oracle
diff --git a/‎src/macaron/__main__.py
Lines changed: 3 additions & 0 deletions b/‎src/macaron/__main__.py
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/macaron/config/defaults.ini
Lines changed: 12 additions & 0 deletions b/‎src/macaron/config/defaults.ini
Lines changed: 12 additions & 0 deletions
diff --git a/‎src/macaron/errors.py
Lines changed: 8 additions & 0 deletions b/‎src/macaron/errors.py
Lines changed: 8 additions & 0 deletions
diff --git a/‎src/macaron/slsa_analyzer/analyze_context.py
Lines changed: 5 additions & 1 deletion b/‎src/macaron/slsa_analyzer/analyze_context.py
Lines changed: 5 additions & 1 deletion
diff --git a/‎src/macaron/slsa_analyzer/analyzer.py
Lines changed: 16 additions & 1 deletion b/‎src/macaron/slsa_analyzer/analyzer.py
Lines changed: 16 additions & 1 deletion
diff --git a/‎src/macaron/slsa_analyzer/build_tool/gradle.py
Lines changed: 29 additions & 0 deletions b/‎src/macaron/slsa_analyzer/build_tool/gradle.py
Lines changed: 29 additions & 0 deletions
@@ -22,6 +22,7 @@
 from macaron.policy_engine.policy_engine import run_policy_engine, show_prelude
 from macaron.slsa_analyzer.analyzer import Analyzer
 from macaron.slsa_analyzer.git_service import GIT_SERVICES
+from macaron.slsa_analyzer.package_registry import PACKAGE_REGISTRIES
 
 logger: logging.Logger = logging.getLogger(__name__)
 
@@ -142,6 +143,8 @@ def perform_action(action_args: argparse.Namespace) -> None:
             try:
                 for git_service in GIT_SERVICES:
                     git_service.load_defaults()
+                for package_registry in PACKAGE_REGISTRIES:
+                    package_registry.load_defaults()
             except ConfigurationError as error:
                 logger.error(error)
                 sys.exit(os.EX_USAGE)
 
@@ -337,3 +337,15 @@ provenance_extensions =
 max_download_size = 70000000
 # This is the timeout (in seconds) to run the SLSA verifier.
 timeout = 120
+
+# Witness provenance.
+# [provenance.witness]
+# # The allowed values of the `predicateType` field (data type: list).
+# predicate_types =
+#     https://witness.testifysec.com/attestation-collection/v0.1
+
+# Package registries.
+# [package_registry.jfrog.maven]
+# In this example, the Maven package registry can be accessed at https://internal.registry.org/maven-repo.
+# repo_url = https://internal.registry.org
+# repo_key = maven-repo
@@ -30,3 +30,11 @@ class ConfigurationError(MacaronError):
 
 class CloneError(MacaronError):
     """Happens when cannot clone a git repository."""
+
+
+class ProvenanceDownloadError(MacaronError):
+    """Happens when there is an issue downloading a provenance asset."""
+
+
+class ProvenanceLoadError(MacaronError):
+    """Happens when there is an issue decoding and loading a provenance from a provenance asset."""
@@ -21,6 +21,7 @@
 from macaron.slsa_analyzer.slsa_req import ReqName, SLSAReq, get_requirements_dict
 from macaron.slsa_analyzer.specs.build_spec import BuildSpec
 from macaron.slsa_analyzer.specs.ci_spec import CIInfo
+from macaron.slsa_analyzer.specs.package_registry_data import PackageRegistryData
 
 logger: logging.Logger = logging.getLogger(__name__)
 
@@ -38,6 +39,8 @@ class ChecksOutputs(TypedDict):
     """True if we cannot find the provenance and Macaron need to infer the provenance."""
     expectation: Expectation | None
     """The expectation to verify the provenance for this repository."""
+    package_registries: list[PackageRegistryData]
+    """The package registries for this repository."""
 
 
 class AnalyzeContext:
@@ -118,6 +121,7 @@ def __init__(
             git_service=NoneGitService(),
             build_spec=BuildSpec(tools=[]),
             ci_services=[],
+            package_registries=[],
             is_inferred_prov=True,
             expectation=None,
         )
@@ -134,7 +138,7 @@ def provenances(self) -> dict:
         """
         try:
             ci_services = self.dynamic_data["ci_services"]
-            result = {}
+            result = {}  # key: ci service's name; values: list of provenances (in Json)
             for ci_info in ci_services:
                 result[ci_info["service"].name] = ci_info["provenances"]
             return result
 
@@ -41,10 +41,12 @@
 from macaron.slsa_analyzer.database_store import store_analysis_to_db, store_analyze_context_to_db
 from macaron.slsa_analyzer.git_service import GIT_SERVICES, BaseGitService
 from macaron.slsa_analyzer.git_service.base_git_service import NoneGitService
+from macaron.slsa_analyzer.package_registry import PACKAGE_REGISTRIES
 from macaron.slsa_analyzer.provenance.expectations.expectation_registry import ExpectationRegistry
 from macaron.slsa_analyzer.registry import registry
 from macaron.slsa_analyzer.specs.ci_spec import CIInfo
 from macaron.slsa_analyzer.specs.inferred_provenance import Provenance
+from macaron.slsa_analyzer.specs.package_registry_data import PackageRegistryData
 
 logger: logging.Logger = logging.getLogger(__name__)
 
@@ -664,7 +666,7 @@ def perform_checks(self, analyze_ctx: AnalyzeContext) -> dict[str, CheckResult]:
             ci_service.load_defaults()
             ci_service.set_api_client()
 
-            if ci_service.is_detected(analyze_ctx.git_obj.path):
+            if ci_service.is_detected(analyze_ctx.git_obj.path, analyze_ctx.dynamic_data["git_service"]):
                 logger.info("The repo uses %s CI service.", ci_service.name)
 
                 # Parse configuration files and generate IRs.
@@ -684,6 +686,19 @@ def perform_checks(self, analyze_ctx: AnalyzeContext) -> dict[str, CheckResult]:
                     )
                 )
 
+        # Determine the package registries.
+        # We match the repo against package registries through build tools.
+        build_tools = analyze_ctx.dynamic_data["build_spec"]["tools"]
+        for package_registry in PACKAGE_REGISTRIES:
+            for build_tool in build_tools:
+                if package_registry.is_detected(build_tool):
+                    analyze_ctx.dynamic_data["package_registries"].append(
+                        PackageRegistryData(
+                            build_tool=build_tool,
+                            package_registry=package_registry,
+                        )
+                    )
+
         # TODO: Get the list of skipped checks from user configuration
         skipped_checks: list[SkippedInfo] = []
 
 
@@ -8,6 +8,7 @@
 
 import logging
 import os
+import subprocess  # nosec B404
 
 from macaron.config.defaults import defaults
 from macaron.config.global_config import global_config
@@ -135,3 +136,31 @@ def get_dep_analyzer(self, repo_path: str) -> CycloneDxGradle:
             )
 
         raise DependencyAnalyzerError(f"Unsupported SBOM generator for Gradle: {tool_name}.")
+
+    def get_group_id(self, project_path: str) -> str | None:
+        """Get the group id of a Java repository.
+
+        Parameters
+        ----------
+        project_path : str
+            Path to the repository.
+        """
+        try:
+            result = subprocess.run(  # nosec B603
+                ["./gradlew", "properties"],
+                capture_output=True,
+                cwd=project_path,
+                check=False,
+            )
+        except (subprocess.CalledProcessError, OSError) as error:
+            logger.info("Could not capture the group id of the repo at %s", project_path)
+            logger.debug("Error: %s", error)
+            return None
+
+        lines = result.stdout.decode().split("\n")
+        for line in lines:
+            if line.startswith("group: "):
+                return line.replace("group: ", "")
+
+        logger.debug("Could not capture the group id of the repo at %s", project_path)
+        return None