chore: refactor level 3 provenance check

Signed-off-by: Ben Selwyn-Smith <[email protected]>

Author: benmss

docs/source/pages/developers_guide/apidoc/macaron.repo_finder.rst

@@ -17,22 +17,6 @@ macaron.repo\_finder.commit\_finder module
    :undoc-members:
    :show-inheritance:
 
-macaron.repo\_finder.provenance\_extractor module
--------------------------------------------------
-
-.. automodule:: macaron.repo_finder.provenance_extractor
-   :members:
-   :undoc-members:
-   :show-inheritance:
-
-macaron.repo\_finder.provenance\_finder module
-----------------------------------------------
-
-.. automodule:: macaron.repo_finder.provenance_finder
-   :members:
-   :undoc-members:
-   :show-inheritance:
-
 macaron.repo\_finder.repo\_finder module
 ----------------------------------------
 

docs/source/pages/developers_guide/apidoc/macaron.rst

@@ -20,6 +20,7 @@ Subpackages
    macaron.output_reporter
    macaron.parsers
    macaron.policy_engine
+   macaron.provenance
    macaron.repo_finder
    macaron.repo_verifier
    macaron.slsa_analyzer

src/macaron/database/db_custom_types.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module implements SQLAlchemy type for converting date format to RFC3339 string representation."""
@@ -8,6 +8,8 @@
 
 from sqlalchemy import JSON, String, TypeDecorator
 
+from macaron.slsa_analyzer.provenance.intoto import InTotoPayload, validate_intoto_payload
+
 
 class RFC3339DateTime(TypeDecorator):  # pylint: disable=W0223
     """
@@ -36,7 +38,7 @@ def process_bind_param(self, value: None | Any, dialect: Any) -> None | str:
         if the provided ``datetime`` is a naive ``datetime`` object then UTC is added.
 
         value: None | datetime.datetime
-            The value being stored
+            The value being stored.
         """
         if value is None:
             return None
@@ -52,7 +54,7 @@ def process_result_value(self, value: None | str, dialect: Any) -> None | dateti
         If the deserialized ``datetime`` has a timezone then return it, otherwise add UTC as its timezone.
 
         value: None | str
-            The value being loaded
+            The value being loaded.
         """
         if value is None:
             return None
@@ -76,7 +78,7 @@ def process_bind_param(self, value: None | dict, dialect: Any) -> None | dict:
         """Process when storing a dict object to the SQLite db.
 
         value: None | dict
-            The value being stored
+            The value being stored.
         """
         if not isinstance(value, dict):
             raise TypeError("DBJsonDict type expects a dict.")
@@ -87,8 +89,47 @@ def process_result_value(self, value: None | dict, dialect: Any) -> None | dict:
         """Process when loading a dict object from the SQLite db.
 
         value: None | dict
-            The value being loaded
+            The value being loaded.
         """
         if not isinstance(value, dict):
             raise TypeError("DBJsonDict type expects a dict.")
         return value
+
+
+class ProvenancePayload(TypeDecorator):  # pylint: disable=W0223
+    """SQLAlchemy column type to serialize InTotoProvenance."""
+
+    # It is stored in the database as a json value.
+    impl = JSON
+
+    # To prevent Sphinx from rendering the docstrings for `cache_ok`, make this docstring private.
+    #: :meta private:
+    cache_ok = True
+
+    def process_bind_param(self, value: None | InTotoPayload, dialect: Any) -> None | Any:
+        """Process when storing a dict object to the SQLite db.
+
+        value: None | InTotoPayload
+            The value being stored.
+        """
+        if value is None:
+            return None
+
+        if not isinstance(value, InTotoPayload):
+            raise TypeError("ProvenancePayload type expects an InTotoPayload.")
+
+        return value.statement.get("payload")
+
+    def process_result_value(self, value: None | dict, dialect: Any) -> None | InTotoPayload:
+        """Process when loading a dict object from the SQLite db.
+
+        value: None | dict
+            The value being loaded.
+        """
+        if value is None:
+            return None
+
+        if not isinstance(value, dict):
+            raise TypeError("ProvenancePayload type expects a dict.")
+
+        return validate_intoto_payload(value)

src/macaron/database/table_definitions.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """
@@ -34,7 +34,7 @@
 
 from macaron.artifact.maven import MavenSubjectPURLMatcher
 from macaron.database.database_manager import ORMBase
-from macaron.database.db_custom_types import RFC3339DateTime
+from macaron.database.db_custom_types import ProvenancePayload, RFC3339DateTime
 from macaron.errors import InvalidPURLError
 from macaron.slsa_analyzer.provenance.intoto import InTotoPayload, ProvenanceSubjectPURLMatcher
 from macaron.slsa_analyzer.slsa_req import ReqName
@@ -481,14 +481,26 @@ class Provenance(ORMBase):
     #: The SLSA version.
     version: Mapped[str] = mapped_column(String, nullable=False)
 
+    #: The SLSA level.
+    slsa_level: Mapped[int] = mapped_column(Integer, default=0)
+
     #: The release tag commit sha.
     release_commit_sha: Mapped[str] = mapped_column(String, nullable=True)
 
     #: The release tag.
     release_tag: Mapped[str] = mapped_column(String, nullable=True)
 
-    #: The provenance payload content in JSON format.
-    provenance_json: Mapped[str] = mapped_column(String, nullable=False)
+    #: The repository URL from the provenance.
+    repository_url: Mapped[str] = mapped_column(String, nullable=True)
+
+    #: The commit sha from the provenance.
+    commit_sha: Mapped[str] = mapped_column(String, nullable=True)
+
+    #: The provenance payload.
+    provenance_payload: Mapped[InTotoPayload] = mapped_column(ProvenancePayload, nullable=False)
+
+    #: The verified status of the provenance.
+    verified: Mapped[bool] = mapped_column(Boolean, nullable=False, default=False)
 
     #: A one-to-many relationship with the release artifacts.
     artifact: Mapped[list["ReleaseArtifact"]] = relationship(back_populates="provenance")

src/macaron/provenance/__init__.py

@@ -0,0 +1,4 @@
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""This package contains the provenance tools for software components."""

src/macaron/repo_finder/provenance_extractor.py renamed to src/macaron/provenance/provenance_extractor.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains methods for extracting repository and commit metadata from provenance files."""
@@ -7,16 +7,11 @@
 from abc import ABC, abstractmethod
 
 from packageurl import PackageURL
-from pydriller import Git
 
 from macaron.errors import ProvenanceError
 from macaron.json_tools import JsonType, json_extract
 from macaron.repo_finder import to_domain_from_known_purl_types
-from macaron.repo_finder.commit_finder import (
-    AbstractPurlType,
-    determine_abstract_purl_type,
-    extract_commit_from_version,
-)
+from macaron.repo_finder.commit_finder import AbstractPurlType, determine_abstract_purl_type
 from macaron.slsa_analyzer.provenance.intoto import InTotoPayload, InTotoV1Payload, InTotoV01Payload
 from macaron.slsa_analyzer.provenance.intoto.v01 import InTotoV01Statement
 from macaron.slsa_analyzer.provenance.intoto.v1 import InTotoV1Statement
@@ -278,27 +273,18 @@ def check_if_input_repo_provenance_conflict(
 
 
 def check_if_input_purl_provenance_conflict(
-    git_obj: Git,
     repo_path_input: bool,
-    digest_input: bool,
     provenance_repo_url: str | None,
-    provenance_commit_digest: str | None,
     purl: PackageURL,
 ) -> bool:
     """Test if the input repository type PURL's repo and commit match the contents of the provenance.
 
     Parameters
     ----------
-    git_obj: Git
-        The Git object.
     repo_path_input: bool
         True if there is a repo as input.
-    digest_input: str
-        True if there is a commit as input.
     provenance_repo_url: str | None
         The repo url from provenance.
-    provenance_commit_digest: str | None
-        The commit digest from provenance.
     purl: PackageURL
         The input repository PURL.
 
@@ -321,18 +307,6 @@ def check_if_input_purl_provenance_conflict(
             )
             return True
 
-    # Check the PURL commit against the provenance.
-    if not digest_input and provenance_commit_digest and purl.version:
-        purl_commit = extract_commit_from_version(git_obj, purl.version)
-        if purl_commit and purl_commit != provenance_commit_digest:
-            logger.debug(
-                "The commit digest passed via purl input does not match what exists in the "
-                "provenance. Purl Commit: %s, Provenance Commit: %s.",
-                purl_commit,
-                provenance_commit_digest,
-            )
-            return True
-
     return False