Host policies for VSAs of SLSA Build Levels #837
Labels: policy engine (The issues related to policy engine), vsa (The issues related to Verification Summary Attestation)
Currently, we store the content of the policy in a VSA and do not report the `verifiedLevels` as required by the VSA specification. See this example VSA.

Macaron policies do not always map clearly to SLSA Build Levels. But for cases where such a mapping is possible, we can host the policies in Macaron's GitHub repository and use the link in the VSA's `predicate.policy.uri`. We can then report the corresponding SLSA Build Level in `predicate.verifiedLevels`.

At the moment, Macaron's policies require a target software component to be specified in the policy itself. To host the policies described above, we can include these hosted policies as libraries and require the user to add the additional `apply_policy_to` rule, e.g.:

Alternatively, we can add a feature that takes the target software component as input of the `verify-policy` command and use a templating system to generate the final policy for the policy engine (Souffle).

Related issues:
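A verifier-side consistency check for the VSA fields discussed in this issue, added here as an example (not Macaron's code): it pins `predicate.policy.uri` to an allow-listed hosted policy by digest and rejects a `verifiedLevels` claim that the cited policy does not establish. The policy URI, policy text, verifier id and the URI-to-level mapping are constructed placeholders.

```python
import hashlib

VSA_PREDICATE_TYPE = "https://slsa.dev/verification_summary/v1"

# Constructed allow-list (hypothetical URI and policy text, not Macaron's real hosted
# policies): the hosted policy a VSA may cite and the SLSA Build Level it establishes.
HOSTED_POLICIES = {
    "https://example.invalid/macaron/policies/slsa_build_level_3.dl": {
        "level": "SLSA_BUILD_LEVEL_3",
        "text": b"/* placeholder Souffle policy body */\n",
    },
}

def policy_digest(text: bytes) -> str:
    """sha256 hex digest, the form used in the VSA's policy.digest DigestSet."""
    return hashlib.sha256(text).hexdigest()

def check_vsa(statement: dict) -> list[str]:
    """Return findings; an empty list means the level claim is consistent."""
    findings = []
    if statement.get("predicateType") != VSA_PREDICATE_TYPE:
        return ["unexpected predicateType"]
    pred = statement.get("predicate", {})
    if pred.get("verificationResult") != "PASSED":
        findings.append("verificationResult is not PASSED; do not trust verifiedLevels")
    policy = pred.get("policy", {})
    uri = policy.get("uri")
    hosted = HOSTED_POLICIES.get(uri)
    if hosted is None:
        return findings + [f"policy.uri {uri!r} is not an allow-listed hosted policy"]
    # The URI alone is mutable; pin the policy content via its digest.
    if policy.get("digest", {}).get("sha256") != policy_digest(hosted["text"]):
        findings.append("policy.digest does not match the hosted policy content")
    levels = pred.get("verifiedLevels", [])
    if not levels:
        findings.append("verifiedLevels is empty")
    findings += [f"{lv} is not established by {uri}" for lv in levels if lv != hosted["level"]]
    return findings

def example_vsa() -> dict:
    """Constructed VSA consistent with the allow-list (placeholder subject digest)."""
    uri, hosted = next(iter(HOSTED_POLICIES.items()))
    predicate = {
        "verifier": {"id": "https://example.invalid/macaron"},
        "policy": {"uri": uri, "digest": {"sha256": policy_digest(hosted["text"])}},
        "verificationResult": "PASSED",
        "verifiedLevels": [hosted["level"]],
    }
    return {"_type": "https://in-toto.io/Statement/v1", "predicateType": VSA_PREDICATE_TYPE,
            "subject": [{"name": "pkg:maven/example/artifact@1.0.0", "digest": {"sha256": "00" * 32}}],
            "predicate": predicate}
```

`check_vsa(example_vsa())` returns an empty list; editing the claimed level, the verification result or the policy URI of that statement produces a finding naming the inconsistency.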