refactor: improve extraction of subjects being build artifacts from witness provenances

Signed-off-by: Nathan Nguyen <nathan.nguyen@oracle.com>

Author: nathanwn

src/macaron/slsa_analyzer/checks/provenance_witness_l1_check.py

@@ -14,9 +14,9 @@
 from macaron.slsa_analyzer.checks.check_result import CheckResultData, CheckResultType, Confidence, JustificationType
 from macaron.slsa_analyzer.package_registry import JFrogMavenRegistry
 from macaron.slsa_analyzer.package_registry.jfrog_maven_registry import JFrogMavenAsset
+from macaron.slsa_analyzer.provenance.intoto.v01 import InTotoV01Subject
 from macaron.slsa_analyzer.provenance.witness import (
-    WitnessProvenanceSubject,
-    extract_witness_provenance_subjects,
+    extract_build_artifacts_from_witness_subjects,
     is_witness_provenance_payload,
     load_witness_verifier_config,
 )
@@ -51,15 +51,15 @@ class WitnessProvenanceAvailableFacts(CheckFacts):
 
 def verify_artifact_assets(
     artifact_assets: list[JFrogMavenAsset],
-    subjects: set[WitnessProvenanceSubject],
+    subjects: list[InTotoV01Subject],
 ) -> bool:
     """Verify artifact assets against subjects in the witness provenance payload.
 
     Parameters
     ----------
     artifact_assets : list[JFrogMavenAsset]
         List of artifact assets to verify.
-    subjects : list[WitnessProvenanceSubject]
+    subjects : list[InTotoV01Subject]
         List of subjects extracted from the in the witness provenance.
 
     Returns
@@ -70,12 +70,12 @@ def verify_artifact_assets(
     # A look-up table to verify:
     # 1. if the name of the artifact appears in any subject of the witness provenance, then
     # 2. if the digest of the artifact could be found
-    look_up: dict[str, dict[str, WitnessProvenanceSubject]] = {}
+    look_up: dict[str, dict[str, InTotoV01Subject]] = {}
 
     for subject in subjects:
-        if subject.artifact_name not in look_up:
-            look_up[subject.artifact_name] = {}
-        look_up[subject.artifact_name][subject.sha256_digest] = subject
+        if subject["name"] not in look_up:
+            look_up[subject["name"]] = {}
+        look_up[subject["name"]][subject["digest"]["sha256"]] = subject
 
     for asset in artifact_assets:
         if asset.name not in look_up:
@@ -93,7 +93,7 @@ def verify_artifact_assets(
         logger.info(
             "Successfully verified asset '%s' against the subject '%s' in the provenance.",
             asset.name,
-            subject.subject_name,
+            subject["name"],
         )
 
     return True
@@ -167,7 +167,7 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
                             version=provenance.asset.version,
                             extensions=witness_verifier_config.artifact_extensions,
                         )
-                        subjects = extract_witness_provenance_subjects(provenance.payload)
+                        subjects = extract_build_artifacts_from_witness_subjects(provenance.payload)
 
                         if not verify_artifact_assets(artifact_assets, subjects):
                             return CheckResultData(

src/macaron/slsa_analyzer/provenance/witness/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """Witness provenance (https://github.com/testifysec/witness)."""
@@ -9,6 +9,7 @@
 from macaron.config.defaults import defaults
 from macaron.slsa_analyzer.asset import AssetLocator
 from macaron.slsa_analyzer.provenance.intoto import InTotoPayload, InTotoV01Payload
+from macaron.slsa_analyzer.provenance.intoto.v01 import InTotoV01Subject
 from macaron.slsa_analyzer.provenance.witness.attestor import GitLabWitnessAttestor, RepoAttestor
 
 logger: logging.Logger = logging.getLogger(__name__)
@@ -120,7 +121,7 @@ def extract_repo_url(witness_payload: InTotoPayload) -> str | None:
     return None
 
 
-def extract_witness_provenance_subjects(witness_payload: InTotoPayload) -> set[WitnessProvenanceSubject]:
+def extract_build_artifacts_from_witness_subjects(witness_payload: InTotoPayload) -> list[InTotoV01Subject]:
     """Read the ``"subjects"`` field of the provenance to obtain the hash digests of each subject.
 
     Parameters
@@ -133,28 +134,25 @@ def extract_witness_provenance_subjects(witness_payload: InTotoPayload) -> set[W
 
     Returns
     -------
-    dict[str, str]
+    list[InTotoV01Subject]
         A dictionary in which each key is a subject name and each value is the corresponding SHA256 digest.
     """
-    if isinstance(witness_payload, InTotoV01Payload):
-        subjects = witness_payload.statement["subject"]
-        subject_digests = set()
-
-        for subject in subjects:
-            name = subject["name"]
-            digest = subject["digest"]
-
-            sha256 = digest.get("sha256")
-            if not sha256 or not isinstance(sha256, str):
-                continue
-
-            subject_digests.add(
-                WitnessProvenanceSubject(
-                    subject_name=name,
-                    sha256_digest=sha256,
-                )
-            )
-
-        return subject_digests
-
-    return set()
+    if not isinstance(witness_payload, InTotoV01Payload):
+        return []
+
+    subjects = witness_payload.statement["subject"]
+    artifact_subjects = []
+    for subject in subjects:
+        # Filter all subjects attested by the product attestor, which records all changed and
+        # created files in the build process.
+        # Documentation: https://github.com/in-toto/witness/blob/main/docs/attestors/product.md
+        if not subject["name"].startswith("https://witness.dev/attestations/product/v0.1/file:"):
+            continue
+
+        digest = subject["digest"]
+        sha256 = digest.get("sha256")
+        if not sha256 or not isinstance(sha256, str):
+            continue
+        artifact_subjects.append(subject)
+
+    return artifact_subjects

tests/slsa_analyzer/provenance/test_witness_provenance.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """Tests for witness provenance."""
@@ -12,9 +12,8 @@
 from macaron.config.defaults import load_defaults
 from macaron.slsa_analyzer.provenance.intoto import InTotoV01Payload, v01
 from macaron.slsa_analyzer.provenance.witness import (
-    WitnessProvenanceSubject,
     WitnessVerifierConfig,
-    extract_witness_provenance_subjects,
+    extract_build_artifacts_from_witness_subjects,
     is_witness_provenance_payload,
     load_witness_verifier_config,
 )
@@ -124,18 +123,20 @@ def test_is_witness_provenance_payload(
 }
                 """
             ),
-            {
-                WitnessProvenanceSubject(
-                    subject_name=(
-                        "https://witness.dev/attestations/product/v0.1/file:target/jackson-annotations-2.9.9.jar"
-                    ),
-                    sha256_digest="6f97fe2094bd50435d6fbb7a2f6c2638fe44e6af17cfff98ce111d0abfffe17e",
-                ),
-                WitnessProvenanceSubject(
-                    subject_name="https://witness.dev/attestations/product/v0.1/file:foo/bar/baz.txt",
-                    sha256_digest="cbc8f554dbfa17e5c5873c425a09cb1488c2f784ac52340747a92b7ec0aaefba",
-                ),
-            },
+            [
+                {
+                    "name": "https://witness.dev/attestations/product/v0.1/file:target/jackson-annotations-2.9.9.jar",
+                    "digest": {
+                        "sha256": "6f97fe2094bd50435d6fbb7a2f6c2638fe44e6af17cfff98ce111d0abfffe17e",
+                    },
+                },
+                {
+                    "name": "https://witness.dev/attestations/product/v0.1/file:foo/bar/baz.txt",
+                    "digest": {
+                        "sha256": "cbc8f554dbfa17e5c5873c425a09cb1488c2f784ac52340747a92b7ec0aaefba",
+                    },
+                },
+            ],
             id="Valid payload",
         ),
         pytest.param(
@@ -159,22 +160,53 @@ def test_is_witness_provenance_payload(
 }
             """
             ),
-            {
-                WitnessProvenanceSubject(
-                    subject_name=(
-                        "https://witness.dev/attestations/product/v0.1/file:target/jackson-annotations-2.9.9.jar"
-                    ),
-                    sha256_digest="6f97fe2094bd50435d6fbb7a2f6c2638fe44e6af17cfff98ce111d0abfffe17e",
-                ),
-            },
+            [
+                {
+                    "name": "https://witness.dev/attestations/product/v0.1/file:target/jackson-annotations-2.9.9.jar",
+                    "digest": {
+                        "sha256": "6f97fe2094bd50435d6fbb7a2f6c2638fe44e6af17cfff98ce111d0abfffe17e",
+                    },
+                }
+            ],
             id="Missing sha256",
         ),
+        pytest.param(
+            json.loads(
+                """
+{
+    "subject": [
+        {
+            "name": "https://witness.dev/attestations/git/v0.1/authoremail:foo.bar@oracle.com",
+            "digest": {
+                "sha256": "923e32b55b983525acfd0df3ad18bbb016623bdf33ba7706c7ab8318ff1284a1"
+            }
+        },
+        {
+            "name": "https://witness.dev/attestations/product/v0.1/file:target/jackson-annotations-2.9.9.jar",
+            "digest": {
+                "sha256": "6f97fe2094bd50435d6fbb7a2f6c2638fe44e6af17cfff98ce111d0abfffe17e"
+            }
+        }
+    ]
+}
+"""
+            ),
+            [
+                {
+                    "name": "https://witness.dev/attestations/product/v0.1/file:target/jackson-annotations-2.9.9.jar",
+                    "digest": {
+                        "sha256": "6f97fe2094bd50435d6fbb7a2f6c2638fe44e6af17cfff98ce111d0abfffe17e",
+                    },
+                }
+            ],
+            id="Not a subject attested by the product attestor",
+        ),
     ],
 )
-def test_extract_witness_provenances_subjects(
+def test_extract_build_artifacts_from_witness_subjects(
     payload_json: v01.InTotoV01Statement,
-    expected_subjects: set[WitnessProvenanceSubject],
+    expected_subjects: list[v01.InTotoV01Subject],
 ) -> None:
     """Test the ``extract_witness_provenance_subjects`` function."""
     payload = InTotoV01Payload(statement=payload_json)
-    assert extract_witness_provenance_subjects(payload) == expected_subjects
+    assert extract_build_artifacts_from_witness_subjects(payload) == expected_subjects