chore: match a witness provenance subject against a maven artifact purl

Signed-off-by: Nathan Nguyen <[email protected]>

Author: nathanwn

src/macaron/artifact/maven.py

@@ -10,6 +10,15 @@
 
 from packageurl import PackageURL
 
+from macaron.slsa_analyzer.provenance.intoto import InTotoPayload
+from macaron.slsa_analyzer.provenance.intoto.v01 import InTotoV01Subject
+from macaron.slsa_analyzer.provenance.intoto.v1 import InTotoV1ResourceDescriptor
+from macaron.slsa_analyzer.provenance.witness import (
+    extract_build_artifacts_from_witness_subjects,
+    is_witness_provenance_payload,
+    load_witness_verifier_config,
+)
+
 
 class _MavenArtifactType(NamedTuple):
     filename_pattern: str
@@ -143,3 +152,52 @@ def from_artifact_name(
                 artifact_type=maven_artifact_type,
             )
         return None
+
+
+class MavenSubjectPURLMatcher:
+    """A matcher matching a PURL identifying a Maven artifact to a provenance subject."""
+
+    @staticmethod
+    def get_subject_in_provenance_matching_purl(
+        provenance_payload: InTotoPayload, purl: PackageURL
+    ) -> InTotoV01Subject | InTotoV1ResourceDescriptor | None:
+        """Get the subject in the provenance matching the PURL.
+
+        In this case where the provenance is assumed to be built from a Java project,
+        the subject must be a Maven artifact.
+
+        Parameters
+        ----------
+        provenance_payload : InTotoPayload
+            The provenance payload.
+        purl : PackageURL
+            The PackageURL identifying the matching subject.
+
+        Returns
+        -------
+        InTotoV01Subject | InTotoV1ResourceDescriptor | None
+            The subject in the provenance matching the given PURL.
+        """
+        if (maven_artifact := MavenArtifact.from_package_url(purl)) and is_witness_provenance_payload(
+            payload=provenance_payload,
+            predicate_types=load_witness_verifier_config().predicate_types,
+        ):
+            artifact_subjects = extract_build_artifacts_from_witness_subjects(provenance_payload)
+
+            maven_artifact_subject_pairs = []
+            for subject in artifact_subjects:
+                _, _, artifact_name = subject["name"].rpartition("/")
+                artifact = MavenArtifact.from_artifact_name(
+                    artifact_name=artifact_name,
+                    group_id=maven_artifact.group_id,
+                    version=maven_artifact.version,
+                )
+                if artifact is None:
+                    continue
+                maven_artifact_subject_pairs.append((artifact, subject))
+
+            for artifact, subject in maven_artifact_subject_pairs:
+                if artifact.package_url == purl:
+                    return subject
+
+        return None

src/macaron/database/table_definitions.py

@@ -15,7 +15,7 @@
 import string
 from datetime import datetime
 from pathlib import Path
-from typing import Any
+from typing import Any, Self
 
 from packageurl import PackageURL
 from sqlalchemy import (
@@ -32,9 +32,11 @@
 )
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 
+from macaron.artifact.maven import MavenSubjectPURLMatcher
 from macaron.database.database_manager import ORMBase
 from macaron.database.rfc3339_datetime import RFC3339DateTime
 from macaron.errors import InvalidPURLError
+from macaron.slsa_analyzer.provenance.intoto import InTotoPayload, ProvenanceSubjectPURLMatcher
 from macaron.slsa_analyzer.slsa_req import ReqName
 
 logger: logging.Logger = logging.getLogger(__name__)
@@ -563,3 +565,43 @@ class ProvenanceSubject(ORMBase):
 
     #: The SHA256 hash of the subject.
     sha256: Mapped[str] = mapped_column(String, nullable=False)
+
+    @classmethod
+    def from_purl_and_provenance(
+        cls,
+        purl: PackageURL,
+        provenance_payload: InTotoPayload,
+    ) -> Self | None:
+        """Create a ``ProvenanceSubject`` entry if there is a provenance subject matching the PURL.
+
+        Parameters
+        ----------
+        purl : PackageURL
+            The PackageURL identifying the software component being analyzed.
+        provenance_payload : InTotoPayload
+            The provenance payload.
+
+        Returns
+        -------
+        Self | None
+            A ``ProvenanceSubject`` entry with the SHA256 digest of the provenance subject
+            matching the given PURL.
+        """
+        subject_artifact_types: list[ProvenanceSubjectPURLMatcher] = [MavenSubjectPURLMatcher]
+
+        for subject_artifact_type in subject_artifact_types:
+            subject = subject_artifact_type.get_subject_in_provenance_matching_purl(
+                provenance_payload,
+                purl,
+            )
+            if subject is None:
+                return None
+            digest = subject["digest"]
+            if digest is None:
+                return None
+            sha256 = digest.get("sha256")
+            if not sha256:
+                return None
+            return cls(sha256=sha256)
+
+        return None

src/macaron/slsa_analyzer/analyzer.py

@@ -19,7 +19,7 @@
 from macaron.config.global_config import global_config
 from macaron.config.target_config import Configuration
 from macaron.database.database_manager import DatabaseManager, get_db_manager, get_db_session
-from macaron.database.table_definitions import Analysis, Component, Repository
+from macaron.database.table_definitions import Analysis, Component, ProvenanceSubject, Repository
 from macaron.dependency_analyzer import DependencyAnalyzer, DependencyInfo
 from macaron.errors import (
     CloneError,
@@ -332,7 +332,12 @@ def run_single(
         # Create the component.
         component = None
         try:
-            component = self.add_component(analysis, analysis_target, existing_records)
+            component = self.add_component(
+                analysis,
+                analysis_target,
+                existing_records,
+                provenance_payload,
+            )
         except PURLNotFoundError as error:
             logger.error(error)
             return Record(
@@ -484,6 +489,7 @@ def add_component(
         analysis: Analysis,
         analysis_target: AnalysisTarget,
         existing_records: dict[str, Record] | None = None,
+        provenance_payload: InTotoPayload | None = None,
     ) -> Component:
         """Add a software component if it does not exist in the DB already.
 
@@ -547,18 +553,30 @@ def add_component(
                 raise PURLNotFoundError(
                     f"The repository {analysis_target.repo_path} is not available and no PURL is provided from the user."
                 )
-
-            repo_snapshot_purl = PackageURL(
+            purl = PackageURL(
                 type=repository.type,
                 namespace=repository.owner,
                 name=repository.name,
                 version=repository.commit_sha,
             )
-            return Component(purl=str(repo_snapshot_purl), analysis=analysis, repository=repository)
+        else:
+            # If the PURL is available, we always create the software component with it whether the repository is
+            # available or not.
+            purl = analysis_target.parsed_purl
+
+        component = Component(
+            purl=str(purl),
+            analysis=analysis,
+            repository=repository,
+        )
+
+        if provenance_payload:
+            component.provenance_subject = ProvenanceSubject.from_purl_and_provenance(
+                purl=purl,
+                provenance_payload=provenance_payload,
+            )
 
-        # If the PURL is available, we always create the software component with it whether the repository is
-        # available or not.
-        return Component(purl=str(analysis_target.parsed_purl), analysis=analysis, repository=repository)
+        return component
 
     @staticmethod
     def parse_purl(config: Configuration) -> PackageURL | None:

src/macaron/slsa_analyzer/provenance/intoto/__init__.py

@@ -6,10 +6,14 @@
 from __future__ import annotations
 
 from collections.abc import Mapping
-from typing import NamedTuple, TypeVar
+from typing import NamedTuple, Protocol, TypeVar
+
+from packageurl import PackageURL
 
 from macaron.slsa_analyzer.provenance.intoto import v01, v1
 from macaron.slsa_analyzer.provenance.intoto.errors import ValidateInTotoPayloadError
+from macaron.slsa_analyzer.provenance.intoto.v01 import InTotoV01Subject
+from macaron.slsa_analyzer.provenance.intoto.v1 import InTotoV1ResourceDescriptor
 from macaron.util import JsonType
 
 # Type of an in-toto statement.
@@ -119,3 +123,31 @@ def validate_intoto_payload(payload: dict[str, JsonType]) -> InTotoPayload:
             raise error
 
     raise ValidateInTotoPayloadError("Invalid value for the attribute '_type' of the provenance payload.")
+
+
+class ProvenanceSubjectPURLMatcher(Protocol):
+    """Interface for a matcher that matches a PURL to a subject in the provenance."""
+
+    @staticmethod
+    def get_subject_in_provenance_matching_purl(
+        provenance_payload: InTotoPayload,
+        purl: PackageURL,
+    ) -> InTotoV01Subject | InTotoV1ResourceDescriptor | None:
+        """Obtain the subject in the provenance payload matching the given PackageURL.
+
+        This function assumes there is only one such subject. If there are multiple
+        such subjects, the first matching subject is returned. However, this should not
+        happen since the PackageURL should be specific enough to identify a single subject.
+
+        Parameters
+        ----------
+        provenance_payload : InTotoPayload
+            The provenance payload.
+        purl : PackageURL
+            The PackageURL identifying the matching subject.
+
+        Returns
+        -------
+        InTotoV01Subject | InTotoV1ResourceDescriptor | None
+            The subject in the provenance matching the given PURL.
+        """

tests/artifact/test_maven.py

@@ -6,8 +6,7 @@
 import pytest
 from packageurl import PackageURL
 
-from macaron.artifact.maven import MavenArtifact, MavenArtifactType
-# , MavenSubjectPURLMatcher
+from macaron.artifact.maven import MavenArtifact, MavenArtifactType, MavenSubjectPURLMatcher
 from macaron.slsa_analyzer.provenance.intoto import InTotoPayload, validate_intoto_payload