogger(__name__)
 
 
+def find_files(path: str, file_name: str) -> list:
+    """Return a list of file paths that contain a certain file.
+
+    This method searches in the directory recursively.
+
+    Parameters
+    ----------
+    path : str
+        The path to search for the file.
+    file_name : str
+        The name of the file to search.
+
+    Returns
+    -------
+    list:
+        The result list of strings or empty if the file doesn't exist anywhere lower than the path.
+    """
+    pattern = os.path.join(path, "**", file_name)
+    files_detected = glob.glob(pattern, recursive=True)
+
+    return files_detected
+
+
 def file_exists(path: str, file_name: str) -> bool:
     """Return True if a file exists in a directory.
 

src/macaron/slsa_analyzer/build_tool/pip.py

@@ -0,0 +1,82 @@
+# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""This module contains the Pip class which inherits BaseBuildTool.
+
+This module is used to work with repositories that use Poetry for dependency management.
+"""
+
+import logging
+
+from macaron.config.defaults import defaults
+from macaron.dependency_analyzer import DependencyAnalyzer, NoneDependencyAnalyzer
+from macaron.slsa_analyzer.build_tool.base_build_tool import BaseBuildTool, file_exists
+
+logger: logging.Logger = logging.getLogger(__name__)
+
+
+class Pip(BaseBuildTool):
+    """This class contains the information of the pip build tool."""
+
+    def __init__(self) -> None:
+        """Initialize instance."""
+        super().__init__(name="pip")
+
+    def load_defaults(self) -> None:
+        """Load the default values from defaults.ini."""
+        if "builder.pip" in defaults:
+            for item in defaults["builder.pip"]:
+                if hasattr(self, item):
+                    setattr(self, item, defaults.get_list("builder.pip", item))
+
+    def is_detected(self, repo_path: str) -> bool:
+        """Return True if this build tool is used in the target repo.
+
+        Parameters
+        ----------
+        repo_path : str
+            The path to the target repo.
+
+        Returns
+        -------
+        bool
+            True if this build tool is detected, else False.
+        """
+        for file in self.entry_conf:
+            if file_exists(repo_path, file):
+                return True
+        return False
+
+    def prepare_config_files(self, wrapper_path: str, build_dir: str) -> bool:
+        """Prepare the necessary wrapper files for running the build.
+
+        This method will return False if there is any errors happened during operation.
+
+        Parameters
+        ----------
+        wrapper_path : str
+            The path where all necessary wrapper files are located.
+        build_dir : str
+            The path of the build dir. This is where all files are copied to.
+
+        Returns
+        -------
+        bool
+            True if succeed else False.
+        """
+        return True
+
+    def get_dep_analyzer(self, repo_path: str) -> DependencyAnalyzer:
+        """Create a DependencyAnalyzer for the build tool.
+
+        Parameters
+        ----------
+        repo_path: str
+            The path to the target repo.
+
+        Returns
+        -------
+        DependencyAnalyzer
+            The DependencyAnalyzer object.
+        """
+        return NoneDependencyAnalyzer()

src/macaron/slsa_analyzer/build_tool/poetry.py

@@ -0,0 +1,103 @@
+# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""This module contains the Poetry class which inherits BaseBuildTool.
+
+This module is used to work with repositories that use Poetry for dependency management.
+"""
+
+import logging
+import tomllib
+
+from macaron.config.defaults import defaults
+from macaron.dependency_analyzer import DependencyAnalyzer, NoneDependencyAnalyzer
+from macaron.slsa_analyzer.build_tool.base_build_tool import BaseBuildTool, file_exists, find_files
+
+logger: logging.Logger = logging.getLogger(__name__)
+
+
+class Poetry(BaseBuildTool):
+    """This class contains the information of the poetry build tool."""
+
+    def __init__(self) -> None:
+        """Initialize instance."""
+        super().__init__(name="poetry")
+
+    def load_defaults(self) -> None:
+        """Load the default values from defaults.ini."""
+        if "builder.poetry" in defaults:
+            for item in defaults["builder.poetry"]:
+                if hasattr(self, item):
+                    setattr(self, item, defaults.get_list("builder.poetry", item))
+
+    def is_detected(self, repo_path: str) -> bool:
+        """Return True if this build tool is used in the target repo.
+
+        Parameters
+        ----------
+        repo_path : str
+            The path to the target repo.
+
+        Returns
+        -------
+        bool
+            True if this build tool is detected, else False.
+        """
+        for file in self.build_configs:
+            if file_exists(repo_path, file):
+                return True
+
+        for conf in self.entry_conf:
+            # Find the paths of all pyproject.toml files.
+            files_detected = find_files(repo_path, conf)
+
+            if files_detected:
+                try:
+                    # Take the highest level file (shortest file path)
+                    file_path = min(files_detected, key=len)
+
+                    # Parse the .toml file
+                    with open(file_path, "rb") as toml_file:
+                        data = tomllib.load(toml_file)
+                        if ("tool" in data) and ("poetry" in data["tool"]):
+                            return True
+                    return False
+                except FileNotFoundError:
+                    logger.error("Failed to read the %s file.", conf)
+                    return False
+
+        return False
+
+    def prepare_config_files(self, wrapper_path: str, build_dir: str) -> bool:
+        """Prepare the necessary wrapper files for running the build.
+
+        This method will return False if there is any errors happened during operation.
+
+        Parameters
+        ----------
+        wrapper_path : str
+            The path where all necessary wrapper files are located.
+        build_dir : str
+            The path of the build dir. This is where all files are copied to.
+
+        Returns
+        -------
+        bool
+            True if succeed else False.
+        """
+        return False
+
+    def get_dep_analyzer(self, repo_path: str) -> DependencyAnalyzer:
+        """Create a DependencyAnalyzer for the build tool.
+
+        Parameters
+        ----------
+        repo_path: str
+            The path to the target repo.
+
+        Returns
+        -------
+        DependencyAnalyzer
+            The DependencyAnalyzer object.
+        """
+        return NoneDependencyAnalyzer()