chore: add provenance file handling into run_macaron.sh (#698)

Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>

Author: tromai

scripts/dev_scripts/integration_tests.sh

@@ -760,6 +760,29 @@ POLICY_EXPECTED=$WORKSPACE/tests/policy_engine/expected_results/micronaut-core/t
 $RUN_POLICY -f $POLICY_FILE -d "$WORKSPACE/output/macaron.db" || log_fail
 check_or_update_expected_output $COMPARE_POLICIES $POLICY_RESULT $POLICY_EXPECTED || log_fail
 
+echo -e "\n----------------------------------------------------------------------------------"
+echo "behnazh-w/example-maven-app as a local repository"
+echo "Test Witness provenance as an input, Cue expectation validation, Policy CLI and VSA generation."
+echo -e "----------------------------------------------------------------------------------\n"
+RUN_POLICY="macaron verify-policy"
+POLICY_FILE=$WORKSPACE/tests/policy_engine/resources/policies/example-maven-project/policy.dl
+POLICY_RESULT=$WORKSPACE/output/policy_report.json
+POLICY_EXPECTED=$WORKSPACE/tests/policy_engine/expected_results/example-maven-project/example_maven_project_policy_report.json
+VSA_RESULT=$WORKSPACE/output/vsa.intoto.jsonl
+VSA_PAYLOAD_EXPECTED=$WORKSPACE/tests/vsa/integration/local_witness_example-maven-project/vsa_payload.json
+EXPECTATION_FILE=$WORKSPACE/tests/slsa_analyzer/provenance/expectations/cue/resources/valid_expectations/example-maven-project.cue
+PROVENANCE_FILE=$WORKSPACE/tests/slsa_analyzer/provenance/resources/valid_provenances/example-maven-project.json
+
+# Cloning the repository locally
+git clone https://github.com/behnazh-w/example-maven-app.git $WORKSPACE/output/git_repos/local_repos/example-maven-app || log_fail
+
+$RUN_MACARON analyze -pf $PROVENANCE_FILE -pe $EXPECTATION_FILE -purl pkg:maven/io.github.behnazh-w.demo/example-maven-app@1.0-SNAPSHOT?type=jar --repo-path example-maven-app --skip-deps || log_fail
+
+$RUN_POLICY -f $POLICY_FILE -d "$WORKSPACE/output/macaron.db" || log_fail
+
+check_or_update_expected_output $COMPARE_POLICIES $POLICY_RESULT $POLICY_EXPECTED || log_fail
+check_or_update_expected_output "$COMPARE_VSA" "$VSA_RESULT" "$VSA_PAYLOAD_EXPECTED" || log_fail
+
 # Testing the Repo Finder's remote calls.
 # This requires the 'packageurl' Python module
 echo -e "\n----------------------------------------------------------------------------------"

scripts/dev_scripts/integration_tests_docker.sh

@@ -160,6 +160,28 @@ $RUN_MACARON_SCRIPT verify-policy -f $POLICY_FILE -d "$WORKSPACE/output/macaron.
 python $COMPARE_POLICIES $POLICY_RESULT $POLICY_EXPECTED || log_fail
 python "$COMPARE_VSA" "$VSA_RESULT" "$VSA_PAYLOAD_EXPECTED" || log_fail
 
+echo -e "\n----------------------------------------------------------------------------------"
+echo "behnazh-w/example-maven-app as a local repository"
+echo "Test Witness provenance as an input, Cue expectation validation, Policy CLI and VSA generation."
+echo -e "----------------------------------------------------------------------------------\n"
+POLICY_FILE=$WORKSPACE/tests/policy_engine/resources/policies/example-maven-project/policy.dl
+POLICY_RESULT=$WORKSPACE/output/policy_report.json
+POLICY_EXPECTED=$WORKSPACE/tests/policy_engine/expected_results/example-maven-project/example_maven_project_policy_report.json
+VSA_RESULT=$WORKSPACE/output/vsa.intoto.jsonl
+VSA_PAYLOAD_EXPECTED=$WORKSPACE/tests/vsa/integration/local_witness_example-maven-project/vsa_payload.json
+EXPECTATION_FILE=$WORKSPACE/tests/slsa_analyzer/provenance/expectations/cue/resources/valid_expectations/example-maven-project.cue
+PROVENANCE_FILE=$WORKSPACE/tests/slsa_analyzer/provenance/resources/valid_provenances/example-maven-project.json
+
+# Cloning the repository locally
+git clone https://github.com/behnazh-w/example-maven-app.git $WORKSPACE/output/git_repos/local_repos/example-maven-app || log_fail
+
+$RUN_MACARON_SCRIPT analyze -pf $PROVENANCE_FILE -pe $EXPECTATION_FILE -purl pkg:maven/io.github.behnazh-w.demo/example-maven-app@1.0-SNAPSHOT?type=jar --repo-path example-maven-app --skip-deps || log_fail
+
+$RUN_MACARON_SCRIPT verify-policy -f $POLICY_FILE -d "$WORKSPACE/output/macaron.db" || log_fail
+
+python $COMPARE_POLICIES $POLICY_RESULT $POLICY_EXPECTED || log_fail
+python "$COMPARE_VSA" "$VSA_RESULT" "$VSA_PAYLOAD_EXPECTED" || log_fail
+
 echo -e "\n----------------------------------------------------------------------------------"
 echo "Test running the analysis without setting the GITHUB_TOKEN environment variables."
 echo -e "----------------------------------------------------------------------------------\n"

scripts/release_scripts/run_macaron.sh

@@ -315,6 +315,10 @@ if [[ $command == "analyze" ]]; then
                 arg_prov_exp="$2"
                 shift
                 ;;
+            -pf|--provenance-file)
+                arg_prov_file="$2"
+                shift
+                ;;
             -c|--config-path)
                 arg_config_path="$2"
                 shift
@@ -440,6 +444,16 @@ if [[ -n "${arg_prov_exp:-}" ]]; then
     fi
 fi
 
+# Mount the provenance file into ${MACARON_WORKSPACE}/prov_files/${pf_name} where pf_name is a file name.
+if [[ -n "${arg_prov_file:-}" ]]; then
+    prov_file_path="${arg_prov_file}"
+    prov_file_name="$(basename "${prov_file_path}")"
+    prov_file_path_in_container=${MACARON_WORKSPACE}/prov_files/${prov_file_name}
+    argv_command+=("--provenance-file" "$prov_file_path_in_container")
+
+    mount_file "-pf/--provenance-file" "$prov_file_path" "$prov_file_path_in_container" "ro,Z"
+fi
+
 # MACARON entrypoint - verify-policy command argvs
 # This is for macaron verify-policy command.
 # Determine the database path to be mounted into ${MACARON_WORKSPACE}/database/macaron.db

tests/policy_engine/expected_results/example-maven-project/example_maven_project_policy_report.json

@@ -0,0 +1,16 @@
+{
+    "component_satisfies_policy": [
+        [
+            "1",
+            "pkg:maven/io.github.behnazh-w.demo/example-maven-app@1.0-SNAPSHOT?type=jar",
+            "gh_witness_provenance_policy"
+        ]
+    ],
+    "passed_policies": [
+        [
+            "gh_witness_provenance_policy"
+        ]
+    ],
+    "component_violates_policy": [],
+    "failed_policies": []
+}

tests/policy_engine/resources/policies/example-maven-project/policy.dl

@@ -0,0 +1,17 @@
+/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */
+/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
+
+#include "prelude.dl"
+
+Policy("gh_witness_provenance_policy", component_id, "Policy for github Maven project with witness provenances") :-
+    check_passed(component_id, "mcn_build_service_1"),
+    check_passed(component_id, "mcn_build_script_1"),
+    check_passed(component_id, "mcn_provenance_available_1"),
+    check_passed(component_id, "mcn_provenance_expectation_1").
+
+apply_policy_to("gh_witness_provenance_policy", component_id) :-
+    is_repo(
+      _,  // repo_id
+      "github.com/behnazh-w/example-maven-app",  // http URL to the repo but without the "http://"
+      component_id
+    ).

tests/slsa_analyzer/provenance/expectations/cue/resources/valid_expectations/example-maven-project.cue

@@ -0,0 +1,17 @@
+{
+    target: "pkg:maven/io.github.behnazh-w.demo/example-maven-app",
+    predicate: {
+        attestations: [
+            {
+                type: "https://witness.dev/attestations/git/v0.1",
+                attestation: {
+                    commithash: "34c06e8ae3811885c57f8bd42db61f37ac57eb6c"
+                },
+            },
+            _,
+            _,
+            _,
+            _
+        ]
+    }
+}

tests/slsa_analyzer/provenance/resources/valid_provenances/example-maven-project.json

@@ -0,0 +1,27 @@
+{
+    "_type": "https://in-toto.io/Statement/v1",
+    "subject": [
+        {
+            "uri": "pkg:maven/io.github.behnazh-w.demo/example-maven-app@1.0-SNAPSHOT?type=jar",
+            "digest": {
+                "sha256": "19986144a60f3d16d1e8d96bc1807c42bb7c91068ab3018b85033f62c2845921"
+            }
+        }
+    ],
+    "predicateType": "https://slsa.dev/verification_summary/v1",
+    "predicate": {
+        "verifier": {
+            "id": "https://github.com/oracle/macaron",
+            "version": {
+                "macaron": "0.9.0"
+            }
+        },
+        "timeVerified": "2024-04-19T00:42:58.916316+00:00",
+        "resourceUri": "pkg:maven/io.github.behnazh-w.demo/example-maven-app@1.0-SNAPSHOT",
+        "policy": {
+            "content": "/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */\n/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */\n\n#include \"prelude.dl\"\n\nPolicy(\"gh_witness_provenance_policy\", component_id, \"Policy for github Maven project with witness provenances\") :-\n    check_passed(component_id, \"mcn_build_service_1\"),\n    check_passed(component_id, \"mcn_build_script_1\"),\n    check_passed(component_id, \"mcn_provenance_available_1\"),\n    check_passed(component_id, \"mcn_provenance_expectation_1\").\n\napply_policy_to(\"gh_witness_provenance_policy\", component_id) :-\n    is_repo(\n      _,  // repo_id\n      \"github.com/behnazh-w/example-maven-app\",  // http URL to the repo but without the \"http://\"\n      component_id\n    ).\n"
+        },
+        "verificationResult": "PASSED",
+        "verifiedLevels": []
+    }
+}