feat: add support for python packaging and publishing tools in build_as_code and build_service checks

sophie-bates · sophie-bates · commit 9ad67a9ef162 · 2023-03-17T10:40:13.000+10:00
Signed-off-by: sophie-bates &lt;sophie.bates@oracle.com&gt;
diff --git a/src/macaron/config/defaults.ini b/src/macaron/config/defaults.ini
@@ -218,11 +218,44 @@ entry_conf =
     setup.cfg
     pyproject.toml
 build_configs =
+packager =
+    pip
+    pip3
+    flit
+    conda
+publisher =
+    twine
+    flit
+    conda
+builder_module =
+    python
+    python3
+build_arg =
+    install
+    build
+    setup.py
+deploy_arg =
+    publish
+    upload
+[builder.pip.ci.deploy]
+github_actions = pypa/gh-action-pypi-publish
 
 # This is the spec for trusted Poetry packaging tools.
 [builder.poetry]
 entry_conf = pyproject.toml
 build_configs = poetry.lock
+builder =
+    poetry
+    poetry-core
+builder_module =
+    python
+    python3
+build_arg =
+    build
+deploy_arg =
+    publish
+[builder.poetry.ci.deploy]
+github_actions = pypa/gh-action-pypi-publish
 
 # This is the spec for GitHub Actions CI.
 [ci.github_actions]
diff --git a/src/macaron/slsa_analyzer/build_tool/base_build_tool.py b/src/macaron/slsa_analyzer/build_tool/base_build_tool.py
@@ -56,6 +56,9 @@ def __init__(self, name: str) -> None:
         self.entry_conf: list[str] = []
         self.build_configs: list[str] = []
         self.builder: list[str] = []
+        self.packager: list[str] = []
+        self.publisher: list[str] = []
+        self.builder_module: list[str] = []
         self.build_arg: list[str] = []
         self.deploy_arg: list[str] = []
         self.ci_build_kws: dict[str, list[str]] = {
diff --git a/src/macaron/slsa_analyzer/build_tool/pip.py b/src/macaron/slsa_analyzer/build_tool/pip.py
@@ -29,6 +29,11 @@ def load_defaults(self) -> None:
                 if hasattr(self, item):
                     setattr(self, item, defaults.get_list("builder.pip", item))
 
+        if "builder.pip.ci.deploy" in defaults:
+            for item in defaults["builder.pip.ci.deploy"]:
+                if item in self.ci_deploy_kws:
+                    self.ci_deploy_kws[item] = defaults.get_list("builder.pip.ci.deploy", item)
+
     def is_detected(self, repo_path: str) -> bool:
         """Return True if this build tool is used in the target repo.
 
diff --git a/src/macaron/slsa_analyzer/build_tool/poetry.py b/src/macaron/slsa_analyzer/build_tool/poetry.py
@@ -33,6 +33,11 @@ def load_defaults(self) -> None:
                 if hasattr(self, item):
                     setattr(self, item, defaults.get_list("builder.poetry", item))
 
+        if "builder.pip.ci.deploy" in defaults:
+            for item in defaults["builder.pip.ci.deploy"]:
+                if item in self.ci_deploy_kws:
+                    self.ci_deploy_kws[item] = defaults.get_list("builder.pip.ci.deploy", item)
+
     def is_detected(self, repo_path: str) -> bool:
         """Return True if this build tool is used in the target repo.
 
@@ -56,6 +61,8 @@ def is_detected(self, repo_path: str) -> bool:
             files_detected = glob.glob(pattern, recursive=True)
 
             if files_detected:
+                # TODO: this implementation assumes one build type, so when multiple build types are supported, this
+                # needs to be updated.
                 # Take the highest level file, if there are two at the same level, take the first in the list.
                 file_path = min(files_detected, key=lambda x: len(Path(x).parts))
                 try:
diff --git a/src/macaron/slsa_analyzer/checks/build_as_code_check.py b/src/macaron/slsa_analyzer/checks/build_as_code_check.py
@@ -1,17 +1,19 @@
-# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the BuildAsCodeCheck class."""
 
 import logging
 import os
 
+from macaron.config.defaults import defaults
 from macaron.slsa_analyzer.analyze_context import AnalyzeContext
 from macaron.slsa_analyzer.build_tool.base_build_tool import BaseBuildTool, NoneBuildTool
 from macaron.slsa_analyzer.checks.base_check import BaseCheck
 from macaron.slsa_analyzer.checks.check_result import CheckResult, CheckResultType
 from macaron.slsa_analyzer.ci_service.base_ci_service import NoneCIService
 from macaron.slsa_analyzer.ci_service.circleci import CircleCI
+from macaron.slsa_analyzer.ci_service.github_actions import GHWorkflowType
 from macaron.slsa_analyzer.ci_service.gitlab_ci import GitLabCI
 from macaron.slsa_analyzer.ci_service.jenkins import Jenkins
 from macaron.slsa_analyzer.ci_service.travis import Travis
@@ -50,23 +52,43 @@ def __init__(self) -> None:
     def _has_deploy_command(self, commands: list[list[str]], build_tool: BaseBuildTool) -> str:
         """Check if the bash command is a build and deploy command."""
         for com in commands:
+
             # Check for empty or invalid commands.
             if not com or not com[0]:
                 continue
             # The first argument in a bash command is the program name.
             # So first check that the program name is a supported build tool name.
             # We need to handle cases where the the first argument is a path to the program.
+            # TODO: support for not being a supported build tool first
             cmd_program_name = os.path.basename(com[0])
             if not cmd_program_name:
                 logger.debug("Found invalid program name %s.", com[0])
                 continue
-            if any(build_cmd for build_cmd in build_tool.builder if build_cmd == cmd_program_name):
-                # Check the arguments in the bash command for the deploy goals.
-                # If there are no deploy args for this build tool, accept as deploy command.
+
+            # Account for Python projects having separate tools for packaging and publishing.
+            if build_tool.publisher:
+                deploy_tool = build_tool.publisher
+            else:
+                deploy_tool = build_tool.builder
+
+            check_build_commands = any(build_cmd for build_cmd in deploy_tool if build_cmd == cmd_program_name)
+
+            # Support the use of python modules, i.e. 'python -m pip install'
+            check_module_build_commands = any(
+                module == cmd_program_name and com[1] and com[1] == "-m" and com[2] in deploy_tool
+                for module in build_tool.builder_module
+            )
+            prog_name_index = 2 if check_module_build_commands else 0
+
+            # logger.info("com: %s", com[(prog_name_index + 1) :])
+
+            if check_build_commands or check_module_build_commands:
                 if not build_tool.deploy_arg:
                     logger.info("No deploy arguments required. Accept %s as deploy command.", str(com))
                     return str(com)
-                for word in com[1:]:
+                logger.info(build_tool.deploy_arg)
+
+                for word in com[(prog_name_index + 1) :]:
                     # TODO: allow plugin versions in arguments, e.g., maven-plugin:1.6.8:deploy.
                     if word in build_tool.deploy_arg:
                         logger.info("Found deploy command %s.", str(com))
@@ -90,7 +112,7 @@ def run_check(self, ctx: AnalyzeContext, check_result: CheckResult) -> CheckResu
         """
         # Get the build tool identified by the mcn_version_control_system_1, which we depend on.
         build_tool = ctx.dynamic_data["build_spec"].get("tool")
-        ci_services = ctx.dynamic_data["ci_services"]
+        ci_services = ctx.dynamic_data["ci_services"]  # keep storing things here
 
         # Checking if a build tool is discovered for this repo.
         if build_tool and not isinstance(build_tool, NoneBuildTool):
@@ -99,6 +121,67 @@ def run_check(self, ctx: AnalyzeContext, check_result: CheckResult) -> CheckResu
                 # Checking if a CI service is discovered for this repo.
                 if isinstance(ci_service, NoneCIService):
                     continue
+
+                trusted_deploy_actions = defaults.get_list("builder.pip.ci.deploy", "github_actions", fallback=[])
+
+                # Check for use of a trusted Github Action to publish/deploy.
+                # TODO: verify that deplyment is legitimate and not a test
+                if trusted_deploy_actions:
+                    for callee in ci_info["callgraph"].bfs():
+                        workflow_name = callee.name.split("@")[0]
+
+                        if not workflow_name or callee.node_type not in [
+                            GHWorkflowType.EXTERNAL,
+                            GHWorkflowType.REUSABLE,
+                        ]:
+                            logger.debug("Workflow %s is not relevant. Skipping...", callee.name)
+                            continue
+                        if workflow_name in trusted_deploy_actions:
+                            trigger_link = ci_service.api_client.get_file_link(
+                                ctx.repo_full_name,
+                                ctx.commit_sha,
+                                ci_service.api_client.get_relative_path_of_workflow(
+                                    os.path.basename(callee.caller_path)
+                                ),
+                            )
+                            # TODO: verify that caller_path and CI_PATH are the same
+                            deploy_action_source_link = ci_service.api_client.get_file_link(
+                                ctx.repo_full_name, ctx.commit_sha, callee.caller_path
+                            )
+
+                            html_url = ci_service.has_latest_run_passed(
+                                ctx.repo_full_name,
+                                ctx.branch_name,
+                                ctx.commit_sha,
+                                ctx.commit_date,
+                                os.path.basename(callee.caller_path),
+                            )
+
+                            # TODO: include in the justification multiple cases of external action usage
+                            justification: list[str | dict[str, str]] = [
+                                {
+                                    f"The target repository uses build tool {build_tool.name}"
+                                    " to deploy": deploy_action_source_link,
+                                    "The build is triggered by": trigger_link,
+                                },
+                                f"Deploy action: {workflow_name}",
+                                {"The status of the build can be seen at": html_url}
+                                if html_url
+                                else "However, could not find a passing workflow run.",
+                            ]
+                            check_result["justification"].extend(justification)
+                            if ctx.dynamic_data["is_inferred_prov"] and ci_info["provenances"]:
+                                predicate = ci_info["provenances"][0]["predicate"]
+                                predicate["buildType"] = f"Custom {ci_service.name}"
+                                predicate["builder"]["id"] = deploy_action_source_link
+                                predicate["invocation"]["configSource"][
+                                    "uri"
+                                ] = f"{ctx.remote_path}@refs/heads/{ctx.branch_name}"
+                                predicate["invocation"]["configSource"]["digest"]["sha1"] = ctx.commit_sha
+                                predicate["invocation"]["configSource"]["entryPoint"] = trigger_link
+                                predicate["metadata"]["buildInvocationId"] = html_url
+                            return CheckResultType.PASSED
+
                 for bash_cmd in ci_info["bash_commands"]:
                     deploy_cmd = self._has_deploy_command(bash_cmd["commands"], build_tool)
                     if deploy_cmd:
@@ -121,7 +204,7 @@ def run_check(self, ctx: AnalyzeContext, check_result: CheckResult) -> CheckResu
                             os.path.basename(bash_cmd["CI_path"]),
                         )
 
-                        justification: list[str | dict[str, str]] = [
+                        justification_cmd: list[str | dict[str, str]] = [
                             {
                                 f"The target repository uses build tool {build_tool.name} to deploy": bash_source_link,
                                 "The build is triggered by": trigger_link,
@@ -131,7 +214,7 @@ def run_check(self, ctx: AnalyzeContext, check_result: CheckResult) -> CheckResu
                             if html_url
                             else "However, could not find a passing workflow run.",
                         ]
-                        check_result["justification"].extend(justification)
+                        check_result["justification"].extend(justification_cmd)
                         if ctx.dynamic_data["is_inferred_prov"] and ci_info["provenances"]:
                             predicate = ci_info["provenances"][0]["predicate"]
                             predicate["buildType"] = f"Custom {ci_service.name}"
diff --git a/src/macaron/slsa_analyzer/checks/build_service_check.py b/src/macaron/slsa_analyzer/checks/build_service_check.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the BuildServiceCheck class."""
@@ -51,13 +51,29 @@ def _has_build_command(self, commands: list[list[str]], build_tool: BaseBuildToo
             if not cmd_program_name:
                 logger.debug("Found invalid program name %s.", com[0])
                 continue
-            if any(build_cmd for build_cmd in build_tool.builder if build_cmd == cmd_program_name):
+
+            if build_tool.packager:
+                builder = build_tool.packager
+            else:
+                builder = build_tool.builder
+
+            check_build_commands = any(build_cmd for build_cmd in builder if build_cmd == cmd_program_name)
+
+            # Support for use of Python modules.
+            check_module_build_commands = any(
+                module == cmd_program_name and com[1] and com[1] == "-m" and com[2] in builder
+                for module in build_tool.builder_module
+            )
+
+            prog_name_index = 2 if check_module_build_commands else 0
+
+            if check_build_commands or check_module_build_commands:
                 # Check the arguments in the bash command for the build goals.
                 # If there are no build args for this build tool, accept as build command.
                 if not build_tool.build_arg:
                     logger.info("No build arguments required. Accept %s as build command.", str(com))
                     return str(com)
-                for word in com[1:]:
+                for word in com[(prog_name_index + 1) :]:
                     # TODO: allow plugin versions in arguments, e.g., maven-plugin:1.6.8:package.
                     if word in build_tool.build_arg:
                         logger.info("Found build command %s.", str(com))
