
feat: add support for JFrog Artifactory and witness provenances produced on GitLab CI #349

Merged: 42 commits, Aug 22, 2023

Conversation

nathanwn (Member) commented Jun 29, 2023

This pull request adds the following features to Macaron:

  1. Support downloading artifacts and provenances from a JFrog Maven package registry.
  2. A new check for provenances produced by witness.

Note that these will only work for repositories built with Gradle for now. Support for Maven will be added later.

JFrog Maven package registry

A JFrog Maven package registry is a JFrog Artifactory instance that acts as a Maven repository. In SLSA terms, we call it a JFrog Maven package registry from here on out.

We are making the assumption that artifacts and provenances can be hosted on a JFrog Maven package registry. This pull request allows Macaron to discover artifacts and provenances on such a registry for analysis.

Another assumption is that an artifact and a corresponding provenance are hosted next to each other on the JFrog Maven package registry, i.e. if the artifact is hosted at https://some/url/of/groupid/artifactid/version/*.jar, then the corresponding provenance is hosted at https://some/url/of/groupid/artifactid/version/*.intoto.jsonl.

For Macaron to be aware of a JFrog Maven package registry, the user needs to provide the following section in the .ini config file:

[package_registry.jfrog.maven]
# In this example, the Maven package registry can be accessed at https://internal.registry.org/maven-repo.
domain = internal.registry.org
repo = maven-repo
download_timeout = 120

For Macaron to recognize that a repository may publish artifacts to a JFrog Maven package registry, the repository must use Gradle as its build tool. Support for other build tools such as Maven will be added later.

The mcn_provenance_witness_level_one_1 check

This new mcn_provenance_witness_level_one_1 check is added as a witness-specific replacement for mcn_provenance_level_three_1, which currently only supports SLSA provenances generated by slsa-github-generator.

In this PR, this check only verifies that the digest of each jar file could be found somewhere in the corresponding witness provenance.

For this check to be effective, the following section must be provided in the .ini config:

# Witness provenance.
[provenance.witness]
# The allowed values of the `predicateType` field (data type: list).
predicate_types =
    https://witness.testifysec.com/attestation-collection/v0.1
artifact_extensions =
    jar

The following diagram shows a brief summary of the check's logical flow.

[Diagram: jfrogmaven.drawio, a summary of the check's logical flow]
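
The following block is an added example, not Macaron's code and not part of the pull request: it models the two conventions described in the comment above (the artifact/provenance co-location on the registry, and the witness check that looks for each jar's digest inside the provenance) so a reader can see what such a check has to do. It assumes three things that the comment does not spell out: that the provenance file shares the artifact's file stem (`NAME.jar` beside `NAME.intoto.jsonl`), that each `.jsonl` line is either a bare in-toto Statement or a DSSE envelope whose base64 `payload` is one, and that "found somewhere in the provenance" means the hex SHA-256 matches any string value in the Statement. The jar bytes and provenance lines are constructed for the example; the `[provenance.witness]` values are the ones shown in the config above.

```python
"""Added example, not Macaron's own code: a minimal model of the
mcn_provenance_witness_level_one_1 check described in the PR comment.
Assumptions (not stated on the page): (a) the provenance shares the
artifact's file stem, (b) each .jsonl line is an in-toto Statement or a
DSSE envelope wrapping one, (c) "found somewhere" means the hex digest
appears as any string value in the Statement. All inputs are constructed."""
import base64
import hashlib
import json
from typing import Any, Iterator

# Values from the [provenance.witness] section shown in the PR comment.
PREDICATE_TYPES = {"https://witness.testifysec.com/attestation-collection/v0.1"}
ARTIFACT_EXTENSIONS = ("jar",)


def provenance_url_for(artifact_url: str) -> str:
    """Map .../groupid/artifactid/version/NAME.jar to .../NAME.intoto.jsonl.
    Assumes (not stated by the PR) that the provenance shares the jar's stem."""
    stem, _, ext = artifact_url.rpartition(".")
    if ext not in ARTIFACT_EXTENSIONS:
        raise ValueError(f"not an artifact extension we check: .{ext}")
    return f"{stem}.intoto.jsonl"


def iter_statements(jsonl_text: str) -> Iterator[dict[str, Any]]:
    """Yield one in-toto Statement per non-empty line, unwrapping DSSE
    envelopes (assumed shape: {"payloadType": ..., "payload": <base64>})."""
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if "payloadType" in obj and "payload" in obj:
            obj = json.loads(base64.b64decode(obj["payload"]))
        yield obj


def _strings(node: Any) -> Iterator[str]:
    """Depth-first walk over every string value in a parsed JSON tree."""
    if isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)
    elif isinstance(node, str):
        yield node


def check_artifact(artifact: bytes, jsonl_text: str) -> dict[str, Any]:
    """Pass only if some Statement has an allowed predicateType AND contains
    the artifact's SHA-256 hex digest somewhere in its content."""
    digest = hashlib.sha256(artifact).hexdigest()
    predicate_ok = digest_found = False
    for stmt in iter_statements(jsonl_text):
        if stmt.get("predicateType") not in PREDICATE_TYPES:
            continue  # unrelated or disallowed attestation type: ignore it
        predicate_ok = True
        if any(s.lower() == digest for s in _strings(stmt)):
            digest_found = True
    return {"digest": digest, "predicate_type_ok": predicate_ok,
            "digest_found": digest_found,
            "passed": predicate_ok and digest_found}


# --- constructed fixtures (not real artifacts or provenances) ---------------
FAKE_JAR = b"PK\x03\x04 constructed jar bytes for the example"
_GOOD = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "lib-1.0.jar",
                 "digest": {"sha256": hashlib.sha256(FAKE_JAR).hexdigest()}}],
    "predicateType": next(iter(PREDICATE_TYPES)),
    "predicate": {"attestations": []},
}
_WRONG_TYPE = dict(_GOOD, predicateType="https://example.invalid/other/v1")
_envelope = {"payloadType": "application/vnd.in-toto+json",
             "payload": base64.b64encode(json.dumps(_GOOD).encode()).decode(),
             "signatures": []}
# One DSSE-wrapped good Statement plus one with a disallowed predicateType.
FAKE_JSONL = json.dumps(_envelope) + "\n" + json.dumps(_WRONG_TYPE) + "\n"
FAKE_JSONL_WRONG_TYPE_ONLY = json.dumps(_WRONG_TYPE) + "\n"

if __name__ == "__main__":
    print(provenance_url_for(
        "https://internal.registry.org/maven-repo/org/example/lib/1.0/lib-1.0.jar"))
    print(check_artifact(FAKE_JAR, FAKE_JSONL))              # passes
    print(check_artifact(b"tampered", FAKE_JSONL))           # digest not found
    print(check_artifact(FAKE_JAR, FAKE_JSONL_WRONG_TYPE_ONLY))  # type rejected
```

Note that the tampered-artifact case fails on `digest_found` while `predicate_type_ok` stays true, which is the useful distinction for a report: the provenance was the right kind, but it does not vouch for the bytes that were actually downloaded. The check deliberately does nothing with the `signatures` array, matching the scope the PR comment gives for this first version (digest presence only).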

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Jun 29, 2023
@nathanwn nathanwn changed the title feat: add support for JFrog Maven artifactory feat: add support for JFrog Maven package registry Jun 29, 2023
@nathanwn nathanwn force-pushed the jfrog-maven branch 2 times, most recently from 95e3282 to 3be6cce Compare June 29, 2023 00:48
@nathanwn nathanwn changed the title feat: add support for JFrog Maven package registry feat: add support for JFrog Maven package registry and witness provenance Jul 7, 2023
@nathanwn nathanwn changed the title feat: add support for JFrog Maven package registry and witness provenance feat: add support for JFrog Maven package registry and witness provenances Jul 7, 2023
@nathanwn nathanwn self-assigned this Jul 7, 2023
@nathanwn nathanwn added checks The issues related to Macaron checks package_registries The issues related to package registries labels Jul 7, 2023
@nathanwn nathanwn force-pushed the jfrog-maven branch 2 times, most recently from 1643f0e to b3dff61 Compare July 8, 2023 12:02
@behnazh-w behnazh-w requested a review from nicallen July 10, 2023 00:57
@nathanwn nathanwn force-pushed the jfrog-maven branch 3 times, most recently from 4a38a8e to ad8528f Compare July 27, 2023 05:37
@nathanwn nathanwn marked this pull request as ready for review August 7, 2023 05:16
Review threads (resolved, now outdated) on:
  src/macaron/config/defaults.ini
  src/macaron/slsa_analyzer/asset/__init__.py (two threads)
  src/macaron/slsa_analyzer/provenance/witness.py
  tests/e2e/expected_results/urllib3/urllib3.json
@nathanwn nathanwn changed the title feat: add support for JFrog Maven package registry and witness provenances feat: add support for JFrog Artifactory and Witness provenances Aug 22, 2023
@nathanwn nathanwn changed the title feat: add support for JFrog Artifactory and Witness provenances feat: add support for JFrog Artifactory and witness provenances produced on GitLab CI Aug 22, 2023
@nathanwn nathanwn merged commit c3a9a08 into staging Aug 22, 2023
11 checks passed
@nathanwn nathanwn deleted the jfrog-maven branch October 26, 2023 05:16
4 participants