oracle · behnazh-w · May 8, 2024 · May 7, 2024
@@ -761,28 +761,40 @@ $RUN_POLICY -f $POLICY_FILE -d "$WORKSPACE/output/macaron.db" || log_fail
 check_or_update_expected_output $COMPARE_POLICIES $POLICY_RESULT $POLICY_EXPECTED || log_fail
 
 echo -e "\n----------------------------------------------------------------------------------"
-echo "behnazh-w/example-maven-app as a local repository"
-echo "Test Witness provenance as an input, Cue expectation validation, Policy CLI and VSA generation."
+echo "behnazh-w/example-maven-app as a local and remote repository"
+echo "Test the Witness and GitHub provenances as an input, Cue expectation validation, Policy CLI and VSA generation."
 echo -e "----------------------------------------------------------------------------------\n"
 RUN_POLICY="macaron verify-policy"
 POLICY_FILE=$WORKSPACE/tests/policy_engine/resources/policies/example-maven-project/policy.dl
 POLICY_RESULT=$WORKSPACE/output/policy_report.json
 POLICY_EXPECTED=$WORKSPACE/tests/policy_engine/expected_results/example-maven-project/example_maven_project_policy_report.json
 VSA_RESULT=$WORKSPACE/output/vsa.intoto.jsonl
-VSA_PAYLOAD_EXPECTED=$WORKSPACE/tests/vsa/integration/local_witness_example-maven-project/vsa_payload.json
-EXPECTATION_FILE=$WORKSPACE/tests/slsa_analyzer/provenance/expectations/cue/resources/valid_expectations/example-maven-project.cue
-PROVENANCE_FILE=$WORKSPACE/tests/slsa_analyzer/provenance/resources/valid_provenances/example-maven-project.json
+VSA_PAYLOAD_EXPECTED=$WORKSPACE/tests/vsa/integration/example-maven-project/vsa_payload.json
+
+# Test the local repo with Witness provenance.
+WITNESS_EXPECTATION_FILE=$WORKSPACE/tests/slsa_analyzer/provenance/expectations/cue/resources/valid_expectations/witness-example-maven-project.cue
+WITNESS_PROVENANCE_FILE=$WORKSPACE/tests/slsa_analyzer/provenance/resources/valid_provenances/witness-example-maven-project.json
 
 # Cloning the repository locally
 git clone https://github.com/behnazh-w/example-maven-app.git $WORKSPACE/output/git_repos/local_repos/example-maven-app || log_fail
 
-$RUN_MACARON analyze -pf $PROVENANCE_FILE -pe $EXPECTATION_FILE -purl pkg:maven/io.github.behnazh-w.demo/[email protected]?type=jar --repo-path example-maven-app --skip-deps || log_fail
+# Check the Witness provenance.
+$RUN_MACARON analyze -pf $WITNESS_PROVENANCE_FILE -pe $WITNESS_EXPECTATION_FILE -purl pkg:maven/io.github.behnazh-w.demo/[email protected]?type=jar --repo-path example-maven-app --skip-deps || log_fail
+
+# Test the remote repo with GitHub provenance.
+GITHUB_EXPECTATION_FILE=$WORKSPACE/tests/slsa_analyzer/provenance/expectations/cue/resources/valid_expectations/github-example-maven-project.cue
+GITHUB_PROVENANCE_FILE=$WORKSPACE/tests/slsa_analyzer/provenance/resources/valid_provenances/github-example-maven-project.json
+
+# Check the GitHub provenance.
+$RUN_MACARON analyze -pf $GITHUB_PROVENANCE_FILE -pe $GITHUB_EXPECTATION_FILE -purl pkg:maven/io.github.behnazh-w.demo/[email protected]?type=jar --skip-deps || log_fail
 
+# Verify the policy and VSA for all the software components generated from behnazh-w/example-maven-app repo.
 $RUN_POLICY -f $POLICY_FILE -d "$WORKSPACE/output/macaron.db" || log_fail
 
-check_or_update_expected_output $COMPARE_POLICIES $POLICY_RESULT $POLICY_EXPECTED || log_fail
+check_or_update_expected_output "$COMPARE_POLICIES" "$POLICY_RESULT" "$POLICY_EXPECTED" || log_fail
 check_or_update_expected_output "$COMPARE_VSA" "$VSA_RESULT" "$VSA_PAYLOAD_EXPECTED" || log_fail
 
+
 # Testing the Repo Finder's remote calls.
 # This requires the 'packageurl' Python module
 echo -e "\n----------------------------------------------------------------------------------"

@@ -161,25 +161,37 @@ python $COMPARE_POLICIES $POLICY_RESULT $POLICY_EXPECTED || log_fail
 python "$COMPARE_VSA" "$VSA_RESULT" "$VSA_PAYLOAD_EXPECTED" || log_fail
 
 echo -e "\n----------------------------------------------------------------------------------"
-echo "behnazh-w/example-maven-app as a local repository"
-echo "Test Witness provenance as an input, Cue expectation validation, Policy CLI and VSA generation."
+echo "behnazh-w/example-maven-app as a local and remote repository"
+echo "Test the Witness and GitHub provenances as an input, Cue expectation validation, Policy CLI and VSA generation."
 echo -e "----------------------------------------------------------------------------------\n"
+RUN_POLICY="macaron verify-policy"
 POLICY_FILE=$WORKSPACE/tests/policy_engine/resources/policies/example-maven-project/policy.dl
 POLICY_RESULT=$WORKSPACE/output/policy_report.json
 POLICY_EXPECTED=$WORKSPACE/tests/policy_engine/expected_results/example-maven-project/example_maven_project_policy_report.json
 VSA_RESULT=$WORKSPACE/output/vsa.intoto.jsonl
-VSA_PAYLOAD_EXPECTED=$WORKSPACE/tests/vsa/integration/local_witness_example-maven-project/vsa_payload.json
-EXPECTATION_FILE=$WORKSPACE/tests/slsa_analyzer/provenance/expectations/cue/resources/valid_expectations/example-maven-project.cue
-PROVENANCE_FILE=$WORKSPACE/tests/slsa_analyzer/provenance/resources/valid_provenances/example-maven-project.json
+VSA_PAYLOAD_EXPECTED=$WORKSPACE/tests/vsa/integration/example-maven-project/vsa_payload.json
+
+# Test the local repo with Witness provenance.
+WITNESS_EXPECTATION_FILE=$WORKSPACE/tests/slsa_analyzer/provenance/expectations/cue/resources/valid_expectations/witness-example-maven-project.cue
+WITNESS_PROVENANCE_FILE=$WORKSPACE/tests/slsa_analyzer/provenance/resources/valid_provenances/witness-example-maven-project.json
 
 # Cloning the repository locally
 git clone https://github.com/behnazh-w/example-maven-app.git $WORKSPACE/output/git_repos/local_repos/example-maven-app || log_fail
 
-$RUN_MACARON_SCRIPT analyze -pf $PROVENANCE_FILE -pe $EXPECTATION_FILE -purl pkg:maven/io.github.behnazh-w.demo/[email protected]?type=jar --repo-path example-maven-app --skip-deps || log_fail
+# Check the Witness provenance.
+$RUN_MACARON_SCRIPT analyze -pf $WITNESS_PROVENANCE_FILE -pe $WITNESS_EXPECTATION_FILE -purl pkg:maven/io.github.behnazh-w.demo/[email protected]?type=jar --repo-path example-maven-app --skip-deps || log_fail
+
+# Test the remote repo with GitHub provenance.
+GITHUB_EXPECTATION_FILE=$WORKSPACE/tests/slsa_analyzer/provenance/expectations/cue/resources/valid_expectations/github-example-maven-project.cue
+GITHUB_PROVENANCE_FILE=$WORKSPACE/tests/slsa_analyzer/provenance/resources/valid_provenances/github-example-maven-project.json
 
+# Check the GitHub provenance.
+$RUN_MACARON_SCRIPT analyze -pf $GITHUB_PROVENANCE_FILE -pe $GITHUB_EXPECTATION_FILE -purl pkg:maven/io.github.behnazh-w.demo/[email protected]?type=jar --skip-deps || log_fail
+
+# Verify the policy and VSA for all the software components generated from behnazh-w/example-maven-app repo.
 $RUN_MACARON_SCRIPT verify-policy -f $POLICY_FILE -d "$WORKSPACE/output/macaron.db" || log_fail
 
-python $COMPARE_POLICIES $POLICY_RESULT $POLICY_EXPECTED || log_fail
+python "$COMPARE_POLICIES" "$POLICY_RESULT" "$POLICY_EXPECTED" || log_fail
 python "$COMPARE_VSA" "$VSA_RESULT" "$VSA_PAYLOAD_EXPECTED" || log_fail
 
 echo -e "\n----------------------------------------------------------------------------------"

@@ -3,11 +3,15 @@
 
 """This module declares types and utilities for Maven artifacts."""
 
+from collections.abc import Sequence
+
 from packageurl import PackageURL
 
+from macaron.config.defaults import defaults
 from macaron.slsa_analyzer.provenance.intoto import InTotoPayload
 from macaron.slsa_analyzer.provenance.intoto.v01 import InTotoV01Subject
 from macaron.slsa_analyzer.provenance.intoto.v1 import InTotoV1ResourceDescriptor
+from macaron.slsa_analyzer.provenance.slsa import extract_build_artifacts_from_slsa_subjects, is_slsa_provenance_payload
 from macaron.slsa_analyzer.provenance.witness import (
     extract_build_artifacts_from_witness_subjects,
     is_witness_provenance_payload,
@@ -46,15 +50,29 @@ def get_subject_in_provenance_matching_purl(
         if purl.type != "maven":
             return None
 
-        if not is_witness_provenance_payload(
+        artifact_subjects: Sequence[InTotoV01Subject | InTotoV1ResourceDescriptor] = []
+        if is_witness_provenance_payload(
             payload=provenance_payload,
             predicate_types=load_witness_verifier_config().predicate_types,
         ):
+            artifact_subjects = extract_build_artifacts_from_witness_subjects(provenance_payload)
+        elif is_slsa_provenance_payload(
+            payload=provenance_payload,
+            predicate_types=defaults.get_list(
+                "slsa.verifier",
+                "predicate_types",
+                fallback=[],
+            ),
+        ):
+            artifact_subjects = extract_build_artifacts_from_slsa_subjects(provenance_payload)
+        else:
             return None
-        artifact_subjects = extract_build_artifacts_from_witness_subjects(provenance_payload)
 
         for subject in artifact_subjects:
-            _, _, artifact_filename = subject["name"].rpartition("/")
+            subject_name = subject["name"]
+            if not subject_name:
+                continue
+            _, _, artifact_filename = subject_name.rpartition("/")
             subject_purl = create_maven_purl_from_artifact_filename(
                 artifact_filename=artifact_filename,
                 group_id=purl.namespace,

@@ -476,6 +476,9 @@ max_download_size = 70000000
 timeout = 120
 # The allowed hostnames for URL file links for provenance download
 url_link_hostname_allowlist =
+predicate_types =
+    https://slsa.dev/provenance/v0.2
+    https://slsa.dev/provenance/v1
 
 # Witness provenance. See: https://github.com/testifysec/witness.
 [provenance.witness]

@@ -366,6 +366,8 @@ def run_single(
             analyze_ctx.component.purl.split("@")[0]
         )
         analyze_ctx.dynamic_data["provenance"] = provenance_payload
+        if provenance_payload:
+            analyze_ctx.dynamic_data["is_inferred_prov"] = False
         analyze_ctx.check_results = self.perform_checks(analyze_ctx)
 
         return Record(

@@ -7,6 +7,7 @@
 import configparser
 import gzip
 import json
+import logging
 import zlib
 from urllib.parse import urlparse
 
@@ -15,6 +16,8 @@
 from macaron.slsa_analyzer.provenance.intoto.errors import LoadIntotoAttestationError, ValidateInTotoPayloadError
 from macaron.util import JsonType, send_get_http_raw
 
+logger: logging.Logger = logging.getLogger(__name__)
+
 
 def _try_read_url_link_file(file_content: bytes) -> str | None:
     parser = configparser.ConfigParser()
@@ -70,7 +73,15 @@ def _load_provenance_file_content(
             "Cannot deserialize the file content as JSON.",
         ) from error
 
-    provenance_payload = provenance.get("payload", None)
+    # The GitHub Attestation stores the DSSE envelope in `dsseEnvelope` property.
+    dsse_envelope = provenance.get("dsseEnvelope", None)
+    if dsse_envelope:
+        provenance_payload = dsse_envelope.get("payload", None)
+        logger.debug("Found dsseEnvelope property in the provenance.")
+    else:
+        # Some provenances, such as Witness may not include the DSSE envelope `dsseEnvelope`
+        # property but contain its value directly.
+        provenance_payload = provenance.get("payload", None)
     if not provenance_payload:
         raise LoadIntotoAttestationError(
             'Cannot find the "payload" field in the decoded provenance.',
@@ -104,6 +115,14 @@ def load_provenance_file(filepath: str) -> dict[str, JsonType]:
     a "URL" field inside an "InternetShortcut" section), it will be transparently
     downloaded.
 
+    Note: We have observed that GitHub provenances store the DSSE envelope using the
+    `dsseEnvelope` property in the bundle. The bundle also includes Sigstore verification
+    material, such as `publicKey` and `x509CertificateChain`. However, provenances generated by
+    Witness and SLSA GitHub generator store the DSSE envelope content only.
+    This function supports both types of provenances. See the Sigstore bundle schema, which is
+    used in GitHub provenances:
+    https://github.com/sigstore/protobuf-specs/blob/2bfc122984e8c30fc83f5892b2947af7d113b411/gen/jsonschema/schemas/Bundle.schema.json
+
     Parameters
     ----------
     filepath : str

@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module implements SLSA provenance abstractions."""
@@ -7,6 +7,8 @@
 
 from macaron.slsa_analyzer.asset import AssetLocator
 from macaron.slsa_analyzer.provenance.intoto import InTotoPayload
+from macaron.slsa_analyzer.provenance.intoto.v01 import InTotoV01Subject
+from macaron.slsa_analyzer.provenance.intoto.v1 import InTotoV1ResourceDescriptor
 
 
 class SLSAProvenanceData(NamedTuple):
@@ -16,3 +18,56 @@ class SLSAProvenanceData(NamedTuple):
     asset: AssetLocator
     #: The provenance payload.
     payload: InTotoPayload
+
+
+def extract_build_artifacts_from_slsa_subjects(
+    payload: InTotoPayload,
+) -> list[InTotoV01Subject | InTotoV1ResourceDescriptor]:
+    """Extract subjects that are build artifacts from the ``"subject"`` field of the provenance.
+
+    Each artifact subject is assumed to have a sha256 digest. If a sha256 digest is not present for
+    a subject, that subject is ignored.
+
+    Parameters
+    ----------
+    payload : InTotoPayload
+        The provenance payload.
+
+    Returns
+    -------
+    list[InTotoV01Subject | InTotoV1ResourceDescriptor]
+        A list of subjects in the ``"subject"`` field of the provenance that are build artifacts.
+    """
+    subjects = payload.statement["subject"]
+    artifact_subjects = []
+    for subject in subjects:
+        digest = subject["digest"]
+        if not digest:
+            continue
+        sha256 = digest.get("sha256")
+        if not sha256 or not isinstance(sha256, str):
+            continue
+        artifact_subjects.append(subject)
+
+    return artifact_subjects
+
+
+def is_slsa_provenance_payload(
+    payload: InTotoPayload,
+    predicate_types: list[str],
+) -> bool:
+    """Check if the given provenance payload is a SLSA provenance payload.
+
+    Parameters
+    ----------
+    payload : InTotoPayload
+        The provenance payload.
+    predicate_types : list[str]
+        The allowed values for the ``"predicateType"`` field of the provenance payload.
+
+    Returns
+    -------
+    bool
+        ``True`` if the payload is a witness provenance payload, ``False`` otherwise.
+    """
+    return payload.statement["predicateType"] in predicate_types
@@ -3,12 +3,17 @@
         [
             "1",
             "pkg:maven/io.github.behnazh-w.demo/[email protected]?type=jar",
-            "gh_witness_provenance_policy"
+            "example_maven_app_policy"
+        ],
+        [
+            "2",
+            "pkg:maven/io.github.behnazh-w.demo/[email protected]?type=jar",
+            "example_maven_app_policy"
         ]
     ],
     "passed_policies": [
         [
-            "gh_witness_provenance_policy"
+            "example_maven_app_policy"
         ]
     ],
     "component_violates_policy": [],

@@ -3,13 +3,13 @@
 
 #include "prelude.dl"
 
-Policy("gh_witness_provenance_policy", component_id, "Policy for github Maven project with witness provenances") :-
+Policy("example_maven_app_policy", component_id, "Policy for github Maven project with Witness and GitHub provenances") :-
     check_passed(component_id, "mcn_build_service_1"),
     check_passed(component_id, "mcn_build_script_1"),
     check_passed(component_id, "mcn_provenance_available_1"),
     check_passed(component_id, "mcn_provenance_expectation_1").
 
-apply_policy_to("gh_witness_provenance_policy", component_id) :-
+apply_policy_to("example_maven_app_policy", component_id) :-
     is_repo(
       _,  // repo_id
       "github.com/behnazh-w/example-maven-app",  // http URL to the repo but without the "http://"

@@ -0,0 +1,14 @@
+{
+    target: "pkg:maven/io.github.behnazh-w.demo/example-maven-app",
+    predicate: {
+        buildDefinition: {
+            externalParameters: {
+                workflow: {
+                    ref: "refs/heads/main",
+                    repository: "https://github.com/behnazh-w/example-maven-app",
+                    path: ".github/workflows/main.yaml"
+                }
+            }
+        }
+    }
+}