├── .dockerignore
├── .flake8
├── .gitattributes
├── .github
├── ISSUE_TEMPLATE
│ ├── bug_report.md
│ ├── config.yaml
│ └── feature_request.md
├── codeql
│ └── codeql-config.yaml
├── dependabot.yaml
├── pull_request_template.md
└── workflows
│ ├── _build.yaml
│ ├── _build_docker.yaml
│ ├── _deploy-github-pages.yaml
│ ├── _generate-rebase.yaml
│ ├── _release-notifications.yaml
│ ├── build_base_image.yaml
│ ├── build_semgrep_wheel.yaml
│ ├── codeql-analysis.yaml
│ ├── dependabot-automerge.yaml
│ ├── pr-change-set.yaml
│ ├── pr-conventional-commits.yaml
│ ├── release.yaml
│ └── scorecards-analysis.yaml
├── .gitignore
├── .pre-commit-config.yaml
├── .semgrepignore
├── CHANGELOG.md
├── CODEOWNERS
├── CONTRIBUTING.md
├── LICENSE.txt
├── Makefile
├── README.md
├── SECURITY.md
├── THIRD_PARTY_LICENSES.txt
├── docker
├── Dockerfile.base
├── Dockerfile.final
└── user.sh
├── docs
├── Makefile
├── README.md
├── make.bat
└── source
│ ├── _static
│ ├── examples
│ │ ├── apache
│ │ │ └── maven
│ │ │ │ └── analyze_with_sbom
│ │ │ │ └── sbom.json
│ │ ├── micronaut-projects
│ │ │ └── micronaut-core
│ │ │ │ ├── analyze_with_repo_path
│ │ │ │ ├── dependencies.json
│ │ │ │ ├── junit5.html
│ │ │ │ ├── junit5.json
│ │ │ │ ├── micronaut-core.html
│ │ │ │ ├── micronaut-core.json
│ │ │ │ ├── micronaut-validation.html
│ │ │ │ ├── micronaut-validation.json
│ │ │ │ ├── reactive-streams.html
│ │ │ │ ├── reactive-streams.json
│ │ │ │ ├── reactor-core.html
│ │ │ │ └── reactor-core.json
│ │ │ │ ├── analyze_with_sbom
│ │ │ │ └── dependencies.json
│ │ │ │ └── policies
│ │ │ │ └── micronaut-core.cue
│ │ └── oracle-quickstart
│ │ │ └── oci-micronaut
│ │ │ └── policies
│ │ │ ├── oci-micronaut-purl.dl
│ │ │ └── oci-micronaut-repo.dl
│ ├── images
│ │ ├── exclude_provenance_withness_level_one.png
│ │ ├── macaron_infrastructure.png
│ │ ├── tutorial_arrow_0.15.0_report.png
│ │ ├── tutorial_arrow_0.15.0_report_top.png
│ │ ├── tutorial_arrow_1.3.0_report.png
│ │ ├── tutorial_arrow_1.3.0_report_top.png
│ │ ├── tutorial_bh_jackson_databind_infer_pipeline.png
│ │ ├── tutorial_django_5.0.6_detect_malicious_metadata_check.png
│ │ ├── tutorial_example_maven_app_report.png
│ │ ├── tutorial_example_maven_app_report_dependencies.png
│ │ ├── tutorial_log4j_find_pipeline.png
│ │ └── tutorial_semver_7.6.2_report.png
│ ├── schemastore
│ │ └── find_source_report_schema.json
│ └── style.css
│ ├── _templates
│ └── layout.html
│ ├── assets
│ ├── er-diagram.svg
│ └── macaron.svg
│ ├── conf.py
│ ├── glossary.rst
│ ├── index.rst
│ └── pages
│ ├── checks
│ └── slsa_builds.rst
│ ├── cli_usage
│ ├── command_analyze.rst
│ ├── command_dump_defaults.rst
│ ├── command_find-source.rst
│ ├── command_verify-policy.rst
│ └── index.rst
│ ├── developers_guide
│ ├── apidoc
│ │ ├── index.rst
│ │ ├── macaron.code_analyzer.rst
│ │ ├── macaron.config.rst
│ │ ├── macaron.database.rst
│ │ ├── macaron.dependency_analyzer.rst
│ │ ├── macaron.malware_analyzer.pypi_heuristics.metadata.rst
│ │ ├── macaron.malware_analyzer.pypi_heuristics.rst
│ │ ├── macaron.malware_analyzer.pypi_heuristics.sourcecode.rst
│ │ ├── macaron.malware_analyzer.rst
│ │ ├── macaron.output_reporter.rst
│ │ ├── macaron.parsers.rst
│ │ ├── macaron.parsers.yaml.rst
│ │ ├── macaron.policy_engine.rst
│ │ ├── macaron.provenance.rst
│ │ ├── macaron.repo_finder.rst
│ │ ├── macaron.repo_verifier.rst
│ │ ├── macaron.rst
│ │ ├── macaron.slsa_analyzer.asset.rst
│ │ ├── macaron.slsa_analyzer.build_tool.rst
│ │ ├── macaron.slsa_analyzer.checks.rst
│ │ ├── macaron.slsa_analyzer.ci_service.github_actions.rst
│ │ ├── macaron.slsa_analyzer.ci_service.rst
│ │ ├── macaron.slsa_analyzer.git_service.rst
│ │ ├── macaron.slsa_analyzer.package_registry.rst
│ │ ├── macaron.slsa_analyzer.provenance.expectations.cue.rst
│ │ ├── macaron.slsa_analyzer.provenance.expectations.rst
│ │ ├── macaron.slsa_analyzer.provenance.intoto.rst
│ │ ├── macaron.slsa_analyzer.provenance.intoto.v01.rst
│ │ ├── macaron.slsa_analyzer.provenance.intoto.v1.rst
│ │ ├── macaron.slsa_analyzer.provenance.rst
│ │ ├── macaron.slsa_analyzer.provenance.slsa.rst
│ │ ├── macaron.slsa_analyzer.provenance.witness.rst
│ │ ├── macaron.slsa_analyzer.rst
│ │ ├── macaron.slsa_analyzer.specs.rst
│ │ └── macaron.vsa.rst
│ ├── index.rst
│ └── style_guide.rst
│ ├── installation.rst
│ ├── output_files.rst
│ ├── supported_technologies
│ ├── index.rst
│ ├── jfrog.rst
│ ├── maven_central.rst
│ ├── npm_registry.rst
│ ├── pypi_registry.rst
│ └── witness.rst
│ ├── tutorials
│ ├── commit_finder.rst
│ ├── detect_malicious_java_dep.rst
│ ├── detect_malicious_package.rst
│ ├── detect_vulnerable_github_actions.rst
│ ├── exclude_include_checks.rst
│ ├── generate_verification_summary_attestation.rst
│ ├── index.rst
│ ├── npm_provenance.rst
│ ├── source_finder.rst
│ └── use_verification_summary_attestation.rst
│ ├── using.rst
│ └── vsa.rst
├── go.mod
├── go.sum
├── golang
├── README.md
├── cmd
│ ├── bashparser
│ │ ├── README.md
│ │ └── bashparser.go
│ └── cuevalidator
│ │ ├── README.md
│ │ └── cuevalidator.go
└── internal
│ ├── bashparser
│ ├── bashparser.go
│ ├── bashparser_test.go
│ └── resources
│ │ └── valid.sh
│ ├── cuevalidator
│ ├── cuevalidator.go
│ ├── cuevalidator_test.go
│ └── resources
│ │ ├── invalid_policy.cue
│ │ ├── invalid_provenance.json
│ │ ├── valid_policy.cue
│ │ ├── valid_provenance.json
│ │ └── valid_provenance2.json
│ └── filewriter
│ ├── filewriter.go
│ ├── filewriter_test.go
│ └── mock_dir
│ └── README.md
├── pyproject.toml
├── scripts
├── dev_scripts
│ ├── build_docker.sh
│ ├── copyright-checker.sh
│ └── samples_permissions_checker.sh
└── release_scripts
│ ├── check_vsa.sh
│ └── run_macaron.sh
├── src
└── macaron
│ ├── __init__.py
│ ├── __main__.py
│ ├── artifact
│ ├── local_artifact.py
│ └── maven.py
│ ├── code_analyzer
│ ├── __init__.py
│ └── call_graph.py
│ ├── config
│ ├── __init__.py
│ ├── defaults.ini
│ ├── defaults.py
│ ├── global_config.py
│ └── target_config.py
│ ├── database
│ ├── __init__.py
│ ├── database_manager.py
│ ├── db_custom_types.py
│ ├── table_definitions.py
│ └── views.py
│ ├── dependency_analyzer
│ ├── __init__.py
│ ├── cyclonedx.py
│ ├── cyclonedx_gradle.py
│ ├── cyclonedx_mvn.py
│ └── cyclonedx_python.py
│ ├── environment_variables.py
│ ├── errors.py
│ ├── json_tools.py
│ ├── malware_analyzer
│ ├── README.md
│ ├── __init__.py
│ ├── datetime_parser.py
│ └── pypi_heuristics
│ │ ├── __init__.py
│ │ ├── base_analyzer.py
│ │ ├── heuristics.py
│ │ ├── metadata
│ │ ├── __init__.py
│ │ ├── anomalous_version.py
│ │ ├── closer_release_join_date.py
│ │ ├── empty_project_link.py
│ │ ├── high_release_frequency.py
│ │ ├── one_release.py
│ │ ├── source_code_repo.py
│ │ ├── typosquatting_presence.py
│ │ ├── unchanged_release.py
│ │ └── wheel_absence.py
│ │ └── sourcecode
│ │ ├── __init__.py
│ │ ├── pypi_sourcecode_analyzer.py
│ │ └── suspicious_setup.py
│ ├── output_reporter
│ ├── __init__.py
│ ├── jinja2_extensions.py
│ ├── reporter.py
│ ├── results.py
│ ├── scm.py
│ └── templates
│ │ ├── base_template.html
│ │ └── macaron.html
│ ├── parsers
│ ├── __init__.py
│ ├── actionparser.py
│ ├── bashparser.py
│ ├── github_workflow_model.py
│ ├── pomparser.py
│ └── yaml
│ │ ├── __init__.py
│ │ └── loader.py
│ ├── policy_engine
│ ├── __init__.py
│ ├── examples
│ │ ├── aggregate.dl
│ │ ├── clone.dl
│ │ ├── non-regression.dl
│ │ ├── simple_example.dl
│ │ └── transitive.dl
│ ├── policies.md
│ ├── policy_engine.py
│ ├── prelude
│ │ ├── aggregate_rules.dl
│ │ ├── helper_rules.dl
│ │ ├── policy.dl
│ │ └── prelude.dl
│ ├── readme.md
│ ├── souffle.py
│ └── souffle_code_generator.py
│ ├── provenance
│ ├── __init__.py
│ ├── provenance_extractor.py
│ ├── provenance_finder.py
│ └── provenance_verifier.py
│ ├── py.typed
│ ├── repo_finder
│ ├── __init__.py
│ ├── commit_finder.py
│ ├── repo_finder.py
│ ├── repo_finder_base.py
│ ├── repo_finder_deps_dev.py
│ ├── repo_finder_enums.py
│ ├── repo_finder_java.py
│ ├── repo_finder_pypi.py
│ ├── repo_utils.py
│ └── repo_validator.py
│ ├── repo_verifier
│ ├── __init__.py
│ ├── repo_verifier.py
│ ├── repo_verifier_base.py
│ ├── repo_verifier_gradle.py
│ └── repo_verifier_maven.py
│ ├── resources
│ ├── .gitattributes
│ ├── .gitignore
│ ├── init.gradle
│ ├── policies
│ │ └── gdk
│ │ │ ├── expectation.cue.template
│ │ │ └── policy.dl.template
│ ├── popular_packages.txt
│ ├── pypi_malware_rules
│ │ ├── exfiltration.yaml
│ │ └── obfuscation.yaml
│ ├── schemastore
│ │ └── find_source_report_schema.json
│ ├── settings.gradle
│ └── settings.xml
│ ├── slsa_analyzer
│ ├── __init__.py
│ ├── analyze_context.py
│ ├── analyzer.py
│ ├── asset
│ │ └── __init__.py
│ ├── build_tool
│ │ ├── __init__.py
│ │ ├── base_build_tool.py
│ │ ├── docker.py
│ │ ├── go.py
│ │ ├── gradle.py
│ │ ├── language.py
│ │ ├── maven.py
│ │ ├── npm.py
│ │ ├── pip.py
│ │ ├── poetry.py
│ │ └── yarn.py
│ ├── checks
│ │ ├── README.md
│ │ ├── __init__.py
│ │ ├── base_check.py
│ │ ├── build_as_code_check.py
│ │ ├── build_script_check.py
│ │ ├── build_service_check.py
│ │ ├── build_tool_check.py
│ │ ├── check_result.py
│ │ ├── detect_malicious_metadata_check.py
│ │ ├── github_actions_vulnerability_check.py
│ │ ├── infer_artifact_pipeline_check.py
│ │ ├── provenance_available_check.py
│ │ ├── provenance_commit_check.py
│ │ ├── provenance_l3_content_check.py
│ │ ├── provenance_repo_check.py
│ │ ├── provenance_verified_check.py
│ │ ├── provenance_witness_l1_check.py
│ │ ├── scm_authenticity_check.py
│ │ ├── trusted_builder_l3_check.py
│ │ └── vcs_check.py
│ ├── ci_service
│ │ ├── __init__.py
│ │ ├── base_ci_service.py
│ │ ├── circleci.py
│ │ ├── github_actions
│ │ │ ├── __init__.py
│ │ │ ├── analyzer.py
│ │ │ └── github_actions_ci.py
│ │ ├── gitlab_ci.py
│ │ ├── jenkins.py
│ │ └── travis.py
│ ├── database_store.py
│ ├── git_service
│ │ ├── __init__.py
│ │ ├── api_client.py
│ │ ├── base_git_service.py
│ │ ├── bitbucket.py
│ │ ├── github.py
│ │ ├── gitlab.py
│ │ └── local_repo_git_service.py
│ ├── git_url.py
│ ├── levels.py
│ ├── package_registry
│ │ ├── __init__.py
│ │ ├── deps_dev.py
│ │ ├── jfrog_maven_registry.py
│ │ ├── maven_central_registry.py
│ │ ├── npm_registry.py
│ │ ├── osv_dev.py
│ │ ├── package_registry.py
│ │ └── pypi_registry.py
│ ├── provenance
│ │ ├── __init__.py
│ │ ├── expectations
│ │ │ ├── __init__.py
│ │ │ ├── cue
│ │ │ │ ├── __init__.py
│ │ │ │ └── cue_validator.py
│ │ │ ├── expectation.py
│ │ │ └── expectation_registry.py
│ │ ├── intoto
│ │ │ ├── __init__.py
│ │ │ ├── errors.py
│ │ │ ├── v01
│ │ │ │ └── __init__.py
│ │ │ └── v1
│ │ │ │ └── __init__.py
│ │ ├── loader.py
│ │ ├── provenance.py
│ │ ├── slsa
│ │ │ └── __init__.py
│ │ └── witness
│ │ │ ├── __init__.py
│ │ │ └── attestor.py
│ ├── registry.py
│ ├── slsa_req.py
│ └── specs
│ │ ├── __init__.py
│ │ ├── build_spec.py
│ │ ├── ci_spec.py
│ │ ├── inferred_provenance.py
│ │ ├── package_registry_spec.py
│ │ └── pypi_certificate_predicate.py
│ ├── util.py
│ └── vsa
│ ├── __init__.py
│ └── vsa.py
└── tests
├── __init__.py
├── analyze_json_output
├── __init__.py
└── compare_analyze_json_output.py
├── artifact
├── __init__.py
├── test_local_artifact.py
└── test_maven.py
├── config
├── __init__.py
├── resources
│ └── defaults.ini
└── test_defaults.py
├── conftest.py
├── database
├── __init__.py
└── test_database_manager.py
├── dependency_analyzer
├── __init__.py
├── compare_dependencies.py
├── cyclonedx
│ ├── __init__.py
│ ├── __snapshots__
│ │ └── test_cyclonedx.ambr
│ ├── defaults.ini
│ ├── resources
│ │ ├── bom_aws_child_1.json
│ │ ├── bom_aws_child_2.json
│ │ ├── bom_aws_parent.json
│ │ ├── bom_multi_versions.json
│ │ ├── bom_no_group.json
│ │ ├── bom_no_version.json
│ │ ├── bom_requests.json
│ │ ├── invalid_bom.json
│ │ ├── invalid_json.json
│ │ ├── sbom_name_tests
│ │ │ ├── multiple_named_sboms
│ │ │ │ └── target
│ │ │ │ │ ├── custom_bom.json
│ │ │ │ │ └── custom_bom_2.json
│ │ │ ├── single_named_sbom
│ │ │ │ └── target
│ │ │ │ │ └── custom_bom.json
│ │ │ ├── single_named_sbom_with_children
│ │ │ │ └── target
│ │ │ │ │ ├── custom_bom.json
│ │ │ │ │ └── target
│ │ │ │ │ └── custom_bom.json
│ │ │ └── single_named_sbom_with_multiple_children
│ │ │ │ └── target
│ │ │ │ ├── custom_bom.json
│ │ │ │ └── target
│ │ │ │ ├── custom_bom.json
│ │ │ │ └── custom_bom_2.json
│ │ └── valid_bom.json
│ └── test_cyclonedx.py
└── test_dependency_analyzer.py
├── find_source
└── compare_source_reports.py
├── integration
├── README.md
├── cases
│ ├── ajax-requester_pypi_malware_analyzer
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── all_checks_excluded
│ │ ├── config.ini
│ │ └── test.yaml
│ ├── apache_maven_analyze_dependencies_with_no_repo_and_no_sbom
│ │ └── test.yaml
│ ├── apache_maven_analyzing_a_clone_from_another_local_repo
│ │ └── test.yaml
│ ├── apache_maven_cyclonedx_sbom_tutorial
│ │ ├── dependencies.json
│ │ ├── sbom.json
│ │ └── test.yaml
│ ├── apache_maven_local_path_with_branch_name_digest_deps_cyclonedx_maven
│ │ ├── config.ini
│ │ ├── dependencies.json
│ │ ├── maven.dl
│ │ └── test.yaml
│ ├── apache_maven_local_paths_without_dep_resolution
│ │ ├── guava.dl
│ │ ├── maven.dl
│ │ ├── mockito.dl
│ │ └── test.yaml
│ ├── apache_maven_local_repo
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── apache_maven_purl_repo_path
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── apache_maven_sbom
│ │ ├── config.ini
│ │ ├── dependencies.json
│ │ ├── sbom.json
│ │ └── test.yaml
│ ├── apache_maven_sbom_no_repo_tutorial
│ │ ├── dependencies.json
│ │ ├── sbom.json
│ │ └── test.yaml
│ ├── apache_maven_sbom_with_no_deps_resolution
│ │ ├── sbom.json
│ │ └── test.yaml
│ ├── apache_maven_using_default_template_file_as_input_template
│ │ ├── macaron.html
│ │ ├── maven.dl
│ │ └── test.yaml
│ ├── apache_maven_yaml_input_no_deps_and_skip_deps
│ │ ├── dependencies.json
│ │ └── test.yaml
│ ├── apache_maven_yaml_input_skip_deps
│ │ ├── guava.dl
│ │ ├── maven.dl
│ │ ├── mockito.dl
│ │ └── test.yaml
│ ├── behnazh-w_example-maven-app-tutorial
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── behnazh-w_example-maven-app
│ │ ├── github_provenance.jsonl
│ │ ├── github_provenance_expectation.cue
│ │ ├── policy.dl
│ │ ├── policy_report.json
│ │ ├── test.yaml
│ │ ├── vsa_payload.json
│ │ ├── witness_provenance.jsonl
│ │ └── witness_provenance_expectation.cue
│ ├── check_vsa_sh
│ │ ├── resources
│ │ │ └── vsa-micronaut-core-4.5.3.intoto.jsonl
│ │ ├── setup.sh
│ │ └── test.yaml
│ ├── check_vsa_sh_fail
│ │ ├── resources
│ │ │ └── vsa-micronaut-core-4.5.3-invalid.intoto.jsonl
│ │ ├── setup.sh
│ │ └── test.yaml
│ ├── commit_finder_tag_matching_functionality
│ │ ├── commit_finder.py
│ │ ├── resources
│ │ │ └── tags.json
│ │ └── test.yaml
│ ├── deps_depth_invalid_value
│ │ └── test.yaml
│ ├── django_invalid_path_to_virtual_env
│ │ └── test.yaml
│ ├── django_virtual_path_and_sbom_with_no_deps_resolution
│ │ └── test.yaml
│ ├── django_with_dep_resolution_virtual_env_as_input
│ │ ├── check_sourcecode_patterns.sh
│ │ ├── policy-all-pypi.dl
│ │ ├── policy-recursive-deps-confidence.dl
│ │ ├── policy-recursive-deps.dl
│ │ ├── policy-sourcecode.dl
│ │ ├── policy.dl
│ │ ├── policy_report.json
│ │ └── test.yaml
│ ├── docker_local_maven_repo_input_errors
│ │ └── test.yaml
│ ├── example_maven_app_automatic_dep_resolution_tutorial
│ │ ├── dependencies.json
│ │ └── test.yaml
│ ├── facebook_yoga_yarn_classic
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── find_source_avaje
│ │ ├── avaje-prisms.source.json
│ │ ├── config.ini
│ │ └── test.yaml
│ ├── find_source_fail
│ │ └── test.yaml
│ ├── github_maven_attestation
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── github_maven_attestation_local
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── github_pypi_attestation
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── gitlab_tinyMediaManager
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── gitlab_tinyMediaManager_purl
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── google_guava
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── google_guava_latest
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── invalid_branch_or_commit_yaml_input
│ │ ├── maven_invalid_branch.yaml
│ │ ├── maven_invalid_commit.yaml
│ │ └── test.yaml
│ ├── invalid_provenance_file
│ │ ├── invalid_provenance.json
│ │ └── test.yaml
│ ├── invalid_purl
│ │ └── test.yaml
│ ├── jackson_databind_deps_resolution_with_purl_cyclonedx_maven_plugin
│ │ ├── dependencies.json
│ │ └── test.yaml
│ ├── jackson_databind_with_purl_and_no_deps
│ │ ├── jackson-databind.dl
│ │ └── test.yaml
│ ├── jenkinsci_plotplugin
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── latest_repo_comparison
│ │ ├── check_output.sh
│ │ └── test.yaml
│ ├── log4j_release_pipeline_deleted_run
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── micronaut-projects_micronaut-core
│ │ ├── check_results_policy.dl
│ │ ├── config.ini
│ │ ├── deploy_info_policy.dl
│ │ ├── policy_report.json
│ │ └── test.yaml
│ ├── micronaut-projects_micronaut-test
│ │ ├── micronaut-test.dl
│ │ └── test.yaml
│ ├── micronaut_test_deps_resolution_with_config_cyclonedx_gradle_plugin
│ │ ├── config.yaml
│ │ ├── dependencies.json
│ │ └── test.yaml
│ ├── missing_template_file
│ │ └── test.yaml
│ ├── no_branch_or_commit
│ │ └── test.yaml
│ ├── no_github_token
│ │ └── test.yaml
│ ├── onu-ui_onu-ui_pnpm
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── oracle-macaron
│ │ ├── check_results_policy.dl
│ │ └── test.yaml
│ ├── org_apache_dubbo_dubbo-rpc-memcached
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── org_apache_logging_log4j
│ │ ├── policy_purl.dl
│ │ ├── policy_repo_url.dl
│ │ └── test.yaml
│ ├── ossf_scorecard
│ │ ├── config.ini
│ │ ├── expectation.cue
│ │ ├── policy.dl
│ │ ├── policy_report.json
│ │ ├── test.yaml
│ │ ├── vsa_payload.json
│ │ └── vsa_policy.dl
│ ├── provenance_available
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── purl_of_nonexistent_artifact
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── pypi_attestation_discovery
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── repo_finder_pypi
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── repo_finder_pypi_find_source
│ │ ├── test.yaml
│ │ └── torch.source.json
│ ├── repo_finder_remote_calls
│ │ ├── repo_finder.py
│ │ └── test.yaml
│ ├── run_macaron_sh_early_exit
│ │ └── test.yaml
│ ├── run_macaron_sh_script_unit_test
│ │ ├── setup.sh
│ │ ├── test.yaml
│ │ └── test_run_macaron_sh.py
│ ├── run_macaron_sh_with_invalid_docker_pull_env
│ │ └── test.yaml
│ ├── scm_authenticity
│ │ ├── config.ini
│ │ ├── policy_fail_1.dl
│ │ ├── policy_pass_1.dl
│ │ ├── policy_pass_2.dl
│ │ └── test.yaml
│ ├── semver
│ │ ├── config.ini
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── sigstore_mock
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── sigstore_sget
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── slsa-framework_slsa-verifier
│ │ ├── expectation.cue
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── slsa-framework_slsa-verifier_explicit_provenance_provided
│ │ ├── expectation.cue
│ │ ├── policy.dl
│ │ ├── slsa_verifier.jsonl
│ │ ├── test.yaml
│ │ └── url_link_config.ini
│ ├── snakeyaml_unsupported_git_service
│ │ ├── config.ini
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── tautoak4-hello-world
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── test_analyzing_an_invalid_local_repo_path
│ │ └── test.yaml
│ ├── test_not_pulling_from_remote_for_a_local_repo
│ │ ├── setup.sh
│ │ ├── test.sh
│ │ └── test.yaml
│ ├── test_using_a_repo_path_outside_of_local_repos_dir
│ │ └── test.yaml
│ ├── test_using_invalid_local_repos_dir
│ │ └── test.yaml
│ ├── test_using_local_repo_with_no_commit
│ │ ├── setup.sh
│ │ └── test.yaml
│ ├── timyarkov_docker_test
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── timyarkov_multibuild_test_gradle
│ │ ├── dependencies.json
│ │ └── test.yaml
│ ├── timyarkov_multibuild_test_maven
│ │ ├── dependencies.json
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── tutorial_npm_verify_provenance_semver
│ │ ├── policy_7_6_2.dl
│ │ ├── policy_7_6_x.dl
│ │ ├── policy_7_plus.dl
│ │ └── test.yaml
│ ├── tutorial_source_finder
│ │ ├── check_output.sh
│ │ └── test.yaml
│ ├── type-extension
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── uiv-lib_uiv
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── ultralytics
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── ultralytics_8.3.46
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── update_local_repositories
│ │ ├── modify_clone.sh
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── urllib3_expectation_dir
│ │ ├── expectation
│ │ │ └── expectation.cue
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── urllib3_expectation_file
│ │ ├── expectation.cue
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── urllib3_invalid_expectation
│ │ ├── invalid_expectation.cue
│ │ ├── policy.dl
│ │ └── test.yaml
│ ├── urllib3_no_tag
│ │ ├── policy.dl
│ │ └── test.yaml
│ └── wojtekmaj_reactpdf_yarn_modern
│ │ ├── policy.dl
│ │ └── test.yaml
└── run.py
├── macaron_testcase.py
├── malware_analyzer
└── pypi
│ ├── conftest.py
│ ├── resources
│ ├── custom_sample.yaml
│ └── sourcecode_samples
│ │ ├── exfiltration
│ │ ├── expected_results.json
│ │ └── remote_exfiltration.py
│ │ └── obfuscation
│ │ ├── decode_and_execute.py
│ │ ├── expected_results.json
│ │ ├── inline_imports.py
│ │ └── obfuscation_tools.py
│ ├── test_anomalous_version.py
│ ├── test_closer_release_join_date.py
│ ├── test_empty_project_link_analyzer.py
│ ├── test_high_release_frequency.py
│ ├── test_one_release_analyzer.py
│ ├── test_pypi_sourcecode_analyzer.py
│ ├── test_source_code_repo.py
│ ├── test_suspicious_setup.py
│ ├── test_typosquatting_presence.py
│ ├── test_unchanged_release.py
│ └── test_wheel_absence.py
├── output_reporter
├── __init__.py
├── template.html
├── test_jinja_extensions.py
└── test_reporter.py
├── parsers
├── __init__.py
├── actionparser
│ ├── __init__.py
│ ├── __snapshots__
│ │ └── test_actionparser.ambr
│ ├── resources
│ │ └── workflow_files
│ │ │ ├── codeql-analysis.yml
│ │ │ ├── invalid.yaml
│ │ │ ├── maven.yml
│ │ │ └── release.yaml
│ └── test_actionparser.py
├── bashparser
│ ├── __init__.py
│ ├── resources
│ │ ├── bash_files
│ │ │ ├── invalid.sh
│ │ │ ├── path_traversal.sh
│ │ │ ├── recursive.sh
│ │ │ ├── valid.sh
│ │ │ └── valid_github_action_bash.sh
│ │ └── expected_results
│ │ │ ├── valid.json
│ │ │ └── valid_github_action_bash.json
│ └── test_bashparser.py
└── yaml
│ ├── __init__.py
│ ├── resources
│ ├── invalid.yaml
│ ├── not_valid_against_schema.yaml
│ ├── schema.yaml
│ └── valid_against_schema.yaml
│ └── test_yaml_loader.py
├── policy_engine
├── __init__.py
├── compare_policy_reports.py
├── expected_results
│ └── policy_report.json
├── resources
│ ├── facts
│ │ ├── edge.facts
│ │ ├── macaron.db.gz
│ │ └── test.dl
│ └── policies
│ │ ├── urllib3
│ │ └── urllib3.dl
│ │ └── valid
│ │ ├── simple_example.dl
│ │ └── testpolicy.dl
├── test_policy.py
└── test_souffle.py
├── provenance
├── __init__.py
├── test_provenance_extractor.py
└── test_provenance_finder.py
├── repo_finder
├── __init__.py
├── test_commit_finder.py
├── test_repo_finder.py
├── test_repo_finder_deps_dev.py
└── test_report_schema.py
├── schema_validation
├── __init__.py
├── json_schema_validate.py
└── report_schema.json
├── slsa_analyzer
├── __init__.py
├── build_tool
│ ├── __init__.py
│ ├── __snapshots__
│ │ ├── test_docker.ambr
│ │ ├── test_go.ambr
│ │ ├── test_gradle.ambr
│ │ ├── test_maven.ambr
│ │ ├── test_npm.ambr
│ │ ├── test_poetry.ambr
│ │ └── test_yarn.ambr
│ ├── mock_repos
│ │ ├── docker_repos
│ │ │ ├── nested_dockerfile
│ │ │ │ └── project
│ │ │ │ │ └── Dockerfile
│ │ │ ├── no_docker
│ │ │ │ └── dummy_file.txt
│ │ │ ├── root_dockerfile
│ │ │ │ └── Dockerfile
│ │ │ ├── root_dockerfile_wildcard
│ │ │ │ └── Dockerfile.final
│ │ │ └── root_wildcard_dockerfile
│ │ │ │ └── final.Dockerfile
│ │ ├── go_repos
│ │ │ └── no_go_mod
│ │ │ │ └── dummy_file.txt
│ │ ├── gradle_repos
│ │ │ ├── groovy_gradle
│ │ │ │ ├── build.gradle
│ │ │ │ ├── project1
│ │ │ │ │ └── build.gradle
│ │ │ │ ├── project2
│ │ │ │ │ └── build.gradle
│ │ │ │ └── settings.gradle
│ │ │ └── kotlin_gradle
│ │ │ │ ├── build.gradle.kts
│ │ │ │ ├── project1
│ │ │ │ └── build.gradle.kts
│ │ │ │ ├── project2
│ │ │ │ └── build.gradle.kts
│ │ │ │ └── settings.gradle.kts
│ │ ├── maven_repos
│ │ │ ├── has_parent_pom
│ │ │ │ ├── pom.xml
│ │ │ │ ├── sub_module_1
│ │ │ │ │ └── pom.xml
│ │ │ │ └── sub_module_2
│ │ │ │ │ └── pom.xml
│ │ │ └── no_parent_pom
│ │ │ │ ├── sub_module_1
│ │ │ │ └── pom.xml
│ │ │ │ └── sub_module_2
│ │ │ │ └── pom.xml
│ │ ├── npm_repos
│ │ │ ├── nested_package
│ │ │ │ └── project
│ │ │ │ │ └── package.json
│ │ │ ├── no_package
│ │ │ │ └── dummyfile.txt
│ │ │ ├── root_package
│ │ │ │ └── package.json
│ │ │ └── root_package_packagelock
│ │ │ │ ├── package-lock.json
│ │ │ │ └── package.json
│ │ ├── poetry_repos
│ │ │ ├── has_poetry_lock
│ │ │ │ ├── poetry.lock
│ │ │ │ └── pyproject.toml
│ │ │ ├── no_poetry
│ │ │ │ └── pyproject.toml
│ │ │ └── no_poetry_lock
│ │ │ │ └── pyproject.toml
│ │ └── yarn_repos
│ │ │ ├── nested_package
│ │ │ └── project
│ │ │ │ └── package.json
│ │ │ ├── no_package
│ │ │ └── dummyfile.txt
│ │ │ ├── root_package
│ │ │ └── package.json
│ │ │ └── root_package_packagelock
│ │ │ ├── package-lock.json
│ │ │ └── package.json
│ ├── test_docker.py
│ ├── test_go.py
│ ├── test_gradle.py
│ ├── test_maven.py
│ ├── test_npm.py
│ ├── test_pip.py
│ ├── test_poetry.py
│ └── test_yarn.py
├── checks
│ ├── __init__.py
│ ├── base_check
│ │ └── test_base_check.py
│ ├── resources
│ │ ├── build_as_code
│ │ │ ├── travis_ci_no_deploy
│ │ │ │ └── .travis.yml
│ │ │ └── travis_ci_with_deploy
│ │ │ │ └── .travis.yml
│ │ ├── github
│ │ │ └── workflow_files
│ │ │ │ ├── Bradford1040_mainsail_check_locale.yml
│ │ │ │ ├── maven_build_itself.yml
│ │ │ │ ├── pypi_publish.yaml
│ │ │ │ ├── pypi_publish_blah.yaml
│ │ │ │ └── slsa_verifier.yaml
│ │ ├── osv_files
│ │ │ ├── tj-actions_changed-files_query.json
│ │ │ └── tj-actions_changed-files_querybatch.json
│ │ └── pypi_files
│ │ │ ├── zlibxjson-8.2.source
│ │ │ ├── zlibxjson.html
│ │ │ ├── zlibxjson_package.json
│ │ │ └── zlibxjson_user.html
│ ├── test_build_as_code_check.py
│ ├── test_build_script_check.py
│ ├── test_build_service_check.py
│ ├── test_build_tool_check.py
│ ├── test_check_results.py
│ ├── test_detect_malicious_metadata_check.py
│ ├── test_github_actions_vulnerability_check.py
│ ├── test_infer_artifact_pipeline.py
│ ├── test_provenance_available_check.py
│ ├── test_provenance_l3_content_check.py
│ ├── test_provenance_repo_commit_checks.py
│ ├── test_provenance_witness_l1_check.py
│ ├── test_registry.py
│ ├── test_registry_e2e.py
│ ├── test_repo_verification_check.py
│ ├── test_trusted_builder_l3_check.py
│ └── test_vcs_check.py
├── ci_service
│ ├── __init__.py
│ ├── mock_repos
│ │ ├── has_build_gh_actions
│ │ │ └── .github
│ │ │ │ └── workflows
│ │ │ │ ├── build.yml
│ │ │ │ └── deploy.yml
│ │ ├── has_build_jenkins
│ │ │ └── Jenkinsfile
│ │ └── no_build_gh_actions
│ │ │ └── .github
│ │ │ └── workflows
│ │ │ ├── build.yml
│ │ │ └── deploy.yml
│ ├── resources
│ │ ├── base_ci_service
│ │ │ ├── files_with_kws
│ │ │ │ ├── a.txt
│ │ │ │ └── b.txt
│ │ │ └── files_with_no_kws
│ │ │ │ ├── a.txt
│ │ │ │ └── b.txt
│ │ └── github
│ │ │ ├── valid1.yaml
│ │ │ └── valid2.yaml
│ ├── test_base_ci_service.py
│ └── test_github_actions.py
├── git_service
│ ├── __init__.py
│ ├── resources
│ │ └── self_hosted_gitlab_repo
│ │ │ └── test.txt
│ ├── test_api_client.py
│ ├── test_github.py
│ └── test_gitlab.py
├── mock_git_utils.py
├── package_registry
│ ├── __init__.py
│ ├── resources
│ │ ├── maven_central_files
│ │ │ ├── empty_log4j-core@3.0.0-beta2-select.json
│ │ │ ├── invalid_log4j-core@3.0.0-beta2-select.json
│ │ │ ├── jackson-annotations@2.16.1-select.json
│ │ │ └── log4j-core@3.0.0-beta2-select.json
│ │ └── npm_registry_files
│ │ │ ├── _sigstore.mock@0.7.5.json
│ │ │ ├── empty_sigstore.mock@0.7.5.json
│ │ │ └── invalid_sigstore.mock@0.7.5.json
│ ├── test_deps_dev.py
│ ├── test_jfrog_maven_registry.py
│ ├── test_maven_central_registry.py
│ ├── test_npm_registry.py
│ └── test_osv_dev.py
├── provenance
│ ├── expectations
│ │ └── cue
│ │ │ ├── resources
│ │ │ ├── invalid_expectations
│ │ │ │ ├── invalid.cue
│ │ │ │ └── urllib3_INVALID.cue
│ │ │ └── valid_expectations
│ │ │ │ ├── slsa_verifier_FAIL.cue
│ │ │ │ ├── slsa_verifier_PASS.cue
│ │ │ │ ├── urllib3_FAIL.cue
│ │ │ │ └── urllib3_PASS.cue
│ │ │ └── test_cue_validator.py
│ ├── intoto
│ │ ├── __init__.py
│ │ ├── v01
│ │ │ ├── __init__.py
│ │ │ └── test_validate.py
│ │ └── v1
│ │ │ ├── __init__.py
│ │ │ └── test_validate.py
│ ├── resources
│ │ ├── micronaut.intoto.jsonl
│ │ └── valid_provenances
│ │ │ ├── sigstore-mock.payload.json
│ │ │ ├── slsa-verifier-linux-amd64.intoto.jsonl
│ │ │ ├── slsa-verifier-linux-amd64.intoto.jsonl.gz
│ │ │ ├── slsa-verifier-linux-amd64.intoto.jsonl.url
│ │ │ ├── urllib3_decoded_FAIL.json
│ │ │ └── urllib3_decoded_PASS.json
│ └── test_witness_provenance.py
├── runner
│ └── __init__.py
├── test_analyze_context.py
├── test_analyzer.py
├── test_git_url.py
└── test_slsa_requirements.py
├── st.py
├── test_environment_variables.py
├── test_main.py
├── test_util.py
└── vsa
├── __init__.py
├── compare_vsa.py
├── integration
└── github_slsa-framework_slsa-verifier
│ └── vsa_payload.json
├── test_compare_vsa.py
└── test_vsa.py
/.dockerignore:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | *__pycache__
5 | *.hypothesis
6 | *.mypy_cache
7 | *.pytest_cache
8 | *.m2
9 | *.db
10 | build_log
11 | htmlcov
12 | git_repos
13 | tests
14 | scripts
15 | search_result
16 | .coveragerc
17 | .gitignore
18 | .pre-commit-config.yaml
19 | .pylintrc
20 | debug.log
21 | Jenkinsfile
22 | mypy.ini
23 | README.md
24 | assets
25 | setting.xml
26 | .coverage
27 | sample_profile.json
28 | .git
29 | Dockerfile
30 | .dockerignore
31 | .vscode
32 | .idea
33 | *.venv
34 | output
35 | slsa-verifier
36 |
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | # Set default behavior to automatically normalize line endings.
5 | * text=auto
6 |
7 | # Force batch scripts to always use CRLF line endings so that if a repo is accessed
8 | # in Windows via a file share from Linux, the scripts will work.
9 | *.{cmd,[cC][mM][dD]} text eol=crlf
10 | *.{bat,[bB][aA][tT]} text eol=crlf
11 | *.{ps1,[pP][sS]1} text eol=crlf
12 |
13 | # Force bash scripts to always use LF line endings so that if a repo is accessed
14 | # in Unix via a file share from Windows, the scripts will work.
15 | *.sh text eol=lf
16 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/config.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | blank_issues_enabled: false
5 | contact_links:
6 | - name: GitHub Discussions
7 | url: https://github.com/oracle/macaron/discussions
8 | about: Please ask and answer questions here.
9 | - name: Security Reports
10 | url: https://github.com/oracle/macaron/blob/main/SECURITY.md
11 | about: Do not open a public issue for security vulnerabilities; report them privately by following the instructions in SECURITY.md.
12 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Feature Request
3 | about: Suggest a new feature or enhancement for Macaron.
4 | title: "[Feature Request] - [Describe Feature]"
5 | labels: enhancement, feature
6 | assignees: ''
7 |
8 | ---
9 |
10 | ### Description
11 | Please provide a clear and concise description of the feature or enhancement you'd like to see in Macaron. Explain why it would be useful and how it could improve the tool.
12 |
13 | ### Proposed Feature
14 | What functionality or feature would you like to add to Macaron? Please describe it in detail.
15 |
16 | ### Use Case
17 |
--------------------------------------------------------------------------------
/.github/codeql/codeql-config.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | name: CodeQL configuration
5 | paths:
6 | - src/macaron
7 |
--------------------------------------------------------------------------------
/.github/workflows/dependabot-automerge.yaml:
--------------------------------------------------------------------------------
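# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Automatically merge Dependabot PRs upon approval by leaving
# a comment on Dependabot's pull-request.
#
# The comment is posted with DEPENDABOT_AUTOMERGE_TOKEN, so Dependabot acts on the
# authority of that token's owner. The job guard therefore requires that the PR was
# opened by Dependabot AND that the approving review comes from a repository owner,
# organization member or collaborator: on a public repository any account can submit
# an "approved" review, and such an approval must not be enough to trigger a merge.

name: Automerge Dependabot PR
on:
  pull_request_review:
    types: [submitted]

# Only the default GITHUB_TOKEN is scoped here; the step below exports the PAT as
# GITHUB_TOKEN for `gh`, presumably because Dependabot only acts on comments from
# a user with write access (confirm against the Dependabot docs).
permissions:
  pull-requests: write

jobs:
  comment:
    if: >-
      ${{
        github.event.review.state == 'approved' &&
        github.event.pull_request.user.login == 'dependabot[bot]' &&
        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.review.author_association)
      }}
    runs-on: ubuntu-latest
    steps:
      - name: Merge Dependabot PR
        # The PR URL is passed through the environment rather than interpolated
        # into the command line, so event data never reaches the shell unquoted.
        run: gh pr comment --body "@dependabot squash and merge" "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.DEPENDABOT_AUTOMERGE_TOKEN }}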
25 |
--------------------------------------------------------------------------------
/.github/workflows/pr-change-set.yaml:
--------------------------------------------------------------------------------
# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# This workflow checks and tests the package code, builds all package
# artifacts and the Docker image whenever there are changes to a pull request.
#
# It is triggered by `pull_request` (not `pull_request_target`), so the code that
# runs is the PR head and, for pull requests from forks, the job token is read-only
# and repository secrets are not made available to the PR's code.

name: Check change set
on:
  pull_request:
    branches:
      # NOTE(review): a single '*' does not match '/', so pull requests whose base
      # branch name contains a slash (e.g. a constructed "release/1.x") do not
      # trigger this workflow; use '**' if every base branch should be checked.
      - '*'
    types:
      - opened
      - reopened
      - synchronize
      - converted_to_draft
# Workflow-level default: the GITHUB_TOKEN may only read repository contents.
permissions:
  contents: read

jobs:
  build:
    # All of the work lives in the reusable _build.yaml workflow.
    uses: ./.github/workflows/_build.yaml
    # Permissions granted to the reusable workflow. `packages: read` is added on
    # top of the workflow default, presumably to pull an image from the GitHub
    # container registry -- confirm against _build.yaml.
    permissions:
      contents: read
      packages: read
26 |
--------------------------------------------------------------------------------
/.semgrepignore:
--------------------------------------------------------------------------------
1 | # Items added to this file will be ignored by Semgrep.
2 |
--------------------------------------------------------------------------------
/CODEOWNERS:
--------------------------------------------------------------------------------
1 | * @behnazh-w @tromai
2 |
--------------------------------------------------------------------------------
/docs/Makefile:
--------------------------------------------------------------------------------
# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Minimal makefile for Sphinx documentation
#

# You can set these variables from the command line, and also
# from the environment for the first two (`?=` only assigns when the
# variable is not already defined).

# Treat the warnings as errors, so a broken reference or directive fails
# the documentation build instead of being silently rendered.
SPHINXOPTS ?= -W
SPHINXBUILD ?= sphinx-build
SOURCEDIR = source
BUILDDIR = _build

# Put it first so that "make" without argument is like "make help".
help:
	@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)

# `Makefile` is declared phony so the catch-all rule below never tries to
# rebuild this file itself.
.PHONY: help Makefile

# Catch-all target: route all unknown targets to Sphinx using the new
# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS).
%: Makefile
	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
26 |
--------------------------------------------------------------------------------
/docs/source/_static/examples/micronaut-projects/micronaut-core/policies/micronaut-core.cue:
--------------------------------------------------------------------------------
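{
    // The provenance subject this expectation applies to.
    target: "micronaut-projects/micronaut-core",
    predicate: {
        invocation: {
            configSource: {
                // Only builds invoked from a semantic-version tag of the upstream
                // repository are accepted. The dots are escaped so each one matches
                // a literal "." rather than any character, and the ^/$ anchors stop a
                // longer or prefixed ref from satisfying the pattern.
                uri: =~"^git\\+https://github.com/micronaut-projects/micronaut-core@refs/tags/v[0-9]+\\.[0-9]+\\.[0-9]+$"
                // The workflow file that must have produced the artifact.
                entryPoint: ".github/workflows/release.yml"
            }
        }
    }
}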
12 |
--------------------------------------------------------------------------------
/docs/source/_static/images/exclude_provenance_withness_level_one.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/docs/source/_static/images/exclude_provenance_withness_level_one.png
--------------------------------------------------------------------------------
/docs/source/_static/images/macaron_infrastructure.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/docs/source/_static/images/macaron_infrastructure.png
--------------------------------------------------------------------------------
/docs/source/_static/images/tutorial_arrow_0.15.0_report.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/docs/source/_static/images/tutorial_arrow_0.15.0_report.png
--------------------------------------------------------------------------------
/docs/source/_static/images/tutorial_arrow_0.15.0_report_top.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/docs/source/_static/images/tutorial_arrow_0.15.0_report_top.png
--------------------------------------------------------------------------------
/docs/source/_static/images/tutorial_arrow_1.3.0_report.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/docs/source/_static/images/tutorial_arrow_1.3.0_report.png
--------------------------------------------------------------------------------
/docs/source/_static/images/tutorial_arrow_1.3.0_report_top.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/docs/source/_static/images/tutorial_arrow_1.3.0_report_top.png
--------------------------------------------------------------------------------
/docs/source/_static/images/tutorial_bh_jackson_databind_infer_pipeline.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/docs/source/_static/images/tutorial_bh_jackson_databind_infer_pipeline.png
--------------------------------------------------------------------------------
/docs/source/_static/images/tutorial_django_5.0.6_detect_malicious_metadata_check.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/docs/source/_static/images/tutorial_django_5.0.6_detect_malicious_metadata_check.png
--------------------------------------------------------------------------------
/docs/source/_static/images/tutorial_example_maven_app_report.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/docs/source/_static/images/tutorial_example_maven_app_report.png
--------------------------------------------------------------------------------
/docs/source/_static/images/tutorial_example_maven_app_report_dependencies.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/docs/source/_static/images/tutorial_example_maven_app_report_dependencies.png
--------------------------------------------------------------------------------
/docs/source/_static/images/tutorial_log4j_find_pipeline.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/docs/source/_static/images/tutorial_log4j_find_pipeline.png
--------------------------------------------------------------------------------
/docs/source/_static/images/tutorial_semver_7.6.2_report.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/docs/source/_static/images/tutorial_semver_7.6.2_report.png
--------------------------------------------------------------------------------
/docs/source/_static/schemastore/find_source_report_schema.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://json-schema.org/draft/2020-12/schema",
3 | "$id": "macaron-source-finder-json-report-schema",
4 | "title": "Macaron Source Finder JSON Report",
5 | "$comment": "For any details about the schema specification and validation documentation, see https://json-schema.org/draft/2020-12/draft-bhutton-json-schema-00 and https://json-schema.org/draft/2020-12/draft-bhutton-json-schema-validation-00.",
6 | "type": "object",
7 | "properties": {
8 | "purl": {
9 | "type": "string"
10 | },
11 | "commit": {
12 | "type": "string"
13 | },
14 | "repo": {
15 | "type": "string"
16 | },
17 | "repo_validated": {
18 | "type": "boolean"
19 | },
20 | "commit_validated": {
21 | "type": "boolean"
22 | },
23 | "url": {
24 | "type": "string"
25 | }
26 | }
27 | }
28 |
--------------------------------------------------------------------------------
/docs/source/_templates/layout.html:
--------------------------------------------------------------------------------
1 | {# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved. #}
2 | {# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. #}
3 |
4 | {% extends "!layout.html" %}
5 | {% block extrahead %}
6 |
7 | {% endblock %}
8 |
--------------------------------------------------------------------------------
/docs/source/pages/cli_usage/command_dump_defaults.rst:
--------------------------------------------------------------------------------
1 | .. Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | .. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | .. _action_dump_defaults:
5 |
6 | =============
7 | Dump Defaults
8 | =============
9 |
10 | -----------
11 | Description
12 | -----------
13 |
14 | Dumps the ``defaults.ini`` configuration file used by Macaron to the output directory. You can make changes to this configuration file and pass it to Macaron using the ``--defaults-path`` option. See :ref:`Analyze ` for more information.
15 |
16 | -----
17 | Usage
18 | -----
19 |
20 | .. code-block:: shell
21 |
22 | usage: ./run_macaron.sh dump-defaults [-h]
23 |
24 | -------
25 | Options
26 | -------
27 |
28 | .. option:: -h, --help
29 |
30 | Show this help message and exit
31 |
--------------------------------------------------------------------------------
/docs/source/pages/cli_usage/command_find-source.rst:
--------------------------------------------------------------------------------
1 | .. Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | .. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | .. _find-source-command-cli:
5 |
6 | ===========
7 | Find Source
8 | ===========
9 |
10 | -----------
11 | Description
12 | -----------
13 |
14 | Find the source commit, and optionally source repository, of a target artifact.
15 |
16 | -----
17 | Usage
18 | -----
19 |
20 | .. code-block:: shell
21 |
22 | usage: ./run_macaron.sh find-source -purl PURL [-rp REPO_PATH]
23 |
24 | -------
25 | Options
26 | -------
27 |
28 | .. option:: -h, --help
29 |
30 | Show this help message and exit
31 |
32 | .. option:: -purl PACKAGE_URL, --package-url PACKAGE_URL
33 |
34 | The PURL string used to uniquely identify the artifact.
35 |
36 | .. option:: -rp REPO_PATH, --repo-path REPO_PATH
37 |
38 | The path to the repository.
39 |
--------------------------------------------------------------------------------
/docs/source/pages/cli_usage/command_verify-policy.rst:
--------------------------------------------------------------------------------
1 | .. Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | .. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | .. _verify-policy-command-cli:
5 |
6 | =============
7 | Verify Policy
8 | =============
9 |
10 | -----------
11 | Description
12 | -----------
13 |
14 | Verify the analysis results against a Souffle Datalog policy.
15 |
16 | -----
17 | Usage
18 | -----
19 |
20 | .. code-block:: shell
21 |
22 | usage: ./run_macaron.sh verify-policy [-h] -d DATABASE (-f FILE | -s)
23 |
24 | -------
25 | Options
26 | -------
27 |
28 | .. option:: -h, --help
29 |
30 | Show this help message and exit
31 |
32 | .. option:: -d DATABASE, --database DATABASE
33 |
34 | Path to the database.
35 |
36 | .. option:: -f FILE, --file FILE
37 |
38 | Path to the Datalog policy.
39 |
40 | .. option:: -s, --show-prelude
41 |
42 | Show policy prelude.
43 |
--------------------------------------------------------------------------------
/docs/source/pages/developers_guide/apidoc/index.rst:
--------------------------------------------------------------------------------
1 | .. Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | .. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | =====================
5 | Macaron API Reference
6 | =====================
7 |
8 | .. toctree::
9 | :maxdepth: 1
10 |
11 | macaron
12 |
--------------------------------------------------------------------------------
/docs/source/pages/developers_guide/apidoc/macaron.code_analyzer.rst:
--------------------------------------------------------------------------------
1 | macaron.code\_analyzer package
2 | ==============================
3 |
4 | .. automodule:: macaron.code_analyzer
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
9 | Submodules
10 | ----------
11 |
12 | macaron.code\_analyzer.call\_graph module
13 | -----------------------------------------
14 |
15 | .. automodule:: macaron.code_analyzer.call_graph
16 | :members:
17 | :undoc-members:
18 | :show-inheritance:
19 |
--------------------------------------------------------------------------------
/docs/source/pages/developers_guide/apidoc/macaron.config.rst:
--------------------------------------------------------------------------------
1 | macaron.config package
2 | ======================
3 |
4 | .. automodule:: macaron.config
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
9 | Submodules
10 | ----------
11 |
12 | macaron.config.defaults module
13 | ------------------------------
14 |
15 | .. automodule:: macaron.config.defaults
16 | :members:
17 | :undoc-members:
18 | :show-inheritance:
19 |
20 | macaron.config.global\_config module
21 | ------------------------------------
22 |
23 | .. automodule:: macaron.config.global_config
24 | :members:
25 | :undoc-members:
26 | :show-inheritance:
27 |
28 | macaron.config.target\_config module
29 | ------------------------------------
30 |
31 | .. automodule:: macaron.config.target_config
32 | :members:
33 | :undoc-members:
34 | :show-inheritance:
35 |
--------------------------------------------------------------------------------
/docs/source/pages/developers_guide/apidoc/macaron.malware_analyzer.rst:
--------------------------------------------------------------------------------
1 | macaron.malware\_analyzer package
2 | =================================
3 |
4 | .. automodule:: macaron.malware_analyzer
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
9 | Subpackages
10 | -----------
11 |
12 | .. toctree::
13 | :maxdepth: 1
14 |
15 | macaron.malware_analyzer.pypi_heuristics
16 |
17 | Submodules
18 | ----------
19 |
20 | macaron.malware\_analyzer.datetime\_parser module
21 | -------------------------------------------------
22 |
23 | .. automodule:: macaron.malware_analyzer.datetime_parser
24 | :members:
25 | :undoc-members:
26 | :show-inheritance:
27 |
--------------------------------------------------------------------------------
/docs/source/pages/developers_guide/apidoc/macaron.parsers.yaml.rst:
--------------------------------------------------------------------------------
1 | macaron.parsers.yaml package
2 | ============================
3 |
4 | .. automodule:: macaron.parsers.yaml
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
9 | Submodules
10 | ----------
11 |
12 | macaron.parsers.yaml.loader module
13 | ----------------------------------
14 |
15 | .. automodule:: macaron.parsers.yaml.loader
16 | :members:
17 | :undoc-members:
18 | :show-inheritance:
19 |
--------------------------------------------------------------------------------
/docs/source/pages/developers_guide/apidoc/macaron.policy_engine.rst:
--------------------------------------------------------------------------------
1 | macaron.policy\_engine package
2 | ==============================
3 |
4 | .. automodule:: macaron.policy_engine
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
9 | Submodules
10 | ----------
11 |
12 | macaron.policy\_engine.policy\_engine module
13 | --------------------------------------------
14 |
15 | .. automodule:: macaron.policy_engine.policy_engine
16 | :members:
17 | :undoc-members:
18 | :show-inheritance:
19 |
20 | macaron.policy\_engine.souffle module
21 | -------------------------------------
22 |
23 | .. automodule:: macaron.policy_engine.souffle
24 | :members:
25 | :undoc-members:
26 | :show-inheritance:
27 |
28 | macaron.policy\_engine.souffle\_code\_generator module
29 | ------------------------------------------------------
30 |
31 | .. automodule:: macaron.policy_engine.souffle_code_generator
32 | :members:
33 | :undoc-members:
34 | :show-inheritance:
35 |
--------------------------------------------------------------------------------
/docs/source/pages/developers_guide/apidoc/macaron.provenance.rst:
--------------------------------------------------------------------------------
1 | macaron.provenance package
2 | ==========================
3 |
4 | .. automodule:: macaron.provenance
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
9 | Submodules
10 | ----------
11 |
12 | macaron.provenance.provenance\_extractor module
13 | -----------------------------------------------
14 |
15 | .. automodule:: macaron.provenance.provenance_extractor
16 | :members:
17 | :undoc-members:
18 | :show-inheritance:
19 |
20 | macaron.provenance.provenance\_finder module
21 | --------------------------------------------
22 |
23 | .. automodule:: macaron.provenance.provenance_finder
24 | :members:
25 | :undoc-members:
26 | :show-inheritance:
27 |
28 | macaron.provenance.provenance\_verifier module
29 | ----------------------------------------------
30 |
31 | .. automodule:: macaron.provenance.provenance_verifier
32 | :members:
33 | :undoc-members:
34 | :show-inheritance:
35 |
--------------------------------------------------------------------------------
/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.asset.rst:
--------------------------------------------------------------------------------
1 | macaron.slsa\_analyzer.asset package
2 | ====================================
3 |
4 | .. automodule:: macaron.slsa_analyzer.asset
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.ci_service.github_actions.rst:
--------------------------------------------------------------------------------
1 | macaron.slsa\_analyzer.ci\_service.github\_actions package
2 | ==========================================================
3 |
4 | .. automodule:: macaron.slsa_analyzer.ci_service.github_actions
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
9 | Submodules
10 | ----------
11 |
12 | macaron.slsa\_analyzer.ci\_service.github\_actions.analyzer module
13 | ------------------------------------------------------------------
14 |
15 | .. automodule:: macaron.slsa_analyzer.ci_service.github_actions.analyzer
16 | :members:
17 | :undoc-members:
18 | :show-inheritance:
19 |
20 | macaron.slsa\_analyzer.ci\_service.github\_actions.github\_actions\_ci module
21 | -----------------------------------------------------------------------------
22 |
23 | .. automodule:: macaron.slsa_analyzer.ci_service.github_actions.github_actions_ci
24 | :members:
25 | :undoc-members:
26 | :show-inheritance:
27 |
--------------------------------------------------------------------------------
/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.provenance.expectations.cue.rst:
--------------------------------------------------------------------------------
1 | macaron.slsa\_analyzer.provenance.expectations.cue package
2 | ==========================================================
3 |
4 | .. automodule:: macaron.slsa_analyzer.provenance.expectations.cue
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
9 | Submodules
10 | ----------
11 |
12 | macaron.slsa\_analyzer.provenance.expectations.cue.cue\_validator module
13 | ------------------------------------------------------------------------
14 |
15 | .. automodule:: macaron.slsa_analyzer.provenance.expectations.cue.cue_validator
16 | :members:
17 | :undoc-members:
18 | :show-inheritance:
19 |
--------------------------------------------------------------------------------
/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.provenance.intoto.rst:
--------------------------------------------------------------------------------
1 | macaron.slsa\_analyzer.provenance.intoto package
2 | ================================================
3 |
4 | .. automodule:: macaron.slsa_analyzer.provenance.intoto
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
9 | Subpackages
10 | -----------
11 |
12 | .. toctree::
13 | :maxdepth: 1
14 |
15 | macaron.slsa_analyzer.provenance.intoto.v01
16 | macaron.slsa_analyzer.provenance.intoto.v1
17 |
18 | Submodules
19 | ----------
20 |
21 | macaron.slsa\_analyzer.provenance.intoto.errors module
22 | ------------------------------------------------------
23 |
24 | .. automodule:: macaron.slsa_analyzer.provenance.intoto.errors
25 | :members:
26 | :undoc-members:
27 | :show-inheritance:
28 |
--------------------------------------------------------------------------------
/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.provenance.intoto.v01.rst:
--------------------------------------------------------------------------------
1 | macaron.slsa\_analyzer.provenance.intoto.v01 package
2 | ====================================================
3 |
4 | .. automodule:: macaron.slsa_analyzer.provenance.intoto.v01
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.provenance.intoto.v1.rst:
--------------------------------------------------------------------------------
1 | macaron.slsa\_analyzer.provenance.intoto.v1 package
2 | ===================================================
3 |
4 | .. automodule:: macaron.slsa_analyzer.provenance.intoto.v1
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.provenance.slsa.rst:
--------------------------------------------------------------------------------
1 | macaron.slsa\_analyzer.provenance.slsa package
2 | ==============================================
3 |
4 | .. automodule:: macaron.slsa_analyzer.provenance.slsa
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.provenance.witness.rst:
--------------------------------------------------------------------------------
1 | macaron.slsa\_analyzer.provenance.witness package
2 | =================================================
3 |
4 | .. automodule:: macaron.slsa_analyzer.provenance.witness
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
9 | Submodules
10 | ----------
11 |
12 | macaron.slsa\_analyzer.provenance.witness.attestor module
13 | ---------------------------------------------------------
14 |
15 | .. automodule:: macaron.slsa_analyzer.provenance.witness.attestor
16 | :members:
17 | :undoc-members:
18 | :show-inheritance:
19 |
--------------------------------------------------------------------------------
/docs/source/pages/developers_guide/apidoc/macaron.vsa.rst:
--------------------------------------------------------------------------------
1 | macaron.vsa package
2 | ===================
3 |
4 | .. automodule:: macaron.vsa
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
9 | Submodules
10 | ----------
11 |
12 | macaron.vsa.vsa module
13 | ----------------------
14 |
15 | .. automodule:: macaron.vsa.vsa
16 | :members:
17 | :undoc-members:
18 | :show-inheritance:
19 |
--------------------------------------------------------------------------------
/docs/source/pages/supported_technologies/jfrog.rst:
--------------------------------------------------------------------------------
1 | .. Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | .. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | =================
5 | JFrog Artifactory
6 | =================
7 |
--------------------------------------------------------------------------------
/docs/source/pages/supported_technologies/maven_central.rst:
--------------------------------------------------------------------------------
1 | .. Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | .. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | =============
5 | Maven Central
6 | =============
7 |
--------------------------------------------------------------------------------
/docs/source/pages/supported_technologies/npm_registry.rst:
--------------------------------------------------------------------------------
1 | .. Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | .. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | ============
5 | npm Registry
6 | ============
7 |
--------------------------------------------------------------------------------
/docs/source/pages/supported_technologies/pypi_registry.rst:
--------------------------------------------------------------------------------
1 | .. Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | .. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | ===========================
5 | Python Package Index (PyPI)
6 | ===========================
7 |
--------------------------------------------------------------------------------
/docs/source/pages/supported_technologies/witness.rst:
--------------------------------------------------------------------------------
1 | .. Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | .. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | =======
5 | Witness
6 | =======
7 |
--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
1 | // Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | module github.com/oracle/macaron
5 |
6 | go 1.23.0
7 |
8 | toolchain go1.23.2
9 |
10 | require (
11 | cuelang.org/go v0.12.0
12 | mvdan.cc/sh/v3 v3.11.0
13 | )
14 |
15 | require (
16 | github.com/cockroachdb/apd/v3 v3.2.1 // indirect
17 | github.com/google/uuid v1.6.0 // indirect
18 | github.com/pelletier/go-toml/v2 v2.2.3 // indirect
19 | golang.org/x/mod v0.22.0 // indirect
20 | golang.org/x/net v0.38.0 // indirect
21 | golang.org/x/text v0.23.0 // indirect
22 | gopkg.in/yaml.v3 v3.0.1 // indirect
23 | )
24 |
--------------------------------------------------------------------------------
/golang/cmd/bashparser/README.md:
--------------------------------------------------------------------------------
1 | # Bash Parser
2 |
3 | This Go module parses bash scripts using the [sh](https://github.com/mvdan/sh) library.
4 |
5 | ### Run the bash parser directly
6 | To run the parser, from the root dir of this repository:
7 | ```
8 | go run ./golang/cmd/bashparser/bashparser.go -h
9 | ```
10 | - `-file `: The path of the bash script file.
11 | - `-input `: The bash script content to be parsed. When both are given, the input option takes priority over the file option.
12 | - `-output `: The path to the output json file.
13 |
14 | If the bash script is valid, the resulting JSON string is written to stdout and the application exits with a zero exit code. When there are errors, the error messages are written to stderr and the application exits with a non-zero exit code.
15 |
16 | If storing the JSON content to the output file fails, the JSON string is still written to stdout, and the errors are written to stderr.
17 |
--------------------------------------------------------------------------------
/golang/internal/bashparser/resources/valid.sh:
--------------------------------------------------------------------------------
# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Test fixture for the bashparser package: a syntactically valid script that the
# parser must accept. It exercises `set` options, an if/else block, `cd`, quoted
# variable expansion and command substitution.
# NOTE(review): the `#! bin/bash` line below is not on line 1 and lacks a leading
# slash, so a shell treats it as an ordinary comment, not an interpreter directive.
#! bin/bash

# Abort on any failing command, unset variable, or failing pipeline stage.
set -euo pipefail
if [[ "$COMPILE_BUILDER" = true ]]; then
    # Build the builder binary from source and move it to the working directory.
    echo "Building the builder"
    cd "$BUILDER_DIR"/go/
    go mod vendor
    go build -mod=vendor -o "$BUILDER_BINARY"
    cd -
    mv "${BUILDER_DIR}/go/${BUILDER_BINARY}" .
else
    # Otherwise fetch a prebuilt builder at the requested ref and rename it.
    echo "Fetching the builder with ref: $BUILDER_REF"
    .github/workflows/scripts/builder-fetch.sh
    mv "$BUILDER_RELEASE_BINARY" "$BUILDER_BINARY"
fi
# Record the SHA-256 of the builder binary and publish it via the `::set-output`
# workflow command (kept as-is: this file is parser input, not an executed script).
BUILDER_DIGEST=$(sha256sum "$BUILDER_BINARY" | awk '{print $1}')
echo "::set-output name=go-builder-sha256::$BUILDER_DIGEST"
echo "hash of $BUILDER_BINARY is $BUILDER_DIGEST"
mvn verify deploy
# Emit base64-encoded SHA-256 sums of the produced artifacts as a second output.
echo "::set-output name=hashes::$(sha256sum artifact1 artifact2 | base64 -w0)"
24 |
--------------------------------------------------------------------------------
/golang/internal/cuevalidator/resources/invalid_policy.cue:
--------------------------------------------------------------------------------
1 | INVALID
2 |
--------------------------------------------------------------------------------
/golang/internal/cuevalidator/resources/invalid_provenance.json:
--------------------------------------------------------------------------------
1 | None
2 |
--------------------------------------------------------------------------------
/golang/internal/cuevalidator/resources/valid_policy.cue:
--------------------------------------------------------------------------------
1 | {
2 | target: "urllib3/urllib3",
3 | predicate: {
4 | invocation: {
5 | configSource: {
6 | uri: =~"^git\\+https://github.com/urllib3/urllib3@refs/tags/[0-9]+.[0-9]+.[0-9a-z]+$"
7 | entryPoint: ".github/workflows/publish.yml"
8 | }
9 | }
10 | }
11 | }
12 |
--------------------------------------------------------------------------------
/golang/internal/filewriter/filewriter.go:
--------------------------------------------------------------------------------
1 | /* Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved. */
2 | /* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
3 |
4 | package filewriter
5 |
6 | import (
7 | "os"
8 | )
9 |
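// StoreBytesToFile writes content to the file at file_name, creating the
// file when it does not exist and truncating it (overwriting any previous
// content) when it does. The file is created by os.Create, i.e. with mode
// 0666 before umask.
//
// It returns the error from creating the file, from the write, or from
// closing the file, in that order of precedence. The close error is checked
// rather than discarded in a deferred Close because on some filesystems a
// failed write is only reported at close time; swallowing it would let the
// caller believe the output was stored. A nil return means the full content
// was written and the file was closed cleanly.
func StoreBytesToFile(content []byte, file_name string) error {
	file, err := os.Create(file_name)
	if err != nil {
		return err
	}

	// Per the io.Writer contract, Write returns a non-nil error whenever
	// fewer than len(content) bytes were written, so the count needs no check.
	_, writeErr := file.Write(content)
	closeErr := file.Close()
	if writeErr != nil {
		return writeErr
	}
	return closeErr
}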
23 |
--------------------------------------------------------------------------------
/golang/internal/filewriter/mock_dir/README.md:
--------------------------------------------------------------------------------
1 | This is a mock directory for testing.
2 |
--------------------------------------------------------------------------------
/src/macaron/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | """This module initializes the necessary components for the macaron package."""
5 |
6 | import os
7 |
# Package version string. Python has no exhaustive, official list of other
# module "magic" constants, so only ``__version__`` is declared here. See:
# https://stackoverflow.com/questions/38344848/is-there-a-comprehensive-table-of-pythons-magic-constants
__version__ = "0.16.0"

# Absolute path of the directory that contains this package.
MACARON_PATH = os.path.abspath(os.path.dirname(__file__))
15 |
--------------------------------------------------------------------------------
/src/macaron/code_analyzer/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/src/macaron/config/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/src/macaron/database/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/src/macaron/dependency_analyzer/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | """This package contains the dependency resolvers."""
5 |
--------------------------------------------------------------------------------
/src/macaron/malware_analyzer/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/src/macaron/malware_analyzer/pypi_heuristics/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/src/macaron/malware_analyzer/pypi_heuristics/metadata/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/src/macaron/malware_analyzer/pypi_heuristics/sourcecode/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/src/macaron/output_reporter/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/src/macaron/output_reporter/scm.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | """This module implements datatypes to represent SCM results."""
5 |
6 | from enum import Enum
7 |
8 |
class SCMStatus(str, Enum):
    """Outcome of resolving the source-control (SCM) location of an analyzed artifact.

    Mixing in ``str`` keeps every member usable as its plain string value.
    """

    AVAILABLE = "AVAILABLE"
    """An SCM url was found for this artifact."""
    MISSING_SCM = "MISSING REPO URL"
    """No SCM url could be found for this artifact."""
    DUPLICATED_SCM = "DUPLICATED REPO URL"
    """An SCM url was found, but it was already analyzed for another artifact."""
    ANALYSIS_FAILED = "FAILED"
    """An SCM url was found, but the analysis of this artifact did not complete."""
20 |
--------------------------------------------------------------------------------
/src/macaron/parsers/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/src/macaron/parsers/yaml/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/src/macaron/policy_engine/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/src/macaron/policy_engine/examples/aggregate.dl:
--------------------------------------------------------------------------------
1 | /* Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. */
2 | /* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
3 |
4 |
5 | #include "prelude.dl"
6 |
7 | /**
8 | * This is an example of applying the aggregate level policy.
9 | */
10 |
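// Level 3: every repository that has a provenance must use a trusted builder,
// have its provenance attestations verified, and its dependencies must use
// some kind of scripted build (the level-3 requirements themselves are
// presumably defined in aggregate_rules.dl, pulled in by the prelude).
// The repository name is not used in this rule, so it is anonymised with `_`
// instead of binding a singleton variable.
apply_policy_to("aggregate_level_3", repo_id) :-
    repository_analysis(_, component_id, repo_id, _),
    provenance(_, component_id, _, _, _, _).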
17 |
// Level 1 applies to every known repository: all of them must be under version control.
apply_policy_to("aggregate_level_1", repository_id) :- is_repo(repository_id, _, _).
20 |
--------------------------------------------------------------------------------
/src/macaron/policy_engine/examples/simple_example.dl:
--------------------------------------------------------------------------------
1 | /* Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. */
2 | /* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
3 |
4 |
5 | #include "prelude.dl"
6 |
// A single policy that holds for a repository once its provenance level-three
// check has passed; it is applied to every known repository.
Policy("auth-provenance", repository_id, "") :-
    check_passed(repository_id, "mcn_provenance_level_three_1").
apply_policy_to("auth-provenance", repository_id) :- is_repo(repository_id, _, _).
9 |
--------------------------------------------------------------------------------
/src/macaron/policy_engine/prelude/prelude.dl:
--------------------------------------------------------------------------------
1 | /* Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. */
2 | /* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
3 |
4 | /**
5 | * Policy prelude: copies all pre-written rules and the generated fact import statements into the policy program.
6 | * All user-written policy files must begin with #include "prelude.dl".
7 | */
8 |
9 | #ifndef MCN_PRELUDE
10 | #define MCN_PRELUDE
11 |
12 | /* Predefined rules: see src/macaron/policy_engine/prelude/ */
13 | #include "helper_rules.dl"
14 | #include "policy.dl"
15 | #include "aggregate_rules.dl"
16 |
17 | /* The fact import statements generated by the policy engine */
18 | #include "import_data.dl"
19 |
20 | #endif
21 |
--------------------------------------------------------------------------------
/src/macaron/provenance/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | """This package contains the provenance tools for software components."""
5 |
--------------------------------------------------------------------------------
/src/macaron/py.typed:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | # PEP-561 marker. https://mypy.readthedocs.io/en/latest/installed_packages.html
5 |
--------------------------------------------------------------------------------
/src/macaron/repo_verifier/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | """This package contains classes for repository verification."""
5 |
--------------------------------------------------------------------------------
/src/macaron/resources/.gitattributes:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | #
5 | # https://help.github.com/articles/dealing-with-line-endings/
6 | #
7 | # Linux start script should use lf
8 | /gradlew text eol=lf
9 |
10 | # These are Windows script files and should use crlf
11 | *.bat text eol=crlf
12 |
--------------------------------------------------------------------------------
/src/macaron/resources/.gitignore:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | # Ignore Gradle project-specific cache directory
5 | .gradle
6 | gradle-*
7 |
8 | # Ignore Gradle build output directory
9 | build
10 |
11 | # Ignore downloaded schemastore files
12 | schemastore
13 |
--------------------------------------------------------------------------------
/src/macaron/resources/policies/gdk/expectation.cue.template:
--------------------------------------------------------------------------------
1 | {
2 | target: "",
3 | predicate: {
4 | attestations: [
5 | {
6 | attestation: {
7 | jobimage: "",
8 | projecturl: "https://",
9 | },
10 | },
11 | _,
12 | _,
13 | _,
14 | _,
15 | _
16 | ]
17 | }
18 | }
19 |
--------------------------------------------------------------------------------
/src/macaron/resources/policies/gdk/policy.dl.template:
--------------------------------------------------------------------------------
1 | #include "prelude.dl"
2 |
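// The GDK provenance policy holds for a component once its provenance
// expectation check has passed.
Policy("gdk_provenance_policy", component_id, "Policy for GDK builds") :-
    check_passed(component_id, "mcn_provenance_expectation_1").

// Apply the policy to every component whose PURL starts with "@".
// The policy id here must match the head of the Policy rule above; this
// template previously referred to "gcn_provenance_policy", which no Policy
// rule in this file defines, so the policy was never actually applied.
apply_policy_to("gdk_provenance_policy", component_id) :-
    is_component(component_id, purl),
    match("^@.*$", purl).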
9 |
--------------------------------------------------------------------------------
/src/macaron/resources/schemastore/find_source_report_schema.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://json-schema.org/draft/2020-12/schema",
3 | "$id": "macaron-source-finder-json-report-schema",
4 | "title": "Macaron Source Finder JSON Report",
5 | "$comment": "For any details about the schema specification and validation documentation, see https://json-schema.org/draft/2020-12/draft-bhutton-json-schema-00 and https://json-schema.org/draft/2020-12/draft-bhutton-json-schema-validation-00.",
6 | "type": "object",
7 | "properties": {
8 | "purl": {
9 | "type": "string"
10 | },
11 | "commit": {
12 | "type": "string"
13 | },
14 | "repo": {
15 | "type": "string"
16 | },
17 | "repo_validated": {
18 | "type": "boolean"
19 | },
20 | "commit_validated": {
21 | "type": "boolean"
22 | },
23 | "url": {
24 | "type": "string"
25 | }
26 | }
27 | }
28 |
--------------------------------------------------------------------------------
/src/macaron/resources/settings.gradle:
--------------------------------------------------------------------------------
1 | /*
2 | * This file was generated by the Gradle 'init' task.
3 | *
4 | * The settings file is used to specify which projects to include in your build.
5 | *
6 | * Detailed information about configuring a multi-project build in Gradle can be found
7 | * in the user manual at https://docs.gradle.org/7.6/userguide/multi_project_builds.html
8 | */
9 |
--------------------------------------------------------------------------------
/src/macaron/resources/settings.xml:
--------------------------------------------------------------------------------
1 |
5 |
6 |
7 |
8 |
9 |
--------------------------------------------------------------------------------
/src/macaron/slsa_analyzer/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/src/macaron/slsa_analyzer/build_tool/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | """The build_tool package contains the supported build tools for Macaron."""
5 |
6 | from .base_build_tool import BaseBuildTool
7 | from .docker import Docker
8 | from .go import Go
9 | from .gradle import Gradle
10 | from .maven import Maven
11 | from .npm import NPM
12 | from .pip import Pip
13 | from .poetry import Poetry
14 | from .yarn import Yarn
15 |
# Supported build tools, listed in the order in which each one is checked
# against the target repository.
BUILD_TOOLS: list[BaseBuildTool] = [
    Gradle(),
    Maven(),
    Poetry(),
    Pip(),
    Docker(),
    NPM(),
    Yarn(),
    Go(),
]
19 |
--------------------------------------------------------------------------------
/src/macaron/slsa_analyzer/checks/README.md:
--------------------------------------------------------------------------------
1 | # Defining Checks
2 |
3 | The checks defined in this directory are automatically loaded during the startup of Macaron and used during the analysis. For detailed instructions to write a new check, see our [website](https://oracle.github.io/macaron/pages/developers_guide/index.html).
4 |
5 |
6 | You can also look at the existing checks in [this](./) directory for inspiration.
7 |
--------------------------------------------------------------------------------
/src/macaron/slsa_analyzer/checks/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | """Import Checks for running and importing from other packages."""
5 |
6 | import glob
7 | import os
8 |
# Every check lives in a module named ``*_check.py`` next to this file.
modules = glob.glob(os.path.join(os.path.dirname(__file__), "*_check.py"))
# Export the module names (without the ``.py`` suffix) so ``from ... import *``
# picks them up. The ``*_check.py`` pattern can never match ``__init__.py``,
# so no separate filter for it is needed.
__all__ = [os.path.splitext(os.path.basename(path))[0] for path in modules if os.path.isfile(path)]
12 |
--------------------------------------------------------------------------------
/src/macaron/slsa_analyzer/ci_service/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | """The ci_service package contains the supported CI services for Macaron."""
5 |
6 | from macaron.slsa_analyzer.ci_service.github_actions.github_actions_ci import GitHubActions
7 |
8 | from .base_ci_service import BaseCIService
9 | from .circleci import CircleCI
10 | from .gitlab_ci import GitLabCI
11 | from .jenkins import Jenkins
12 | from .travis import Travis
13 |
# Supported CI services, listed in the order in which each one is checked
# against the target repository.
CI_SERVICES: list[BaseCIService] = [
    GitHubActions(),
    Jenkins(),
    Travis(),
    CircleCI(),
    GitLabCI(),
]
17 |
--------------------------------------------------------------------------------
/src/macaron/slsa_analyzer/ci_service/github_actions/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/src/macaron/slsa_analyzer/git_service/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | """The git_service package contains the supported git services for Macaron."""
5 |
6 | from .base_git_service import BaseGitService
7 | from .bitbucket import BitBucket
8 | from .github import GitHub
9 | from .gitlab import PubliclyHostedGitLab, SelfHostedGitLab
10 | from .local_repo_git_service import LocalRepoGitService
11 |
# Supported git services, listed in the order in which each one is checked
# against the target repository.
GIT_SERVICES: list[BaseGitService] = [GitHub(), PubliclyHostedGitLab(), SelfHostedGitLab(), BitBucket(), LocalRepoGitService()]
21 |
--------------------------------------------------------------------------------
/src/macaron/slsa_analyzer/levels.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | """This module contains classes that handle the analysis of each SLSA levels."""
5 |
6 | from enum import Enum
7 |
8 |
class SLSALevels(Enum):
    """SLSA level assigned to each SLSA requirement.

    See Also: https://slsa.dev/spec.
    """

    LEVEL0 = "SLSA Level 0"
    LEVEL1 = "SLSA Level 1"
    LEVEL2 = "SLSA Level 2"
    LEVEL3 = "SLSA Level 3"
    LEVEL4 = "SLSA Level 4"

    def __int__(self) -> int:
        """Return the numeric level, taken from the number that ends the member value."""
        _, _, number = self.value.rpartition(" ")
        return int(number)
23 |
--------------------------------------------------------------------------------
/src/macaron/slsa_analyzer/package_registry/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | """This module defines the package registries."""
5 |
6 | from macaron.slsa_analyzer.package_registry.jfrog_maven_registry import JFrogMavenRegistry
7 | from macaron.slsa_analyzer.package_registry.maven_central_registry import MavenCentralRegistry
8 | from macaron.slsa_analyzer.package_registry.npm_registry import NPMRegistry
9 | from macaron.slsa_analyzer.package_registry.package_registry import PackageRegistry
10 | from macaron.slsa_analyzer.package_registry.pypi_registry import PyPIRegistry
11 |
# The package registries Macaron knows how to query.
PACKAGE_REGISTRIES: list[PackageRegistry] = [JFrogMavenRegistry(), MavenCentralRegistry(), NPMRegistry(), PyPIRegistry()]
18 |
--------------------------------------------------------------------------------
/src/macaron/slsa_analyzer/provenance/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/src/macaron/slsa_analyzer/provenance/expectations/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/src/macaron/slsa_analyzer/provenance/intoto/errors.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | """Error types related to in-toto attestations."""
5 |
6 | from macaron.errors import MacaronError
7 |
8 |
class InTotoAttestationError(MacaronError):
    """Base class for every error raised while handling in-toto attestations."""
11 |
12 |
class ValidateInTotoPayloadError(InTotoAttestationError):
    """Raised when an in-toto payload fails validation, typically against a schema."""
15 |
16 |
class UnsupportedInTotoVersionError(InTotoAttestationError):
    """Raised when a provenance uses an in-toto version that is not supported."""
19 |
20 |
class LoadIntotoAttestationError(InTotoAttestationError):
    """Raised when the payload of an in-toto provenance cannot be decoded or loaded."""
23 |
--------------------------------------------------------------------------------
/src/macaron/slsa_analyzer/specs/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/src/macaron/vsa/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/analyze_json_output/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/artifact/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/config/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/config/resources/defaults.ini:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | # Dependency resolver tool
5 | [dependency.resolver]
6 | # Should be in the tool_name:version format (for example cyclonedx-maven:1.1.1).
7 | # The supported tool for Maven is cyclonedx-maven.
8 | # The version of the dependency resolver should conform with semantic versioning.
9 | dep_tool_maven = cyclonedx-maven:1.1.1
10 |
--------------------------------------------------------------------------------
/tests/database/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/dependency_analyzer/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/dependency_analyzer/cyclonedx/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/dependency_analyzer/cyclonedx/defaults.ini:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | [repofinder.java]
5 | # Disables remote calls made to find missing repositories
6 | find_repos = False
7 |
8 | [repofinder]
9 | # Disables attempts at resolving redirecting URLs via remote calls
10 | redirect_urls =
11 |
--------------------------------------------------------------------------------
/tests/dependency_analyzer/cyclonedx/resources/invalid_bom.json:
--------------------------------------------------------------------------------
1 | {"INVALID": "INVALID"}
2 |
--------------------------------------------------------------------------------
/tests/dependency_analyzer/cyclonedx/resources/invalid_json.json:
--------------------------------------------------------------------------------
1 | INVALID
2 |
--------------------------------------------------------------------------------
/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/multiple_named_sboms/target/custom_bom.json:
--------------------------------------------------------------------------------
1 | {
2 | }
3 |
--------------------------------------------------------------------------------
/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/multiple_named_sboms/target/custom_bom_2.json:
--------------------------------------------------------------------------------
1 | {
2 | }
3 |
--------------------------------------------------------------------------------
/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom_with_multiple_children/target/custom_bom.json:
--------------------------------------------------------------------------------
1 | {
2 | }
3 |
--------------------------------------------------------------------------------
/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom_with_multiple_children/target/target/custom_bom.json:
--------------------------------------------------------------------------------
1 | {
2 | }
3 |
--------------------------------------------------------------------------------
/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom_with_multiple_children/target/target/custom_bom_2.json:
--------------------------------------------------------------------------------
1 | {
2 | }
3 |
--------------------------------------------------------------------------------
/tests/dependency_analyzer/test_dependency_analyzer.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | """
5 | This module tests the DependencyAnalyzer.
6 | """
7 |
8 | from macaron.dependency_analyzer.cyclonedx import DependencyAnalyzer
9 | from tests.macaron_testcase import MacaronTestCase
10 |
11 |
class TestDependencyAnalyzer(MacaronTestCase):
    """Test the dependency analyzer functions."""

    def test_tool_valid(self) -> None:
        """Test that a ``name:version`` tool string is accepted only when both parts are valid.

        Each case pairs the tool string handed to ``DependencyAnalyzer.tool_valid`` with
        the exact boolean the method is expected to return.
        """
        cases: list[tuple[str, bool]] = [
            # Bare "cyclonedx" is not accepted as a tool name.
            ("cyclonedx:2.6.2", False),
            # The Maven plugin name with a numeric version is accepted.
            ("cyclonedx-maven:2.6.2", True),
            # A non-numeric version string is rejected even with a valid name.
            ("cyclonedx-maven:abc", False),
        ]
        for tool, expected in cases:
            assert DependencyAnalyzer.tool_valid(tool) is expected
20 |
--------------------------------------------------------------------------------
/tests/integration/cases/ajax-requester_pypi_malware_analyzer/policy.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

/* Select every component whose PURL matches the ajax-requester pattern.
   NOTE(review): the other policies in this test suite end their patterns with
   ".*"; confirm whether match() requires the whole PURL to match, in which case
   a PURL carrying a version suffix would not be selected by this rule. */
apply_policy_to("check-ajax-requester", component) :-
    is_component(component, purl),
    match("pkg:pypi/ajax-requester", purl).

/* A selected component satisfies the policy once the malicious-metadata check
   has passed for it. */
Policy("check-ajax-requester", component, "Check ajax-requester artifacts") :-
    check_passed(component, "mcn_detect_malicious_metadata_1").
12 |
--------------------------------------------------------------------------------
/tests/integration/cases/ajax-requester_pypi_malware_analyzer/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing the metadata of a project that has unreachable links and frequent releases, whose maintainer
6 | released it shortly after account registration, and whose setup.py file is suspicious, but which also
7 | ships a wheel file. Macaron should report a pass for such a package.
8 |
9 | tags:
10 | - macaron-python-package
11 |
12 | steps:
13 | - name: Run macaron analyze against ajax-requester
14 | kind: analyze
15 | options:
16 | command_args:
17 | - -purl
18 | - pkg:pypi/ajax-requester
19 | - name: Run macaron verify-policy to check the results
20 | kind: verify
21 | options:
22 | policy: policy.dl
23 |
--------------------------------------------------------------------------------
/tests/integration/cases/all_checks_excluded/config.ini:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | [analysis.checks]
5 | exclude = *
6 | include = *
7 |
--------------------------------------------------------------------------------
/tests/integration/cases/all_checks_excluded/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Running the analysis with all checks excluded. This test should return an error code.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | ini: config.ini
15 | command_args:
16 | - -rp
17 | - https://github.com/apache/maven
18 | expect_fail: true
19 |
--------------------------------------------------------------------------------
/tests/integration/cases/apache_maven_analyze_dependencies_with_no_repo_and_no_sbom/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing dependencies when neither the repository nor SBOM is available. We expect the analysis to finish with no errors.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -purl
16 | - pkg:maven/private.apache.maven/maven@4.0.0-alpha-1-SNAPSHOT?type=pom
17 |
--------------------------------------------------------------------------------
/tests/integration/cases/apache_maven_cyclonedx_sbom_tutorial/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Tutorial test: Analyzing a software component using its CycloneDX SBOM file.
6 |
7 | tags:
8 | - macaron-python-package
9 | - tutorial
10 |
11 | steps:
12 | - name: Run macaron analyze
13 | kind: analyze
14 | options:
15 | command_args:
16 | - -purl
17 | - pkg:maven/org.apache.maven/maven@3.9.7?type=pom
18 | - --deps-depth=1
19 | sbom: sbom.json
20 | - name: Compare dependencies report.
21 | kind: compare
22 | options:
23 | kind: deps_report
24 | result: output/reports/maven/org_apache_maven/maven/dependencies.json
25 | expected: dependencies.json
26 |
--------------------------------------------------------------------------------
/tests/integration/cases/apache_maven_local_path_with_branch_name_digest_deps_cyclonedx_maven/config.ini:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | [repofinder]
5 | try_latest_purl = False
6 |
--------------------------------------------------------------------------------
/tests/integration/cases/apache_maven_sbom/config.ini:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | [repofinder]
5 | try_latest_purl = False
6 |
--------------------------------------------------------------------------------
/tests/integration/cases/apache_maven_sbom_no_repo_tutorial/dependencies.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "id": "com.google.guava:guava",
4 | "purl": "pkg:maven/com.google.guava/guava@30.1-jre?type=jar",
5 | "path": "https://github.com/google/guava",
6 | "branch": "",
7 | "digest": "",
8 | "note": "",
9 | "available": "AVAILABLE"
10 | },
11 | {
12 | "id": "org.mockito:mockito-core",
13 | "purl": "pkg:maven/org.mockito/mockito-core@3.2.0?type=jar",
14 | "path": "https://github.com/mockito/mockito",
15 | "branch": "",
16 | "digest": "",
17 | "note": "",
18 | "available": "AVAILABLE"
19 | }
20 | ]
21 |
--------------------------------------------------------------------------------
/tests/integration/cases/apache_maven_sbom_no_repo_tutorial/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Tutorial test: Analyzing a software component whose repository is not available, using its CycloneDX SBOM file.
6 |
7 | tags:
8 | - macaron-python-package
9 | - tutorial
10 |
11 | steps:
12 | - name: Run macaron analyze
13 | kind: analyze
14 | options:
15 | command_args:
16 | - -purl
17 | - pkg:maven/private.apache.maven/maven@4.0.0-alpha-1-SNAPSHOT?type=pom
18 | - --deps-depth=1
19 | sbom: sbom.json
20 | - name: Compare dependencies report.
21 | kind: compare
22 | options:
23 | kind: deps_report
24 | result: output/reports/maven/private_apache_maven/maven/dependencies.json
25 | expected: dependencies.json
26 |
--------------------------------------------------------------------------------
/tests/integration/cases/apache_maven_using_default_template_file_as_input_template/macaron.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 | Macaron - Report
10 |
11 |
12 |
13 |
16 |
17 | SAMPLE MACARON REPORT CONTENT
18 |
19 |
20 |
21 |
--------------------------------------------------------------------------------
/tests/integration/cases/apache_maven_using_default_template_file_as_input_template/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing with the default template file as the input template.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -rp
16 | - https://github.com/apache/maven
17 | - -b
18 | - master
19 | - -d
20 | - 3fc399318edef0d5ba593723a24fff64291d6f9b
21 | - -g
22 | - macaron.html
23 | - name: Run verify-policy
24 | kind: verify
25 | options:
26 | database: output/macaron.db
27 | policy: maven.dl
28 |
--------------------------------------------------------------------------------
/tests/integration/cases/apache_maven_yaml_input_no_deps_and_skip_deps/dependencies.json:
--------------------------------------------------------------------------------
1 | []
2 |
--------------------------------------------------------------------------------
/tests/integration/cases/apache_maven_yaml_input_no_deps_and_skip_deps/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Check that the dependency report is empty when no dependency analysis is enabled.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -purl
16 | - pkg:maven/org.apache.maven/maven@4.0.0-alpha-9-SNAPSHOT?type=pom
17 | - -rp
18 | - https://github.com/apache/maven
19 | - -d
20 | - 3fc399318edef0d5ba593723a24fff64291d6f9b
21 | - name: Compare dependency report
22 | kind: compare
23 | options:
24 | kind: deps_report
25 | result: output/reports/maven/org_apache_maven/maven/dependencies.json
26 | expected: dependencies.json
27 |
--------------------------------------------------------------------------------
/tests/integration/cases/behnazh-w_example-maven-app-tutorial/policy.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

/* Records every component that has at least one transitive dependency for which
   the artifact-pipeline check did not pass. Negating this relation below turns
   the existential "some dependency fails" into the universal "every dependency
   must pass". */
.decl violating_dependencies(component: number)
violating_dependencies(component) :-
    transitive_dependency(component, dep),
    !check_passed(dep, "mcn_find_artifact_pipeline_1").

/* The policy holds for a component only when none of its transitive dependencies
   violate the check. A component with no recorded dependencies passes trivially. */
Policy("detect-malicious-upload", component, "") :-
    is_component(component, _),
    !violating_dependencies(component).

/* Apply the policy to the components analyzed from the example-maven-app repository. */
apply_policy_to("detect-malicious-upload", component) :-
    is_repo(_, "github.com/behnazh-w/example-maven-app", component).
17 |
--------------------------------------------------------------------------------
/tests/integration/cases/behnazh-w_example-maven-app-tutorial/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Test the example-maven-app detect-manual-upload-java-dep tutorial scenario.
6 |
7 | tags:
8 | - macaron-python-package
9 | - tutorial
10 | steps:
11 | - name: Run macaron analyze on the remote repository and resolve dependencies.
12 | kind: analyze
13 | options:
14 | command_args:
15 | - --package-url
16 | - pkg:maven/io.github.behnazh-w.demo/example-maven-app@2.0?type=jar
17 | - -rp
18 | - https://github.com/behnazh-w/example-maven-app
19 | - --deps-depth=1
20 | - name: Run macaron verify-policy and expect it to fail because some dependencies do not pass the policy.
21 | kind: verify
22 | options:
23 | policy: policy.dl
24 | expect_fail: true
25 |
--------------------------------------------------------------------------------
/tests/integration/cases/behnazh-w_example-maven-app/github_provenance_expectation.cue:
--------------------------------------------------------------------------------
1 | {
2 | target: "pkg:maven/io.github.behnazh-w.demo/example-maven-app",
3 | predicate: {
4 | buildDefinition: {
5 | externalParameters: {
6 | workflow: {
7 | ref: "refs/heads/main",
8 | repository: "https://github.com/behnazh-w/example-maven-app",
9 | path: ".github/workflows/main.yaml"
10 | }
11 | }
12 | }
13 | }
14 | }
15 |
--------------------------------------------------------------------------------
/tests/integration/cases/behnazh-w_example-maven-app/policy_report.json:
--------------------------------------------------------------------------------
1 | {
2 | "component_satisfies_policy": [
3 | [
4 | "1",
5 | "pkg:maven/io.github.behnazh-w.demo/example-maven-app@1.0-SNAPSHOT?type=jar",
6 | "example_maven_app_policy"
7 | ],
8 | [
9 | "2",
10 | "pkg:maven/io.github.behnazh-w.demo/example-maven-app@1.0?type=jar",
11 | "example_maven_app_policy"
12 | ]
13 | ],
14 | "passed_policies": [
15 | [
16 | "example_maven_app_policy"
17 | ]
18 | ],
19 | "component_violates_policy": [],
20 | "failed_policies": []
21 | }
22 |
--------------------------------------------------------------------------------
/tests/integration/cases/behnazh-w_example-maven-app/witness_provenance_expectation.cue:
--------------------------------------------------------------------------------
1 | {
2 | target: "pkg:maven/io.github.behnazh-w.demo/example-maven-app",
3 | predicate: {
4 | attestations: [
5 | {
6 | type: "https://witness.dev/attestations/git/v0.1",
7 | attestation: {
8 | commithash: "34c06e8ae3811885c57f8bd42db61f37ac57eb6c"
9 | },
10 | },
11 | _,
12 | _,
13 | _,
14 | _
15 | ]
16 | }
17 | }
18 |
--------------------------------------------------------------------------------
/tests/integration/cases/check_vsa_sh/setup.sh:
--------------------------------------------------------------------------------
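#!/bin/bash
# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Stage the release check_vsa.sh script into ./output for the test case's later steps.
# Abort on the first failing command and on unset variables so that a missing
# source script or an unwritable directory fails the setup step instead of being
# silently ignored.
set -eu

# -p keeps the step idempotent when ./output already exists from a previous run.
mkdir -p ./output
cp ../../../../scripts/release_scripts/check_vsa.sh ./output/check_vsa.sh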
7 |
--------------------------------------------------------------------------------
/tests/integration/cases/check_vsa_sh_fail/setup.sh:
--------------------------------------------------------------------------------
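#!/bin/bash
# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Stage the release check_vsa.sh script into ./output for the test case's later steps.
# Abort on the first failing command and on unset variables so that a missing
# source script or an unwritable directory fails the setup step instead of being
# silently ignored.
set -eu

# -p keeps the step idempotent when ./output already exists from a previous run.
mkdir -p ./output
cp ../../../../scripts/release_scripts/check_vsa.sh ./output/check_vsa.sh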
7 |
--------------------------------------------------------------------------------
/tests/integration/cases/commit_finder_tag_matching_functionality/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Testing Commit Finder tag matching functionality.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run the test commit finder script
12 | kind: shell
13 | options:
14 | cmd: python commit_finder.py
15 |
--------------------------------------------------------------------------------
/tests/integration/cases/django_invalid_path_to_virtual_env/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing the dependencies with an invalid path to the virtual env dir.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -purl
16 | - pkg:pypi/django@5.0.6
17 | - --python-venv
18 | - invalid-path
19 | expect_fail: true
20 |
--------------------------------------------------------------------------------
/tests/integration/cases/django_with_dep_resolution_virtual_env_as_input/check_sourcecode_patterns.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Look up the stored result of the malicious-metadata check for the django 5.0.6
# component in the analysis database produced by the previous step.
query="SELECT detect_malicious_metadata_check.result
FROM detect_malicious_metadata_check JOIN check_facts on detect_malicious_metadata_check.id = check_facts.id
JOIN check_result on check_facts.check_result_id = check_result.id JOIN component
ON component.id = check_result.component_id WHERE check_result.check_id = 'mcn_detect_malicious_metadata_1'
AND component.name = 'django' AND component.version = '5.0.6';"

# The result column is itself a JSON document; extract the verdict of the
# suspicious_patterns heuristic from it. If the query returns no row, $result
# does not equal PASS and the step fails below.
filter=".[0].result | fromjson | .suspicious_patterns"
result=$(sqlite3 --json output/macaron.db "$query" | jq -r "$filter")

# Only an explicit PASS verdict lets the step succeed.
if [[ "$result" == "PASS" ]]; then
    exit 0
fi

echo "ERROR: suspicious_patterns heuristic result $result is not PASS" >&2
exit 1
15 |
--------------------------------------------------------------------------------
/tests/integration/cases/django_with_dep_resolution_virtual_env_as_input/policy-all-pypi.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

/* Select every analyzed component whose PURL starts with "pkg:pypi", i.e. all
   Python packages including the resolved dependencies. */
apply_policy_to("all-pypi", component) :-
    is_component(component, purl),
    match("pkg:pypi.*", purl).

/* Each selected package satisfies the policy when the malicious-metadata check
   has passed for it. */
Policy("all-pypi", component, "Check all the Python packages.") :-
    check_passed(component, "mcn_detect_malicious_metadata_1").
12 |
--------------------------------------------------------------------------------
/tests/integration/cases/django_with_dep_resolution_virtual_env_as_input/policy-recursive-deps-confidence.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

/* Select the analyzed django component (any version). */
apply_policy_to("check-dependencies", component) :-
    is_component(component, purl),
    match("pkg:pypi/django@.*", purl).

/* NOTE(review): this rule is existential. It holds as soon as ONE transitive
   dependency passes the malicious-metadata check with confidence 1, not when
   all of them do, and a component with no recorded dependencies can never
   satisfy it. If every dependency is meant to pass, the negated
   "violating_dependencies" pattern used by the example-maven-app policy in
   this suite expresses that. */
/* NOTE(review): `confidence = 1` compares against an integer literal; confirm
   that the type of the confidence column declared in prelude.dl accepts it. */
Policy("check-dependencies", component, "Check the dependencies of django with high confidence.") :-
    check_passed_with_confidence(component, "mcn_detect_malicious_metadata_1", confidence),
    transitive_dependency(component, dep),
    check_passed_with_confidence(dep, "mcn_detect_malicious_metadata_1", confidence),
    confidence = 1.
15 |
--------------------------------------------------------------------------------
/tests/integration/cases/django_with_dep_resolution_virtual_env_as_input/policy-recursive-deps.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

/* Select the analyzed django component (any version). */
apply_policy_to("check-dependencies", component) :-
    is_component(component, purl),
    match("pkg:pypi/django@.*", purl).

/* NOTE(review): this rule is existential. It holds as soon as django itself and
   ONE of its transitive dependencies pass the malicious-metadata check, not when
   all dependencies do, and a component with no recorded dependencies can never
   satisfy it. If every dependency is meant to pass, the negated
   "violating_dependencies" pattern used by the example-maven-app policy in
   this suite expresses that. */
Policy("check-dependencies", component, "Check the dependencies of django.") :-
    check_passed(component, "mcn_detect_malicious_metadata_1"),
    transitive_dependency(component, dep),
    check_passed(dep, "mcn_detect_malicious_metadata_1").
14 |
--------------------------------------------------------------------------------
/tests/integration/cases/django_with_dep_resolution_virtual_env_as_input/policy-sourcecode.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

/* Apply the policy only to the exact django 5.0.6 component; unlike the other
   django policies in this directory this is a literal PURL, not a pattern. */
apply_policy_to("check_sourcecode_malware_analysis", component) :-
    is_component(component, "pkg:pypi/django@5.0.6").

/* The component satisfies the policy when the malicious-metadata check passed. */
Policy("check_sourcecode_malware_analysis", component, "Checks malware analysis with sourcecode analysis.") :-
    check_passed(component, "mcn_detect_malicious_metadata_1").
11 |
--------------------------------------------------------------------------------
/tests/integration/cases/django_with_dep_resolution_virtual_env_as_input/policy_report.json:
--------------------------------------------------------------------------------
1 | {
2 | "passed_policies": [
3 | [
4 | "check-dependencies"
5 | ]
6 | ],
7 | "component_satisfies_policy": [
8 | [
9 | "1",
10 | "pkg:pypi/django@5.0.6",
11 | "check-dependencies"
12 | ]
13 | ],
14 | "failed_policies": [],
15 | "component_violates_policy": []
16 | }
17 |
--------------------------------------------------------------------------------
/tests/integration/cases/example_maven_app_automatic_dep_resolution_tutorial/dependencies.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "id": "com.google.guava:guava",
4 | "purl": "pkg:maven/com.google.guava/guava@32.1.2-jre?type=jar",
5 | "path": "https://github.com/google/guava",
6 | "branch": "",
7 | "digest": "",
8 | "note": "",
9 | "available": "AVAILABLE"
10 | },
11 | {
12 | "id": "io.github.behnazh-w.demo:jackson-databind",
13 | "purl": "pkg:maven/io.github.behnazh-w.demo/jackson-databind@1.0?type=jar",
14 | "path": "https://github.com/behnazh-w/maven-demo",
15 | "branch": "",
16 | "digest": "",
17 | "note": "",
18 | "available": "AVAILABLE"
19 | }
20 | ]
21 |
--------------------------------------------------------------------------------
/tests/integration/cases/example_maven_app_automatic_dep_resolution_tutorial/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Tutorial test: testing automatic dependency resolution.
6 |
7 | tags:
8 | - macaron-python-package
9 | - tutorial
10 |
11 | steps:
12 | - name: Run macaron analyze
13 | kind: analyze
14 | options:
15 | command_args:
16 | - -purl
17 | - pkg:maven/io.github.behnazh-w.demo/example-maven-app@1.0?type=jar
18 | - -rp
19 | - https://github.com/behnazh-w/example-maven-app
20 | - --deps-depth=1
21 | - name: Compare dependencies report.
22 | kind: compare
23 | options:
24 | kind: deps_report
25 | result: output/reports/maven/io_github_behnazh-w_demo/example-maven-app/dependencies.json
26 | expected: dependencies.json
27 |
--------------------------------------------------------------------------------
/tests/integration/cases/facebook_yoga_yarn_classic/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analysing the repo path, the branch name and the commit digest for a Yarn classic
6 | project, skipping dependency resolution.
7 |
8 | tags:
9 | - macaron-python-package
10 |
11 | steps:
12 | - name: Run macaron analyze
13 | kind: analyze
14 | options:
15 | command_args:
16 | - -rp
17 | - https://github.com/facebook/yoga
18 | - -b
19 | - main
20 | - -d
21 | - f8e2bc0875c145c429d0e865c9b83a40f65b3070
22 | - name: Run macaron verify-policy to verify passed/failed checks
23 | kind: verify
24 | options:
25 | policy: policy.dl
26 |
--------------------------------------------------------------------------------
/tests/integration/cases/find_source_avaje/avaje-prisms.source.json:
--------------------------------------------------------------------------------
1 | {
2 | "purl": "pkg:maven/io.avaje/avaje-prisms@1.1",
3 | "commit": "1f6f953df0b58f0c35b5e136f62f63ba7a22bc03",
4 | "repo": "https://github.com/avaje/avaje-prisms",
5 | "repo_validated": false,
6 | "commit_validated": false,
7 | "url": "https://github.com/avaje/avaje-prisms/commit/1f6f953df0b58f0c35b5e136f62f63ba7a22bc03"
8 | }
9 |
--------------------------------------------------------------------------------
/tests/integration/cases/find_source_avaje/config.ini:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | [repofinder]
5 | find_source_should_clone = True
6 |
--------------------------------------------------------------------------------
/tests/integration/cases/find_source_fail/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing the find source command on a non-existent repository.
6 |
7 | tags:
8 | - macaron-python-package
9 | - macaron-docker-image
10 |
11 | steps:
12 | - name: Run macaron find source on private repository
13 | kind: find-source
14 | options:
15 | command_args:
16 | - -purl
17 | - pkg:maven/com.example/example@1.0.0
18 | - -rp
19 | - https://github.com/oracle/hopefully-this-repository-will-never-exist-0
20 | expect_fail: true
21 |
--------------------------------------------------------------------------------
/tests/integration/cases/github_maven_attestation/policy.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

/* Apply the policy to the exact liftwizard-checkstyle 2.1.22 component. */
apply_policy_to("test_policy", component) :-
    is_component(component, "pkg:maven/io.liftwizard/liftwizard-checkstyle@2.1.22").

/* The test expects provenance to be discovered for this artifact, so the policy
   holds when the provenance-available check passed. */
Policy("test_policy", component, "") :-
    check_passed(component, "mcn_provenance_available_1").
11 |
--------------------------------------------------------------------------------
/tests/integration/cases/github_maven_attestation/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Discovering the attestation of a Maven artifact on GitHub.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -purl
16 | - pkg:maven/io.liftwizard/liftwizard-checkstyle@2.1.22
17 | - -rp
18 | - https://github.com/liftwizard/liftwizard
19 | - name: Run macaron verify-policy to verify passed/failed checks
20 | kind: verify
21 | options:
22 | policy: policy.dl
23 |
--------------------------------------------------------------------------------
/tests/integration/cases/github_maven_attestation_local/policy.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

/* Apply the policy to the exact liftwizard-checkstyle 2.1.22 component. */
apply_policy_to("test_policy", component) :-
    is_component(component, "pkg:maven/io.liftwizard/liftwizard-checkstyle@2.1.22").

/* This variant of the test expects NO provenance to be found, so the policy
   holds only when the provenance-available check failed. */
Policy("test_policy", component, "") :-
    check_failed(component, "mcn_provenance_available_1").
11 |
--------------------------------------------------------------------------------
/tests/integration/cases/github_pypi_attestation/policy.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

/* Apply the policy to the exact toga 0.4.8 PyPI component. */
apply_policy_to("test_policy", component) :-
    is_component(component, "pkg:pypi/toga@0.4.8").

/* The test expects provenance to be discovered for this artifact, so the policy
   holds when the provenance-available check passed. */
Policy("test_policy", component, "") :-
    check_passed(component, "mcn_provenance_available_1").
11 |
--------------------------------------------------------------------------------
/tests/integration/cases/github_pypi_attestation/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Discovering attestation of a PyPI artifact on GitHub
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -purl
16 | - pkg:pypi/toga@0.4.8
17 | - name: Run macaron verify-policy to verify passed/failed checks
18 | kind: verify
19 | options:
20 | policy: policy.dl
21 |
--------------------------------------------------------------------------------
/tests/integration/cases/gitlab_tinyMediaManager/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing the repo path and the branch name when automatic dependency resolution is skipped.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -rp
16 | - https://gitlab.com/tinyMediaManager/tinyMediaManager
17 | - -b
18 | - main
19 | - -d
20 | - cca6b67a335074eca42136556f0a321f75dc4f48
21 | - name: Run macaron verify-policy to verify passed/failed checks
22 | kind: verify
23 | options:
24 | policy: policy.dl
25 |
--------------------------------------------------------------------------------
/tests/integration/cases/gitlab_tinyMediaManager_purl/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing the PURL with a version, and a provided repo with no commit.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -purl
16 | - pkg:maven/org.tinymediamanager/tinyMediaManager@4.3.13
17 | - -rp
18 | - https://gitlab.com/tinyMediaManager/tinyMediaManager
19 | - -b
20 | - main
21 | - -d
22 | - cca6b67a335074eca42136556f0a321f75dc4f48
23 | - name: Run macaron verify-policy to verify passed/failed checks
24 | kind: verify
25 | options:
26 | policy: policy.dl
27 |
--------------------------------------------------------------------------------
/tests/integration/cases/google_guava/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing with PURL and repository path without dependency resolution.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -purl
16 | - pkg:maven/com.google.guava/guava@32.1.2-jre?type=jar
17 | - name: Run macaron verify-policy to verify passed/failed checks
18 | kind: verify
19 | options:
20 | policy: policy.dl
21 |
--------------------------------------------------------------------------------
/tests/integration/cases/google_guava_latest/policy.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

/* The policy holds when the component resolved to the upstream Guava
   repository AND the version-control-system check passed for it. */
Policy("test_policy", component_id, "") :-
    is_repo_url(component_id, "https://github.com/google/guava"),
    check_passed(component_id, "mcn_version_control_system_1").

/* Scope the policy to the exact Maven PURL analyzed by test.yaml. */
apply_policy_to("test_policy", component_id) :-
    is_component(component_id, purl),
    purl = "pkg:maven/com.google.guava/guava@14.0.1?type=jar".
12 |
--------------------------------------------------------------------------------
/tests/integration/cases/google_guava_latest/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing a PURL that requires fetching the latest version, where the ordering of its versions is atypical.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -purl
16 | - pkg:maven/com.google.guava/guava@14.0.1?type=jar
17 | - name: Run macaron verify-policy to verify passed/failed checks
18 | kind: verify
19 | options:
20 | policy: policy.dl
21 |
--------------------------------------------------------------------------------
/tests/integration/cases/invalid_branch_or_commit_yaml_input/maven_invalid_branch.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | target:
5 | id: apache/maven
6 | branch: This-branch-does-not-exist
7 | digest: ''
8 | path: https://github.com/apache/maven.git
9 |
--------------------------------------------------------------------------------
/tests/integration/cases/invalid_branch_or_commit_yaml_input/maven_invalid_commit.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | target:
5 | id: apache/maven
6 | branch: ''
7 | digest: This_digest_is_invalid
8 | path: https://github.com/apache/maven.git
9 |
--------------------------------------------------------------------------------
/tests/integration/cases/invalid_branch_or_commit_yaml_input/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Check the e2e status code of running with invalid branch or commit defined in the yaml configuration.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze with yaml input containing invalid branch
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -c
16 | - maven_invalid_branch.yaml
17 | expect_fail: true
18 | - name: Run macaron analyze with yaml input containing invalid commit
19 | kind: analyze
20 | options:
21 | command_args:
22 | - -c
23 | - maven_invalid_commit.yaml
24 | expect_fail: true
25 |
--------------------------------------------------------------------------------
/tests/integration/cases/invalid_provenance_file/invalid_provenance.json:
--------------------------------------------------------------------------------
1 | None
2 |
--------------------------------------------------------------------------------
/tests/integration/cases/invalid_provenance_file/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Test providing an invalid provenance file as input.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | provenance: invalid_provenance.json
15 | command_args:
16 | - -rp
17 | - https://github.com/apache/maven
18 | expect_fail: true
19 |
--------------------------------------------------------------------------------
/tests/integration/cases/invalid_purl/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: >
5 | Test analyzing with an invalid PURL
6 |
7 | tags:
8 | - macaron-python-package
9 | - macaron-docker-image
10 |
11 | steps:
12 | - name: Run macaron analyze
13 | kind: analyze
14 | options:
15 | command_args:
16 | - --package-url
17 | - invalid-purl
18 | - --repo-path
19 | - https://github.com/apache/maven
20 | expect_fail: true
21 |
--------------------------------------------------------------------------------
/tests/integration/cases/jackson_databind_deps_resolution_with_purl_cyclonedx_maven_plugin/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Checking the resolved dependency output with a PURL for the CycloneDX Maven plugin (default).
6 |
7 | tags:
8 | - macaron-python-package
9 | # Skipped due to https://github.com/oracle/macaron/issues/60.
10 | - skip
11 |
12 | steps:
13 | - name: Run macaron analyze
14 | kind: analyze
15 | options:
16 | command_args:
17 | - -purl
18 | - pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0-rc1
19 | - --deps-depth=1
20 | - name: Compare deps report
21 | kind: compare
22 | options:
23 | kind: deps_report
24 | expected: dependencies.json
25 | result: output/reports/github_com/FasterXML/jackson-databind/dependencies.json
26 |
--------------------------------------------------------------------------------
/tests/integration/cases/jackson_databind_with_purl_and_no_deps/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing using PURL and no dependency resolution.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -purl
16 | - pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0-rc1
17 | - name: Run verify-policy
18 | kind: verify
19 | options:
20 | database: output/macaron.db
21 | policy: jackson-databind.dl
22 |
--------------------------------------------------------------------------------
/tests/integration/cases/jenkinsci_plotplugin/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing the repo path, the branch name and the commit digest when automatic dependency resolution is skipped.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -rp
16 | - https://github.com/jenkinsci/plot-plugin
17 | - -b
18 | - master
19 | - -d
20 | - 55b059187e252b35ac0d6cb52268833ee1bb7380
21 | - name: Run macaron verify-policy to verify passed/failed checks
22 | kind: verify
23 | options:
24 | policy: policy.dl
25 |
--------------------------------------------------------------------------------
/tests/integration/cases/latest_repo_comparison/check_output.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Check that the avaje-prisms source report records the expected commit and
# repository URL. The exit status is 0 only when both fields match; the
# first mismatch short-circuits with status 1.
report="output/reports/maven/io_avaje/avaje-prisms/avaje-prisms.source.json"
expected_commit="1f6f953df0b58f0c35b5e136f62f63ba7a22bc03"
expected_repo="https://github.com/avaje/avaje-prisms"

[[ "$(jq -r '.commit' "$report")" = "$expected_commit" ]] || exit 1
[[ "$(jq -r '.repo' "$report")" = "$expected_repo" ]]
7 |
--------------------------------------------------------------------------------
/tests/integration/cases/log4j_release_pipeline_deleted_run/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing with PURL and repository path without dependency resolution.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -purl
16 | - pkg:maven/org.apache.logging.log4j/log4j-core@2.19.0
17 | - name: Run macaron verify-policy to verify passed/failed checks
18 | kind: verify
19 | options:
20 | policy: policy.dl
21 |
--------------------------------------------------------------------------------
/tests/integration/cases/micronaut-projects_micronaut-core/config.ini:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | [analysis.checks]
5 | exclude =
6 | # Exclude `mcn_provenance_available_1` check for `micronaut-core` integration test
7 | # temporarily because provenances have failed to publish due to an issue in `generator_generic_slsa3.yml@v1.9.0`:
8 | # https://github.com/slsa-framework/slsa-github-generator/issues/3350
9 | mcn_provenance_available_1
10 | include = *
11 |
--------------------------------------------------------------------------------
/tests/integration/cases/micronaut-projects_micronaut-core/policy_report.json:
--------------------------------------------------------------------------------
1 | {
2 | "passed_policies": [
3 | [
4 | "test_deploy_info"
5 | ]
6 | ],
7 | "component_satisfies_policy": [
8 | [
9 | "1",
10 | "pkg:maven/io.micronaut/micronaut-core@4.2.3",
11 | "test_deploy_info"
12 | ]
13 | ],
14 | "failed_policies": [],
15 | "component_violates_policy": []
16 | }
17 |
--------------------------------------------------------------------------------
/tests/integration/cases/micronaut_test_deps_resolution_with_config_cyclonedx_gradle_plugin/dependencies.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "id": "slf4j",
4 | "purl": "",
5 | "path": "https://github.com/qos-ch/slf4j.git",
6 | "branch": "",
7 | "digest": "e9ee55cca93c2bf26f14482a9bdf961c750d2a56",
8 | "note": "",
9 | "available": "AVAILABLE"
10 | },
11 | {
12 | "id": "caffeine",
13 | "purl": "",
14 | "path": "https://github.com/ben-manes/caffeine.git",
15 | "branch": "",
16 | "digest": "05a040c2478341bab8a58a02b3dc1fe14d626d72",
17 | "note": "",
18 | "available": "AVAILABLE"
19 | }
20 | ]
21 |
--------------------------------------------------------------------------------
/tests/integration/cases/micronaut_test_deps_resolution_with_config_cyclonedx_gradle_plugin/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Checking the resolved dependency output with a config file for the CycloneDX Gradle plugin.
6 |
7 | tags:
8 | - macaron-python-package
9 | # Skipped due to https://github.com/oracle/macaron/issues/60.
10 | - skip
11 |
12 | steps:
13 | - name: Run macaron analyze
14 | kind: analyze
15 | options:
16 | command_args:
17 | - -c
18 | - config.yaml
19 | - --deps-depth=1
20 | - name: Compare deps report
21 | kind: compare
22 | options:
23 | kind: deps_report
24 | expected: dependencies.json
25 | result: output/reports/github_com/micronaut-projects/micronaut-test/dependencies.json
26 |
--------------------------------------------------------------------------------
/tests/integration/cases/missing_template_file/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Test using a custom template file that does not exist.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -rp
16 | - https://github.com/apache/maven
17 | - -g
18 | - does/not/exist
19 | expect_fail: true
20 |
--------------------------------------------------------------------------------
/tests/integration/cases/no_branch_or_commit/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: >
5 | Test analyzing with both a PURL and a repository path, but no branch or commit provided
6 |
7 | tags:
8 | - macaron-python-package
9 | - macaron-docker-image
10 |
11 | steps:
12 | - name: Run macaron analyze
13 | kind: analyze
14 | options:
15 | command_args:
16 | - --package-url
17 | - pkg:maven/apache/maven
18 | - --repo-path
19 | - https://github.com/apache/maven
20 | expect_fail: true
21 |
--------------------------------------------------------------------------------
/tests/integration/cases/no_github_token/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Test running the analysis without setting the GITHUB_TOKEN environment variable.
6 |
7 | tags:
8 | - macaron-python-package
9 | - macaron-docker-image
10 |
11 | steps:
12 | - name: Run macaron analyze
13 | kind: analyze
14 | options:
15 | command_args:
16 | - --repo-path
17 | - https://github.com/apache/maven
18 | env:
19 | GITHUB_TOKEN:
20 | expect_fail: true
21 |
--------------------------------------------------------------------------------
/tests/integration/cases/onu-ui_onu-ui_pnpm/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing the repo path, the branch name and the commit digest for a pnpm project,
6 | skipping dependency resolution.
7 |
8 | tags:
9 | - macaron-python-package
10 |
11 | steps:
12 | - name: Run macaron analyze
13 | kind: analyze
14 | options:
15 | command_args:
16 | - -rp
17 | - https://github.com/onu-ui/onu-ui
18 | - -b
19 | - main
20 | - -d
21 | - e3f2825c3940002a920d65476116a64684b3d95e
22 | - name: Run macaron verify-policy to verify passed/failed checks
23 | kind: verify
24 | options:
25 | policy: policy.dl
26 |
--------------------------------------------------------------------------------
/tests/integration/cases/oracle-macaron/check_results_policy.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

/* The policy holds only when the GitHub Actions vulnerability check PASSED
   for the component under test. */
Policy("test_policy", component_id, "") :-
    check_passed(component_id, check_id),
    check_id = "mcn_githubactions_vulnerabilities_1".

/* Apply the policy to every component whose PURL is the Macaron repository,
   whatever version or commit suffix follows the '@'. */
apply_policy_to("test_policy", component_id) :-
    is_component(component_id, purl),
    match("pkg:github.com/oracle/macaron@.*", purl).
12 |
--------------------------------------------------------------------------------
/tests/integration/cases/oracle-macaron/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing the main branch of the Macaron repo to detect vulnerable GitHub Actions.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -rp
16 | - https://github.com/oracle/macaron
17 | - -b
18 | - main
19 | - name: Run macaron verify-policy to verify passed/failed checks
20 | kind: verify
21 | options:
22 | policy: check_results_policy.dl
23 |
--------------------------------------------------------------------------------
/tests/integration/cases/org_apache_dubbo_dubbo-rpc-memcached/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing with PURL and repository path without dependency resolution.
6 |
7 | tags:
8 | - macaron-python-package
9 | - tutorial
10 |
11 | steps:
12 | - name: Run macaron analyze
13 | kind: analyze
14 | options:
15 | command_args:
16 | - -purl
17 | - pkg:maven/org.apache.dubbo/dubbo-rpc-memcached@2.7.7
18 | - name: Run macaron verify-policy to verify passed/failed checks
19 | kind: verify
20 | options:
21 | policy: policy.dl
22 |
--------------------------------------------------------------------------------
/tests/integration/cases/org_apache_logging_log4j/policy_repo_url.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

/* The policy holds only when the GitHub Actions vulnerability check PASSED
   for the component under test. */
Policy("test_policy", component_id, "") :-
    check_passed(component_id, check_id),
    check_id = "mcn_githubactions_vulnerabilities_1".

/* Unlike the PURL-scoped policies, this one is applied by the resolved
   repository URL, so it covers every component that maps to that repo. */
apply_policy_to("test_policy", component_id) :-
    is_repo_url(component_id, repo_url),
    repo_url = "https://github.com/apache/logging-log4j2".
11 |
--------------------------------------------------------------------------------
/tests/integration/cases/ossf_scorecard/config.ini:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | [analysis.checks]
5 | exclude =
6 | include =
7 | mcn_provenance_expectation_1
8 | mcn_provenance_verified_1
9 | mcn_trusted_builder_level_three_1
10 |
--------------------------------------------------------------------------------
/tests/integration/cases/ossf_scorecard/expectation.cue:
--------------------------------------------------------------------------------
1 | {
2 | target: "pkg:github/ossf/scorecard",
3 | predicate: {
4 | invocation: {
5 | configSource: {
6 | uri: =~"^git\\+https://github.com/ossf/scorecard@refs/tags/v[0-9]+.[0-9]+.[0-9a-z]+$"
7 | entryPoint: ".github/workflows/goreleaser.yaml"
8 | }
9 | }
10 | }
11 | }
12 |
--------------------------------------------------------------------------------
/tests/integration/cases/ossf_scorecard/policy.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

/* The policy holds when the component resolved to the upstream scorecard
   repository, all listed checks passed, and a verified provenance at build
   level 3 exists. NOTE(review): the provenance_verified_check atom is not
   joined on component_id, so the level-3 constraint is satisfied by any
   verified provenance in the database; presumably fine because this test
   analyzes a single component, but confirm. */
Policy("test_policy", component_id, "") :-
    is_repo_url(component_id, "https://github.com/ossf/scorecard"),
    check_passed(component_id, "mcn_version_control_system_1"),
    check_passed(component_id, "mcn_provenance_available_1"),
    check_passed(component_id, "mcn_provenance_expectation_1"),
    check_passed(component_id, "mcn_trusted_builder_level_three_1"),
    provenance_verified_check(_, 3, _).

/* Scope the policy to the exact GitHub PURL analyzed by the test. */
apply_policy_to("test_policy", component_id) :-
    is_component(component_id, purl),
    purl = "pkg:github/ossf/scorecard@v4.13.1".
17 |
--------------------------------------------------------------------------------
/tests/integration/cases/ossf_scorecard/policy_report.json:
--------------------------------------------------------------------------------
1 | {
2 | "component_satisfies_policy": [
3 | [
4 | "1",
5 | "pkg:github/ossf/scorecard@v4.13.1",
6 | "auth-provenance"
7 | ]
8 | ],
9 | "passed_policies": [
10 | [
11 | "auth-provenance"
12 | ]
13 | ],
14 | "component_violates_policy": [],
15 | "failed_policies": []
16 | }
17 |
--------------------------------------------------------------------------------
/tests/integration/cases/ossf_scorecard/vsa_policy.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */


#include "prelude.dl"

/* The policy holds when the provenance-verified check PASSED for the
   component and a verified provenance at build level 3 exists.
   NOTE(review): the provenance_verified_check atom is not joined on
   component_id, so the level-3 constraint can be satisfied by any verified
   provenance in the database; confirm this is intended. */
Policy("auth-provenance", component_id, "") :-
    provenance_verified_check(_, 3, _),
    check_passed(component_id, "mcn_provenance_verified_1").

/* Scope the policy to the exact GitHub PURL analyzed by the test. */
apply_policy_to("auth-provenance", component_id) :-
    is_component(component_id, purl),
    purl = "pkg:github/ossf/scorecard@v4.13.1".
14 |
--------------------------------------------------------------------------------
/tests/integration/cases/provenance_available/policy.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

/* The policy holds when the provenance-available check PASSED for the
   component, the discovered asset is the toga 0.5.1 wheel provenance on
   PyPI, and the provenance recorded for the component pins SLSA level 2,
   the upstream repository and the exact source commit.
   NOTE(review): provenance_available_check is not joined on component_id
   (leading wildcard); it is tied to the component only indirectly, via the
   same asset name/URL literals appearing in the provenance atom. */
Policy("test_policy", component_id, "") :-
    check_passed(component_id, "mcn_provenance_available_1"),
    provenance_available_check(
        _,
        "toga",
        "https://pypi.org/integrity/toga/0.5.1/toga-0.5.1-py3-none-any.whl/provenance"
    ),
    provenance(
        _,
        component_id,
        _,
        2,
        _,
        "https://github.com/beeware/toga",
        "ef1912b0a1b5c07793f9aa372409f5b9d36f2604",
        _,
        "toga",
        "https://pypi.org/integrity/toga/0.5.1/toga-0.5.1-py3-none-any.whl/provenance",
        _
    ).

/* Scope the policy to the exact PyPI PURL analyzed by test.yaml. */
apply_policy_to("test_policy", component_id) :-
    is_component(component_id, purl),
    purl = "pkg:pypi/toga@0.5.1".
18 |
--------------------------------------------------------------------------------
/tests/integration/cases/provenance_available/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing a PyPI PURL that has provenance available on the PyPI registry.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -purl
16 | - pkg:pypi/toga@0.5.1
17 | - name: Run macaron verify-policy to verify passed/failed checks
18 | kind: verify
19 | options:
20 | policy: policy.dl
21 |
--------------------------------------------------------------------------------
/tests/integration/cases/purl_of_nonexistent_artifact/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing the PURL of a nonexistent artifact.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -purl
16 | - pkg:maven/com.example/nonexistent@1.0.0
17 | - name: Run macaron verify-policy
18 | kind: verify
19 | options:
20 | main_args:
21 | - --verbose
22 | policy: policy.dl
23 |
--------------------------------------------------------------------------------
/tests/integration/cases/pypi_attestation_discovery/policy.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

/* The policy holds only when all four provenance checks PASSED for the
   component: the provenance was found, it verified, and both the repository
   and the commit were derived from it. */
Policy("test_policy", component_id, "") :-
    check_passed(component_id, "mcn_provenance_available_1"),
    check_passed(component_id, "mcn_provenance_derived_repo_1"),
    check_passed(component_id, "mcn_provenance_derived_commit_1"),
    check_passed(component_id, "mcn_provenance_verified_1").

/* Scope the policy to the exact PyPI PURL analyzed by test.yaml. */
apply_policy_to("test_policy", component_id) :-
    is_component(component_id, purl),
    purl = "pkg:pypi/ultralytics@8.3.70".
14 |
--------------------------------------------------------------------------------
/tests/integration/cases/pypi_attestation_discovery/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing a PyPI PURL that has provenance available on the PyPI registry.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -purl
16 | - pkg:pypi/ultralytics@8.3.70
17 | - name: Run macaron verify-policy to verify passed/failed checks
18 | kind: verify
19 | options:
20 | policy: policy.dl
21 |
--------------------------------------------------------------------------------
/tests/integration/cases/repo_finder_pypi/policy.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

/* The policy holds only when the version-control-system check PASSED for
   the component under test. */
Policy("test_policy", component_id, "") :-
    check_passed(component_id, check_id),
    check_id = "mcn_version_control_system_1".

/* Scope the policy to the exact PyPI PURL analyzed by test.yaml. */
apply_policy_to("test_policy", component_id) :-
    is_component(component_id, purl),
    purl = "pkg:pypi/torch@2.6.0".
11 |
--------------------------------------------------------------------------------
/tests/integration/cases/repo_finder_pypi/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing a PyPI PURL that is not correctly found by deps.dev and must be sought on the package registry directly.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - -purl
16 | - pkg:pypi/torch@2.6.0
17 | - name: Run macaron verify-policy to verify passed/failed checks
18 | kind: verify
19 | options:
20 | policy: policy.dl
21 |
--------------------------------------------------------------------------------
/tests/integration/cases/repo_finder_pypi_find_source/torch.source.json:
--------------------------------------------------------------------------------
1 | {
2 | "purl": "pkg:pypi/torch@2.6.0",
3 | "commit": "1eba9b3aa3c43f86f4a2c807ac8e12c4a7767340",
4 | "repo": "https://github.com/pytorch/pytorch",
5 | "repo_validated": false,
6 | "commit_validated": false,
7 | "url": "https://github.com/pytorch/pytorch/commit/1eba9b3aa3c43f86f4a2c807ac8e12c4a7767340"
8 | }
9 |
--------------------------------------------------------------------------------
/tests/integration/cases/repo_finder_remote_calls/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Testing Repo Finder functionality.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run the test repo finder script
12 | kind: shell
13 | options:
14 | cmd: python repo_finder.py
15 |
--------------------------------------------------------------------------------
/tests/integration/cases/run_macaron_sh_script_unit_test/setup.sh:
--------------------------------------------------------------------------------
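#!/bin/bash
# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Stage a copy of run_macaron.sh under ./output so the unit test exercises the copy
# rather than the script in the source tree. Both paths are relative, so this script
# assumes it is invoked from its own test-case directory (test.yaml runs it as ./setup.sh).

# -p keeps the step idempotent when ./output survived an earlier run; previously a
# pre-existing ./output made mkdir fail while the copy still went ahead silently.
mkdir -p ./output || exit 1
# Fail the step here if the copy does not succeed, instead of letting the unit test
# fail later on a missing file.
cp ../../../../scripts/release_scripts/run_macaron.sh ./output/run_macaron.sh || exit 1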
--------------------------------------------------------------------------------
/tests/integration/cases/run_macaron_sh_script_unit_test/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Run unit tests for the run_macaron.sh script
6 |
7 | tags:
8 | - macaron-docker-image
9 |
10 | steps:
11 | - name: Copy the run_macaron.sh from the source repo to ./output which will eventually be cleaned up.
12 | kind: shell
13 | options:
14 | cmd: ./setup.sh
15 | - name: Run test_run_macaron_sh.py
16 | kind: shell
17 | options:
18 | cmd: python ./test_run_macaron_sh.py
19 |
--------------------------------------------------------------------------------
/tests/integration/cases/run_macaron_sh_with_invalid_docker_pull_env/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Making sure run_macaron.sh cleans up the token file when it exits because DOCKER_PULL is set to an invalid value.
6 |
7 | tags:
8 | - macaron-docker-image
9 |
10 | steps:
11 | - name: Run run_macaron.sh.py with DOCKER_PULL set to an invalid value.
12 | kind: analyze
13 | env:
14 | DOCKER_PULL: invalid_value
15 | options:
16 | command_args:
17 | - --version
18 | expect_fail: true
19 | - name: Check the token file doesn't exist.
20 | kind: shell
21 | options:
22 | cmd: ls .macaron_env_file
23 | expect_fail: true
24 |
--------------------------------------------------------------------------------
/tests/integration/cases/scm_authenticity/config.ini:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | [analysis.checks]
5 | exclude =
6 | include = mcn_scm_authenticity_1
7 |
--------------------------------------------------------------------------------
/tests/integration/cases/scm_authenticity/policy_fail_1.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

// Negative case: the policy holds only when the SCM authenticity check FAILED for the
// component (config.ini in this case restricts the analysis to mcn_scm_authenticity_1).
Policy("test_policy", component_id, "") :-
    check_failed(component_id, "mcn_scm_authenticity_1").

// Restrict the policy to the flink-cep vendor build analyzed in this test case.
apply_policy_to("test_policy", component_id) :-
    is_component(component_id, "pkg:maven/com.alibaba.ververica/flink-cep@1.17-vvr-8.0.8").
--------------------------------------------------------------------------------
/tests/integration/cases/scm_authenticity/policy_pass_1.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

// Positive case: the policy holds only when the SCM authenticity check PASSED for the
// component (config.ini in this case restricts the analysis to mcn_scm_authenticity_1).
Policy("test_policy", component_id, "") :-
    check_passed(component_id, "mcn_scm_authenticity_1").

// Restrict the policy to the antlr4-maven-plugin component analyzed in this test case.
apply_policy_to("test_policy", component_id) :-
    is_component(component_id, "pkg:maven/org.antlr/antlr4-maven-plugin@4.13.2").
--------------------------------------------------------------------------------
/tests/integration/cases/scm_authenticity/policy_pass_2.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

// Second positive case, identical to policy_pass_1.dl except for the target component:
// the SCM authenticity check must have PASSED.
Policy("test_policy", component_id, "") :-
    check_passed(component_id, "mcn_scm_authenticity_1").

// Restrict the policy to the neo4j cypher-parser-common component analyzed in this test case.
apply_policy_to("test_policy", component_id) :-
    is_component(component_id, "pkg:maven/org.neo4j/cypher-parser-common@5.21.2").
--------------------------------------------------------------------------------
/tests/integration/cases/semver/config.ini:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | [repofinder]
5 | find_repos = False
6 |
--------------------------------------------------------------------------------
/tests/integration/cases/semver/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Extracting repository URL and commit from provenance while Repo Finder is disabled.
6 |
7 | tags:
8 | - macaron-python-package
9 | - npm-registry-testcase
10 | - tutorial
11 |
12 | steps:
13 | - name: Run macaron analyze
14 | kind: analyze
15 | options:
16 | ini: config.ini
17 | command_args:
18 | - -purl
19 | - pkg:npm/semver@7.6.2
20 | - --verify-provenance
21 | - name: Run macaron verify-policy to verify passed/failed checks
22 | kind: verify
23 | options:
24 | policy: policy.dl
25 |
--------------------------------------------------------------------------------
/tests/integration/cases/sigstore_mock/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing the PURL when automatic dependency resolution is skipped.
6 |
7 | tags:
8 | - macaron-python-package
9 | - npm-registry-testcase
10 |
11 | steps:
12 | - name: Run macaron analyze
13 | kind: analyze
14 | options:
15 | command_args:
16 | - -purl
17 | - pkg:npm/@sigstore/mock@0.1.0
18 | - -rp
19 | - https://github.com/sigstore/sigstore-js
20 | - -b
21 | - main
22 | - -d
23 | - ebdcfdfbdfeb9c9aeee6df53674ef230613629f5
24 | - --verify-provenance
25 | - name: Run macaron verify-policy to verify passed/failed checks
26 | kind: verify
27 | options:
28 | policy: policy.dl
29 |
--------------------------------------------------------------------------------
/tests/integration/cases/sigstore_sget/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analysing the repo path, the branch name and the
6 | commit digest for a Go project, skipping dependency resolution.
7 |
8 | tags:
9 | - macaron-python-package
10 |
11 | steps:
12 | - name: Run macaron analyze
13 | kind: analyze
14 | options:
15 | command_args:
16 | - -rp
17 | - https://github.com/sigstore/sget
18 | - -b
19 | - main
20 | - -d
21 | - 99e7b91204d391ccc76507f7079b6d2a7957489e
22 | - name: Run macaron verify-policy to verify passed/failed checks
23 | kind: verify
24 | options:
25 | policy: policy.dl
26 |
--------------------------------------------------------------------------------
/tests/integration/cases/slsa-framework_slsa-verifier/expectation.cue:
--------------------------------------------------------------------------------
1 | {
2 | target: "pkg:github.com/slsa-framework/slsa-verifier",
3 | predicate: {
4 | invocation: {
5 | configSource: {
6 | uri: =~"^git\\+https://github.com/slsa-framework/slsa-verifier@refs/tags/v[0-9]+.[0-9]+.[0-9a-z]+$"
7 | entryPoint: ".github/workflows/release.yml"
8 | }
9 | }
10 | }
11 | }
12 |
--------------------------------------------------------------------------------
/tests/integration/cases/slsa-framework_slsa-verifier/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Test CUE provenance expectation check and policy verification.
6 |
7 | tags:
8 | - macaron-python-package
9 | - macaron-docker-image
10 |
11 | steps:
12 | - name: Run macaron analyze
13 | kind: analyze
14 | options:
15 | expectation: expectation.cue
16 | command_args:
17 | - -rp
18 | - https://github.com/slsa-framework/slsa-verifier
19 | - -b
20 | - main
21 | - -d
22 | - e6428d7da594455a4c2b7f24907fec421a5e0e95
23 | - name: Run macaron verify-policy to verify passed/failed checks
24 | kind: verify
25 | options:
26 | policy: policy.dl
27 |
--------------------------------------------------------------------------------
/tests/integration/cases/slsa-framework_slsa-verifier_explicit_provenance_provided/expectation.cue:
--------------------------------------------------------------------------------
1 | {
2 | target: "pkg:github.com/slsa-framework/slsa-verifier",
3 | predicate: {
4 | invocation: {
5 | configSource: {
6 | uri: =~"^git\\+https://github.com/slsa-framework/slsa-verifier@refs/tags/v[0-9]+.[0-9]+.[0-9a-z]+$"
7 | entryPoint: ".github/workflows/release.yml"
8 | }
9 | }
10 | }
11 | }
12 |
--------------------------------------------------------------------------------
/tests/integration/cases/slsa-framework_slsa-verifier_explicit_provenance_provided/url_link_config.ini:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | [slsa.verifier]
5 | url_link_hostname_allowlist =
6 | github.com
7 |
8 | [analysis.checks]
9 | exclude = mcn_provenance_level_three_1
10 | include = *
11 |
--------------------------------------------------------------------------------
/tests/integration/cases/snakeyaml_unsupported_git_service/config.ini:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | [git_service.local_repo]
5 | hostname = bitbucket.org
6 |
--------------------------------------------------------------------------------
/tests/integration/cases/tautoak4-hello-world/policy.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

// The package is a known malicious one (see test.yaml), so the expected outcome is that the
// malicious metadata check FAILS; the policy holds exactly in that case.
Policy("check-malicious-package", component_id, "Check the malicious package.") :-
    check_failed(component_id, "mcn_detect_malicious_metadata_1").

// Unversioned PURL: the policy applies to whichever version of the npm package was analyzed.
apply_policy_to("check-malicious-package", component_id) :-
    is_component(component_id, "pkg:npm/tautoak4-hello-world").
--------------------------------------------------------------------------------
/tests/integration/cases/tautoak4-hello-world/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing a known malicious package.
6 |
7 | tags:
8 | - macaron-python-package
9 | - macaron-docker-image
10 |
11 | steps:
12 | - name: Run macaron analyze
13 | kind: analyze
14 | options:
15 | command_args:
16 | - -purl
17 | - pkg:npm/tautoak4-hello-world
18 | - name: Run macaron verify-policy to verify that the malicious metadata check fails.
19 | kind: verify
20 | options:
21 | policy: policy.dl
22 |
--------------------------------------------------------------------------------
/tests/integration/cases/test_analyzing_an_invalid_local_repo_path/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing an invalid local repo path.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | main_args:
15 | - -lr
16 | - ./output/git_repos/github_com
17 | command_args:
18 | - -rp
19 | - path/to/invalid/repo
20 | expect_fail: true
21 |
--------------------------------------------------------------------------------
/tests/integration/cases/test_not_pulling_from_remote_for_a_local_repo/test.sh:
--------------------------------------------------------------------------------
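#!/bin/bash
# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# When we run the analysis, because we are providing a local repo path, Macaron is not supposed to pull the
# latest changes (i.e. the second commit of SOURCE_REPO) into TARGET_REPO.
# Therefore, this analysis is expected to fail because the commit HEAD_COMMIT_SHA does not exist in TARGET_REPO.
#
# The digest is read from a file because it is regenerated on every run (presumably by setup.sh, which
# test.yaml runs first) and so cannot be hard-coded here.
HEAD_COMMIT_SHA=$(cat target_commit_sha.txt)

# test.yaml marks this step expect_fail, so a missing or empty digest file would make the analysis fail
# for the wrong reason (an empty "-d" argument) and the test would pass vacuously. The harness cannot tell
# the two failures apart, so at least make the misconfiguration visible in the step output.
if [[ -z "$HEAD_COMMIT_SHA" ]]; then
    echo "test.sh: target_commit_sha.txt is missing or empty; cannot run the analysis with a valid digest." >&2
    exit 2
fi

macaron -lr ./output/git_repos/local_repos/ analyze -rp target -d "$HEAD_COMMIT_SHA"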
--------------------------------------------------------------------------------
/tests/integration/cases/test_not_pulling_from_remote_for_a_local_repo/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Test not pulling from remote for a locally cloned repo.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Preparing the testing environments
12 | kind: shell
13 | options:
14 | cmd: ./setup.sh
15 | expect_fail: false
16 | # We need to run this test case inside a shell script because we need to obtain the commit hash to analyze,
17 | # which changes on every run.
18 | - name: Run macaron analyze
19 | kind: shell
20 | options:
21 | cmd: ./test.sh
22 | expect_fail: true
23 | - name: Clean up the target_commit_sha.txt file
24 | kind: shell
25 | options:
26 | cmd: rm -f target_commit_sha.txt
27 | expect_fail: false
28 |
--------------------------------------------------------------------------------
/tests/integration/cases/test_using_a_repo_path_outside_of_local_repos_dir/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing a local repository whose path is outside of local_repos directory.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Prepare the local repo directory.
12 | kind: shell
13 | options:
14 | cmd: mkdir -p ./output/git_repos/local_repos
15 | - name: Run macaron analyze
16 | kind: analyze
17 | options:
18 | main_args:
19 | - -lr
20 | - ./output/git_repos/local_repos/
21 | command_args:
22 | - -rp
23 | - ../
24 | expect_fail: true
25 |
--------------------------------------------------------------------------------
/tests/integration/cases/test_using_invalid_local_repos_dir/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing with an invalid local repos directory.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | main_args:
15 | - -lr
16 | - ./output/invalid_dir_should_fail
17 | command_args:
18 | - -rp
19 | - apache/maven
20 | expect_fail: true
21 |
--------------------------------------------------------------------------------
/tests/integration/cases/test_using_local_repo_with_no_commit/setup.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Create an initialized but commit-less git repository under the local repos directory,
# which test.yaml then points Macaron at (expecting the analysis to fail).
# The path is relative, so the script is assumed to run from the test-case directory.
repo_dir="output/git_repos/local_repos/empty_repo"

mkdir -p "$repo_dir"
# Abort if the directory cannot be entered, so git init never runs somewhere unintended.
cd "$repo_dir" || exit 1
git init
--------------------------------------------------------------------------------
/tests/integration/cases/test_using_local_repo_with_no_commit/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing a local repository with no commit.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Prepare the local repo
12 | kind: shell
13 | options:
14 | cmd: ./setup.sh
15 | - name: Run macaron analyze
16 | kind: analyze
17 | options:
18 | main_args:
19 | - -lr
20 | - output/git_repos/local_repos
21 | command_args:
22 | - -rp
23 | - empty_repo
24 | expect_fail: true
25 |
--------------------------------------------------------------------------------
/tests/integration/cases/timyarkov_docker_test/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing the repo path, the branch name and the commit digest when automatic dependency resolution
6 | is skipped, for a project using docker as a build tool.
7 |
8 | tags:
9 | - macaron-python-package
10 |
11 | steps:
12 | - name: Run macaron analyze
13 | kind: analyze
14 | options:
15 | command_args:
16 | - -rp
17 | - https://github.com/timyarkov/docker_test
18 | - -b
19 | - main
20 | - -d
21 | - 404a51a2f38c4470af6b32e4e00b5318c2d7c0cc
22 | - name: Run macaron verify-policy to verify passed/failed checks
23 | kind: verify
24 | options:
25 | policy: policy.dl
26 |
--------------------------------------------------------------------------------
/tests/integration/cases/timyarkov_multibuild_test_gradle/dependencies.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "id": "org.springframework.boot:spring-boot-starter-thymeleaf",
4 | "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-thymeleaf@3.0.0?type=jar",
5 | "path": "https://github.com/spring-projects/spring-boot",
6 | "branch": "",
7 | "digest": "",
8 | "note": "",
9 | "available": "AVAILABLE"
10 | },
11 | {
12 | "id": "org.springframework.boot:spring-boot-starter-web",
13 | "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-web@3.0.0?type=jar",
14 | "path": "https://github.com/spring-projects/spring-boot",
15 | "branch": "",
16 | "digest": "",
17 | "note": "https://github.com/spring-projects/spring-boot is already analyzed.",
18 | "available": "DUPLICATED REPO URL"
19 | }
20 | ]
21 |
--------------------------------------------------------------------------------
/tests/integration/cases/timyarkov_multibuild_test_maven/dependencies.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "id": "com.google.code.gson:gson",
4 | "purl": "pkg:maven/com.google.code.gson/gson@2.10.1?type=jar",
5 | "path": "https://github.com/google/gson",
6 | "branch": "",
7 | "digest": "",
8 | "note": "",
9 | "available": "AVAILABLE"
10 | }
11 | ]
12 |
--------------------------------------------------------------------------------
/tests/integration/cases/tutorial_npm_verify_provenance_semver/policy_7_6_2.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

// The policy holds only when all three provenance checks passed: the repository and commit
// were derived from the provenance, and the provenance itself was verified.
Policy("has-verified-provenance", component_id, "Require a verified provenance file.") :-
    check_passed(component_id, "mcn_provenance_derived_repo_1"),
    check_passed(component_id, "mcn_provenance_derived_commit_1"),
    check_passed(component_id, "mcn_provenance_verified_1").

// Pinned to one exact version; policy_7_6_x.dl is the pattern-matching variant of this file.
apply_policy_to("has-verified-provenance", component_id) :-
    is_component(component_id, "pkg:npm/semver@7.6.2").
--------------------------------------------------------------------------------
/tests/integration/cases/tutorial_npm_verify_provenance_semver/policy_7_6_x.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

// Same requirement as policy_7_6_2.dl: repository and commit derived from provenance,
// and the provenance verified.
Policy("has-verified-provenance", component_id, "Require a verified provenance file.") :-
    check_passed(component_id, "mcn_provenance_derived_repo_1"),
    check_passed(component_id, "mcn_provenance_derived_commit_1"),
    check_passed(component_id, "mcn_provenance_verified_1").

// Instead of pinning one version, bind the component's PURL and apply the policy to every
// component whose PURL matches the "pkg:npm/semver@7.6.*" pattern.
apply_policy_to("has-verified-provenance", component_id) :-
    is_component(component_id, purl),
    match("pkg:npm/semver@7.6.*", purl).
--------------------------------------------------------------------------------
/tests/integration/cases/tutorial_source_finder/check_output.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Verify that the find-source report for semver records the expected commit and repository.
# The script's exit status is the test result: non-zero on the first mismatch.
report="output/reports/npm/semver/semver.source.json"

# Check the commit first; stop early on a mismatch so the repo field is only inspected when it matched.
if [[ "$(jq -r '.commit' "$report")" != "eb1380b1ecd74f6572831294d55ef4537dfe1a2a" ]]; then
    exit 1
fi
[[ "$(jq -r '.repo' "$report")" = "https://github.com/npm/node-semver" ]]
--------------------------------------------------------------------------------
/tests/integration/cases/tutorial_source_finder/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Performing the examples provided within the related tutorial.
6 |
7 | tags:
8 | - tutorial
9 |
10 | steps:
11 | - name: Run macaron find source
12 | kind: find-source
13 | options:
14 | command_args:
15 | - -purl
16 | - pkg:npm/semver@7.6.2
17 | - name: Check the report contents
18 | kind: shell
19 | options:
20 | cmd: ./check_output.sh
21 |
--------------------------------------------------------------------------------
/tests/integration/cases/type-extension/policy.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

// The package is a known malicious one (see test.yaml), so the expected outcome is that the
// malicious metadata check FAILS; the policy holds exactly in that case.
Policy("check-malicious-package", component_id, "Check the malicious package.") :-
    check_failed(component_id, "mcn_detect_malicious_metadata_1").

// Unversioned PURL: the policy applies to whichever version of the PyPI package was analyzed.
apply_policy_to("check-malicious-package", component_id) :-
    is_component(component_id, "pkg:pypi/type-extension").
--------------------------------------------------------------------------------
/tests/integration/cases/type-extension/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing a known malicious package.
6 |
7 | tags:
8 | - macaron-python-package
9 | - macaron-docker-image
10 |
11 | steps:
12 | - name: Run macaron analyze
13 | kind: analyze
14 | options:
15 | command_args:
16 | - -purl
17 | - pkg:pypi/type-extension
18 | - name: Run macaron verify-policy to verify that the malicious metadata check fails.
19 | kind: verify
20 | options:
21 | policy: policy.dl
22 |
--------------------------------------------------------------------------------
/tests/integration/cases/uiv-lib_uiv/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analysing the repo path, the branch name and the commit digest for an npm project,
6 | skipping dependency resolution.
7 |
8 | tags:
9 | - macaron-python-package
10 |
11 | steps:
12 | - name: Run macaron analyze
13 | kind: analyze
14 | options:
15 | command_args:
16 | - -rp
17 | - https://github.com/uiv-lib/uiv
18 | - -b
19 | - dev
20 | - -d
21 | - 057b25b4db0913edab4cf728c306085e6fc20d49
22 | - name: Run macaron verify-policy to verify passed/failed checks
23 | kind: verify
24 | options:
25 | policy: policy.dl
26 |
--------------------------------------------------------------------------------
/tests/integration/cases/ultralytics/policy.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

// Unlike the ultralytics_8.3.46 case, this analyzes the unpinned package (latest version),
// which is expected to be clean: the policy holds only when the malicious metadata check PASSED.
// The policy name and description are kept identical to the malicious-case policies.
Policy("check-malicious-package", component_id, "Check the malicious package.") :-
    check_passed(component_id, "mcn_detect_malicious_metadata_1").

// Unversioned PURL: applies to whichever version of the PyPI package was analyzed.
apply_policy_to("check-malicious-package", component_id) :-
    is_component(component_id, "pkg:pypi/ultralytics").
--------------------------------------------------------------------------------
/tests/integration/cases/ultralytics/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing a popular package, some of whose versions are compromised.
6 |
7 | tags:
8 | - macaron-python-package
9 | - macaron-docker-image
10 |
11 | steps:
12 | - name: Run macaron analyze
13 | kind: analyze
14 | options:
15 | command_args:
16 | - -purl
17 | - pkg:pypi/ultralytics
18 | - name: Run macaron verify-policy to verify that the malicious metadata check passes.
19 | kind: verify
20 | options:
21 | policy: policy.dl
22 |
--------------------------------------------------------------------------------
/tests/integration/cases/ultralytics_8.3.46/policy.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

// Version 8.3.46 is a known malicious release (see test.yaml), so the expected outcome is that
// the malicious metadata check FAILS; the policy holds exactly in that case.
Policy("check-malicious-package", component_id, "Check the malicious package.") :-
    check_failed(component_id, "mcn_detect_malicious_metadata_1").

// Pinned to the compromised version, in contrast to the unversioned ultralytics/policy.dl.
apply_policy_to("check-malicious-package", component_id) :-
    is_component(component_id, "pkg:pypi/ultralytics@8.3.46").
--------------------------------------------------------------------------------
/tests/integration/cases/ultralytics_8.3.46/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing a known malicious package.
6 |
7 | tags:
8 | - macaron-python-package
9 | - macaron-docker-image
10 |
11 | steps:
12 | - name: Run macaron analyze
13 | kind: analyze
14 | options:
15 | command_args:
16 | - -purl
17 | - pkg:pypi/ultralytics@8.3.46
18 | - name: Run macaron verify-policy to verify that the malicious metadata check fails.
19 | kind: verify
20 | options:
21 | policy: policy.dl
22 |
--------------------------------------------------------------------------------
/tests/integration/cases/update_local_repositories/modify_clone.sh:
--------------------------------------------------------------------------------
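#!/bin/bash
# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Test helper for the update_local_repositories integration case: delete the
# "avaje-prisms-1.1" tag from the local clone of avaje/avaje-prisms.
# NOTE(review): presumably this forces a later analysis to refresh the clone
# from the remote before the tag can be resolved again — confirm against the
# case's test.yaml, which is not shown here.

# Fail fast on errors and unset variables. Without this, a failing `cd` (for
# example when the clone does not exist yet) would let `git tag --delete` run
# in whatever directory the script was started from, i.e. against the wrong
# repository.
set -eu

repo_dir="output/git_repos/github_com/avaje/avaje-prisms"

cd "$repo_dir" || exit 1
git tag --delete avaje-prisms-1.1
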
--------------------------------------------------------------------------------
/tests/integration/cases/update_local_repositories/policy.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

// Policy for the update_local_repositories integration case. modify_clone.sh in
// the same directory deletes the avaje-prisms-1.1 tag from the local clone; this
// policy then requires that the version-control-system check still passed and
// that the component's repository URL resolved to avaje/avaje-prisms.
// NOTE(review): presumably this proves the local clone is refreshed from the
// remote — confirm against the case's test.yaml, which is not shown here.
Policy("test_policy", component_id, "") :-
    check_passed(component_id, "mcn_version_control_system_1"),
    is_repo_url(component_id, "https://github.com/avaje/avaje-prisms").

// Apply the policy only to the Maven artifact under test.
apply_policy_to("test_policy", component_id) :-
    is_component(component_id, "pkg:maven/io.avaje/avaje-prisms@1.1").

--------------------------------------------------------------------------------
/tests/integration/cases/urllib3_expectation_dir/expectation/expectation.cue:
--------------------------------------------------------------------------------
1 | {
2 | target: "pkg:pypi/urllib3",
3 | predicate: {
4 | invocation: {
5 | configSource: {
6 | uri: =~"^git\\+https://github.com/urllib3/urllib3@refs/tags/v?[0-9]+.[0-9]+.[0-9a-z]+$"
7 | entryPoint: ".github/workflows/publish.yml"
8 | }
9 | }
10 | }
11 | }
12 |
--------------------------------------------------------------------------------
/tests/integration/cases/urllib3_expectation_dir/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing the repo path when automatic dependency resolution is skipped.
6 | The CUE expectation file should be found via the directory path.
7 |
8 | tags:
9 | - macaron-python-package
10 | - macaron-docker-image
11 |
12 | steps:
13 | - name: Run macaron analyze with expectation directory
14 | kind: analyze
15 | options:
16 | command_args:
17 | - -purl
18 | - pkg:pypi/urllib3@2.0.0a1
19 | - --provenance-expectation
20 | - expectation
21 | - --verify-provenance
22 | - name: Run macaron verify-policy to verify passed/failed checks
23 | kind: verify
24 | options:
25 | policy: policy.dl
26 |
--------------------------------------------------------------------------------
/tests/integration/cases/urllib3_expectation_file/expectation.cue:
--------------------------------------------------------------------------------
1 | {
2 | target: "pkg:pypi/urllib3",
3 | predicate: {
4 | invocation: {
5 | configSource: {
6 | uri: =~"^git\\+https://github.com/urllib3/urllib3@refs/tags/v?[0-9]+.[0-9]+.[0-9a-z]+$"
7 | entryPoint: ".github/workflows/publish.yml"
8 | }
9 | }
10 | }
11 | }
12 |
--------------------------------------------------------------------------------
/tests/integration/cases/urllib3_expectation_file/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing the repo path when automatic dependency resolution is skipped.
6 | The CUE expectation file is provided as a single file path.
7 |
8 | tags:
9 | - macaron-python-package
10 | - macaron-docker-image
11 |
12 | steps:
13 | - name: Run macaron analyze with expectation file
14 | kind: analyze
15 | options:
16 | expectation: expectation.cue
17 | command_args:
18 | - -purl
19 | - pkg:pypi/urllib3@2.0.0a1
20 | - --verify-provenance
21 | - name: Run macaron verify-policy to verify passed/failed checks
22 | kind: verify
23 | options:
24 | policy: policy.dl
25 |
--------------------------------------------------------------------------------
/tests/integration/cases/urllib3_invalid_expectation/invalid_expectation.cue:
--------------------------------------------------------------------------------
1 | INVALID
2 |
--------------------------------------------------------------------------------
/tests/integration/cases/urllib3_invalid_expectation/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analyzing the repo path when automatic dependency resolution is skipped.
6 | The CUE expectation file is invalid.
7 |
8 | tags:
9 | - macaron-python-package
10 | - macaron-docker-image
11 |
12 | steps:
13 | - name: Run macaron analyze with invalid expectation file
14 | kind: analyze
15 | options:
16 | expectation: invalid_expectation.cue
17 | command_args:
18 | - -purl
19 | - pkg:pypi/urllib3@2.0.0a1
20 | - --verify-provenance
21 | - name: Run macaron verify-policy to verify passed/failed checks
22 | kind: verify
23 | options:
24 | policy: policy.dl
25 |
--------------------------------------------------------------------------------
/tests/integration/cases/urllib3_no_tag/policy.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

#include "prelude.dl"

// Policy for the urllib3_no_tag integration case. The analyzed commit does not
// correspond to a tag (see test.yaml in the same directory), so the
// provenance-available check is expected to FAIL: the policy is satisfied only
// when that check failed and the repository URL resolved to urllib3/urllib3.
Policy("test_policy", component_id, "") :-
    check_failed(component_id, "mcn_provenance_available_1"),
    is_repo_url(component_id, "https://github.com/urllib3/urllib3").

// Apply the policy only to the component identified by the repository PURL
// with the analyzed commit digest (the same digest test.yaml passes via --digest).
apply_policy_to("test_policy", component_id) :-
    is_component(component_id, "pkg:github.com/urllib3/urllib3@87a0ecee6e691fe5ff93cd000c0158deebef763b").

--------------------------------------------------------------------------------
/tests/integration/cases/urllib3_no_tag/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Testing the outcome of the provenance available check when the provided commit does not match a tag.
6 |
7 | tags:
8 | - macaron-python-package
9 |
10 | steps:
11 | - name: Run macaron analyze
12 | kind: analyze
13 | options:
14 | command_args:
15 | - --repo-path
16 | - https://github.com/urllib3/urllib3
17 | - --branch
18 | - main
19 | - --digest
20 | - 87a0ecee6e691fe5ff93cd000c0158deebef763b
21 | - name: Run macaron verify-policy to verify failed check
22 | kind: verify
23 | options:
24 | policy: policy.dl
25 |
--------------------------------------------------------------------------------
/tests/integration/cases/wojtekmaj_reactpdf_yarn_modern/test.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | description: |
5 | Analysing the repo path, the branch name and the commit digest for a Yarn modern
6 | project, skipping dependency resolution.
7 |
8 | tags:
9 | - macaron-python-package
10 |
11 | steps:
12 | - name: Run macaron analyze
13 | kind: analyze
14 | options:
15 | command_args:
16 | - -rp
17 | - https://github.com/wojtekmaj/react-pdf
18 | - -b
19 | - main
20 | - -d
21 | - be18436b7be827eb993b2e1e4bd9230dd835a9a3
22 | - name: Run macaron verify-policy to verify passed/failed checks
23 | kind: verify
24 | options:
25 | policy: policy.dl
26 |
--------------------------------------------------------------------------------
/tests/malware_analyzer/pypi/resources/custom_sample.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | # This is a sample file designed to ensure the functionality for providing
5 | # custom Semgrep rules works as expected
6 |
7 | rules:
8 | - id: custom_sample_1
9 | metadata:
10 | description: Detects the statement for disabling exports
11 | message: Detected disabling of exports
12 | languages:
13 | - python
14 | severity: ERROR
15 | pattern: __all__ = []
16 | - id: custom_sample_2
17 | metadata:
18 | description: Detects sys.exit()
19 | message: Detected sys.exit()
20 | languages:
21 | - python
22 | severity: ERROR
23 | pattern: sys.exit()
24 |
--------------------------------------------------------------------------------
/tests/malware_analyzer/pypi/resources/sourcecode_samples/exfiltration/expected_results.json:
--------------------------------------------------------------------------------
1 | {
2 | "enabled_sourcecode_rule_findings": {
3 | "src.macaron.resources.pypi_malware_rules.exfiltration_remote-exfiltration": {
4 | "message": "Detected exfiltration of sensitive data to a remote endpoint",
5 | "detections": [
6 | {
7 | "file": "exfiltration/remote_exfiltration.py",
8 | "start": 31,
9 | "end": 31
10 | },
11 | {
12 | "file": "exfiltration/remote_exfiltration.py",
13 | "start": 42,
14 | "end": 42
15 | },
16 | {
17 | "file": "exfiltration/remote_exfiltration.py",
18 | "start": 50,
19 | "end": 50
20 | }
21 | ]
22 | }
23 | },
24 | "disabled_sourcecode_rule_findings": {}
25 | }
26 |
--------------------------------------------------------------------------------
/tests/output_reporter/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/parsers/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/parsers/actionparser/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/parsers/actionparser/resources/workflow_files/invalid.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | This is an invalid workflow.
5 |
--------------------------------------------------------------------------------
/tests/parsers/bashparser/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/parsers/bashparser/resources/bash_files/invalid.sh:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | #! bin/bash
5 |
6 | { invalid: invalid }
7 |
--------------------------------------------------------------------------------
/tests/parsers/bashparser/resources/bash_files/path_traversal.sh:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | ../../../../../../script.sh
5 |
--------------------------------------------------------------------------------
/tests/parsers/bashparser/resources/bash_files/recursive.sh:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | recursive.sh
5 |
--------------------------------------------------------------------------------
/tests/parsers/bashparser/resources/bash_files/valid_github_action_bash.sh:
--------------------------------------------------------------------------------
# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Fixture for the bash parser tests. The expected parse is recorded in
# tests/parsers/bashparser/resources/expected_results/valid_github_action_bash.json,
# where every `${{ ... }}` GitHub Actions expression has been replaced by
# $MACARON_UNKNOWN. Comment lines do not appear in that output, so editing
# comments here is safe; changing any command below requires updating the JSON.

# This is a valid GitHub Actions expression.
echo "hash=${{ steps.compute-hash.outputs.hash }}" >> "$GITHUB_OUTPUT"

# These may not be valid GitHub Actions expressions but we want to make
# sure we can handle such cases using greedy regex matching.
echo "hash=${{ ${{ FOO }} }}"
echo "hash=${{ ${ FOO } }}"
echo "hash=${{ $FOO }}"
echo "hash=${{ {FOO} }}"
echo "hash=${{}}"
git tag -m "Release milestone ${{ needs.prepare.outputs.fullVersion }}" v${{ needs.prepare.outputs.fullVersion }} ${{ github.sha }}

--------------------------------------------------------------------------------
/tests/parsers/bashparser/resources/expected_results/valid_github_action_bash.json:
--------------------------------------------------------------------------------
1 | {
2 | "commands": [
3 | [
4 | "echo",
5 | "\"hash=$MACARON_UNKNOWN\""
6 | ],
7 | [
8 | "echo",
9 | "\"hash=$MACARON_UNKNOWN }}\""
10 | ],
11 | [
12 | "echo",
13 | "\"hash=$MACARON_UNKNOWN\""
14 | ],
15 | [
16 | "echo",
17 | "\"hash=$MACARON_UNKNOWN\""
18 | ],
19 | [
20 | "echo",
21 | "\"hash=$MACARON_UNKNOWN\""
22 | ],
23 | [
24 | "echo",
25 | "\"hash=$MACARON_UNKNOWN\""
26 | ],
27 | [
28 | "git",
29 | "tag",
30 | "-m",
31 | "\"Release milestone $MACARON_UNKNOWN\"",
32 | "v$MACARON_UNKNOWN",
33 | "$MACARON_UNKNOWN"
34 | ]
35 | ]
36 | }
37 |
--------------------------------------------------------------------------------
/tests/parsers/yaml/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/parsers/yaml/resources/invalid.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | # Not a valid yaml file.
5 | null:
6 |
--------------------------------------------------------------------------------
/tests/parsers/yaml/resources/not_valid_against_schema.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | # This is a valid YAML file and matches the schema.
5 |
6 | target:
7 | id: id
8 | path: https://github.com/owner/name.git
9 | branch: master
10 | digest: aac3b3bcb608e1e8451d4beedd38ecbe6306e7e7
11 |
12 | dependencies:
13 | - id: id
14 | path: https://github.com/owner/name.git
15 | branch: master
16 | digest: aac3b3bcb608e1e8451d4beedd38ecbe6306e7e7
17 | - id: id
18 | path: https://github.com/owner/name.git
19 | branch: master
20 | digest: aac3b3bcb608e1e8451d4beedd38ecbe6306e7e7
21 |
--------------------------------------------------------------------------------
/tests/parsers/yaml/resources/schema.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
3 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
4 |
5 | # The main target of the analysis
6 | target: include('analyze_target', required=True)
7 |
8 | # The list of direct dependencies
9 | dependencies: list(include('analyze_target'), min=0, required=False)
10 |
11 | ---
12 | analyze_target:
13 | id: str(required=True)
14 |
15 | # The url of the remote repository or a local path
16 | path: str(required=True)
17 |
18 | # Optional, if not specified we use the default branch
19 | branch: str(required=False)
20 |
21 | # Optional, if not specified we use the latest commit
22 | digest: str(required=False)
23 |
--------------------------------------------------------------------------------
/tests/parsers/yaml/resources/valid_against_schema.yaml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | # This is a valid YAML file, but the content does not match the schema.
5 |
6 | target:
7 | # Missing id and path.
8 | branch: master
9 | digest: aac3b3bcb608e1e8451d4beedd38ecbe6306e7e7
10 |
--------------------------------------------------------------------------------
/tests/policy_engine/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/policy_engine/expected_results/policy_report.json:
--------------------------------------------------------------------------------
1 | {
2 | "passed_policies": [
3 | [
4 | "auth-provenance"
5 | ]
6 | ],
7 | "failed_policies": [],
8 | "component_violates_policy": [],
9 | "component_satisfies_policy": [
10 | [
11 | "121",
12 | "pkg:github.com/slsa-framework/slsa-verifier@fc50b662fcfeeeb0e97243554b47d9b20b14efac",
13 | "auth-provenance"
14 | ]
15 | ]
16 | }
17 |
--------------------------------------------------------------------------------
/tests/policy_engine/resources/facts/edge.facts:
--------------------------------------------------------------------------------
1 | 1 2
2 | 2 3
3 |
--------------------------------------------------------------------------------
/tests/policy_engine/resources/facts/macaron.db.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/tests/policy_engine/resources/facts/macaron.db.gz
--------------------------------------------------------------------------------
/tests/policy_engine/resources/facts/test.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

// Minimal Soufflé program used by the policy-engine tests: it computes the
// transitive closure of a directed graph.

// Input edges; see edge.facts in this directory (one "x y" pair per line).
.decl edge(x:number, y:number)
.input edge

// Reachability: path(x, y) holds when y can be reached from x over one or more edges.
.decl path(x:number, y:number)
.output path

// Base case: every edge is a path.
path(x, y) :- edge(x, y).
// Inductive case: extend an existing path by one more edge.
path(x, y) :- path(x, z), edge(z, y).

--------------------------------------------------------------------------------
/tests/policy_engine/resources/policies/urllib3/urllib3.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */


#include "prelude.dl"

/**
 * This is an example policy for the urllib3/urllib3 project.
 * See: https://github.com/urllib3/urllib3
 */

// A component satisfies the policy when its build-service check passed and
// the provenance requirements in verify_provenance below are met.
Policy("urllib3", id, "") :-
    check_passed(id, "mcn_build_service_1"),
    verify_provenance(id).


// Projects that we expect to generate a provenance: both the SLSA level-three
// provenance check and the provenance-expectation check must have passed.
.decl verify_provenance(id: number)
verify_provenance(id) :-
    check_passed(id, "mcn_provenance_level_three_1"),
    check_passed(id, "mcn_provenance_expectation_1").

// Apply the policy to every id whose repository is github.com/urllib3/urllib3;
// the remaining is_repo argument is left unconstrained.
apply_policy_to("urllib3", id) :- is_repo(id, "github.com/urllib3/urllib3", _).

--------------------------------------------------------------------------------
/tests/policy_engine/resources/policies/valid/simple_example.dl:
--------------------------------------------------------------------------------
/* Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */


#include "prelude.dl"

// Smallest useful policy: "auth-provenance" is satisfied when the SLSA
// provenance level-three check passed for the id.
// NOTE(review): the policy name matches the one recorded in
// tests/policy_engine/expected_results/policy_report.json — presumably that
// report is the expected outcome of running this policy; confirm in the test.
Policy("auth-provenance", repositoryid, "") :- check_passed(repositoryid, "mcn_provenance_level_three_1").
// Apply to every known repository; the other is_repo arguments are unconstrained.
apply_policy_to("auth-provenance", repo_id) :- is_repo(repo_id, _, _).

--------------------------------------------------------------------------------
/tests/provenance/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/repo_finder/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/schema_validation/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/__snapshots__/test_docker.ambr:
--------------------------------------------------------------------------------
1 | # serializer version: 1
2 | # name: test_get_build_dirs[mock_repo0]
3 | list([
4 | PosixPath('.'),
5 | ])
6 | # ---
7 | # name: test_get_build_dirs[mock_repo1]
8 | list([
9 | PosixPath('project'),
10 | ])
11 | # ---
12 | # name: test_get_build_dirs[mock_repo2]
13 | list([
14 | PosixPath('.'),
15 | ])
16 | # ---
17 | # name: test_get_build_dirs[mock_repo3]
18 | list([
19 | PosixPath('.'),
20 | ])
21 | # ---
22 | # name: test_get_build_dirs[mock_repo4]
23 | list([
24 | ])
25 | # ---
26 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/__snapshots__/test_go.ambr:
--------------------------------------------------------------------------------
1 | # serializer version: 1
2 | # name: test_get_build_dirs[root_go_mod-go.mod]
3 | list([
4 | PosixPath('.'),
5 | ])
6 | # ---
7 | # name: test_get_build_dirs[no_go_mod-dummyfile.txt]
8 | list([
9 | ])
10 | # ---
11 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/__snapshots__/test_gradle.ambr:
--------------------------------------------------------------------------------
1 | # serializer version: 1
2 | # name: test_get_build_dirs[mock_repo0]
3 | list([
4 | PosixPath('.'),
5 | ])
6 | # ---
7 | # name: test_get_build_dirs[mock_repo1]
8 | list([
9 | PosixPath('.'),
10 | ])
11 | # ---
12 | # name: test_get_build_dirs[mock_repo2]
13 | list([
14 | ])
15 | # ---
16 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/__snapshots__/test_maven.ambr:
--------------------------------------------------------------------------------
1 | # serializer version: 1
2 | # name: test_get_build_dirs[mock_repo0]
3 | list([
4 | PosixPath('.'),
5 | ])
6 | # ---
7 | # name: test_get_build_dirs[mock_repo1]
8 | list([
9 | PosixPath('sub_module_1'),
10 | PosixPath('sub_module_2'),
11 | ])
12 | # ---
13 | # name: test_get_build_dirs[mock_repo2]
14 | list([
15 | ])
16 | # ---
17 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/__snapshots__/test_npm.ambr:
--------------------------------------------------------------------------------
1 | # serializer version: 1
2 | # name: test_get_build_dirs[mock_repo0]
3 | list([
4 | PosixPath('.'),
5 | ])
6 | # ---
7 | # name: test_get_build_dirs[mock_repo1]
8 | list([
9 | PosixPath('.'),
10 | ])
11 | # ---
12 | # name: test_get_build_dirs[mock_repo2]
13 | list([
14 | PosixPath('project'),
15 | ])
16 | # ---
17 | # name: test_get_build_dirs[mock_repo3]
18 | list([
19 | ])
20 | # ---
21 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/__snapshots__/test_poetry.ambr:
--------------------------------------------------------------------------------
1 | # serializer version: 1
2 | # name: test_get_build_dirs[mock_repo0]
3 | list([
4 | PosixPath('.'),
5 | ])
6 | # ---
7 | # name: test_get_build_dirs[mock_repo1]
8 | list([
9 | ])
10 | # ---
11 | # name: test_get_build_dirs[mock_repo2]
12 | list([
13 | PosixPath('.'),
14 | ])
15 | # ---
16 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/__snapshots__/test_yarn.ambr:
--------------------------------------------------------------------------------
1 | # serializer version: 1
2 | # name: test_get_build_dirs[mock_repo0]
3 | list([
4 | PosixPath('.'),
5 | ])
6 | # ---
7 | # name: test_get_build_dirs[mock_repo1]
8 | list([
9 | PosixPath('.'),
10 | ])
11 | # ---
12 | # name: test_get_build_dirs[mock_repo2]
13 | list([
14 | PosixPath('project'),
15 | ])
16 | # ---
17 | # name: test_get_build_dirs[mock_repo3]
18 | list([
19 | ])
20 | # ---
21 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/docker_repos/nested_dockerfile/project/Dockerfile:
--------------------------------------------------------------------------------
# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Mock-repo fixture for the Docker build-tool detection tests (see
# __snapshots__/test_docker.ambr); only the file's presence matters there.
# NOTE(review): a `# syntax=` parser directive is only honoured when it is the
# very first line of the Dockerfile; placed after the license comments it is
# treated as an ordinary comment. Harmless for this fixture.
# syntax=docker/dockerfile:1

# Base image pinned by digest rather than by mutable tag alone.
FROM node:18-alpine@sha256:51490771aba658439d29b1b03b60fc31e67bf0da3e01cb5903716310df4be1c1
CMD ["echo", "Hello!"]

--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/docker_repos/no_docker/dummy_file.txt:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/docker_repos/root_dockerfile/Dockerfile:
--------------------------------------------------------------------------------
# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Mock-repo fixture for the Docker build-tool detection tests (see
# __snapshots__/test_docker.ambr); only the file's presence matters there.
# NOTE(review): a `# syntax=` parser directive is only honoured when it is the
# very first line of the Dockerfile; placed after the license comments it is
# treated as an ordinary comment. Harmless for this fixture.
# syntax=docker/dockerfile:1

# Base image pinned by digest rather than by mutable tag alone.
FROM node:18-alpine@sha256:51490771aba658439d29b1b03b60fc31e67bf0da3e01cb5903716310df4be1c1
CMD ["echo", "Hello!"]

--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/docker_repos/root_dockerfile_wildcard/Dockerfile.final:
--------------------------------------------------------------------------------
# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Mock-repo fixture for the Docker build-tool detection tests (see
# __snapshots__/test_docker.ambr); only the file's presence matters there.
# NOTE(review): a `# syntax=` parser directive is only honoured when it is the
# very first line of the Dockerfile; placed after the license comments it is
# treated as an ordinary comment. Harmless for this fixture.
# syntax=docker/dockerfile:1

# Base image pinned by digest rather than by mutable tag alone.
FROM node:18-alpine@sha256:51490771aba658439d29b1b03b60fc31e67bf0da3e01cb5903716310df4be1c1
CMD ["echo", "Hello!"]

--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/docker_repos/root_wildcard_dockerfile/final.Dockerfile:
--------------------------------------------------------------------------------
# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Mock-repo fixture for the Docker build-tool detection tests (see
# __snapshots__/test_docker.ambr); only the file's presence matters there.
# NOTE(review): a `# syntax=` parser directive is only honoured when it is the
# very first line of the Dockerfile; placed after the license comments it is
# treated as an ordinary comment. Harmless for this fixture.
# syntax=docker/dockerfile:1

# Base image pinned by digest rather than by mutable tag alone.
FROM node:18-alpine@sha256:51490771aba658439d29b1b03b60fc31e67bf0da3e01cb5903716310df4be1c1
CMD ["echo", "Hello!"]

--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/go_repos/no_go_mod/dummy_file.txt:
--------------------------------------------------------------------------------
1 | Hello
2 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/gradle_repos/groovy_gradle/build.gradle:
--------------------------------------------------------------------------------
1 | /* Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved. */
2 | /* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/gradle_repos/groovy_gradle/project1/build.gradle:
--------------------------------------------------------------------------------
1 | /* Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. */
2 | /* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/gradle_repos/groovy_gradle/project2/build.gradle:
--------------------------------------------------------------------------------
1 | /* Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. */
2 | /* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/gradle_repos/groovy_gradle/settings.gradle:
--------------------------------------------------------------------------------
/* Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

// Settings for the Groovy-DSL multi-project fixture: name the root project and register the
// two sub-projects. `include` accepts several project paths, so one call covers both.
rootProject.name = 'groovy_gradle'
include 'project1', 'project2'
7 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/gradle_repos/kotlin_gradle/build.gradle.kts:
--------------------------------------------------------------------------------
1 | /* Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. */
2 | /* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/gradle_repos/kotlin_gradle/project1/build.gradle.kts:
--------------------------------------------------------------------------------
1 | /* Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. */
2 | /* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/gradle_repos/kotlin_gradle/project2/build.gradle.kts:
--------------------------------------------------------------------------------
1 | /* Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. */
2 | /* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/gradle_repos/kotlin_gradle/settings.gradle.kts:
--------------------------------------------------------------------------------
/* Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */

// Settings for the Kotlin-DSL multi-project fixture: name the root project and register the
// two sub-projects. `include` is variadic, so one call covers both.
rootProject.name = "kotlin_gradle"
include("project1", "project2")
7 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/maven_repos/has_parent_pom/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 | 4.0.0
8 |
9 | com.mock_repos.has_parent_pom
10 | parent
11 |
12 | 0.1
13 | pom
14 |
15 |
16 | sub_module_1
17 | sub_module_2
18 |
19 |
20 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/maven_repos/has_parent_pom/sub_module_1/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 | 4.0.0
8 |
9 | com.mock_repos.has_parent_pom
10 | sub_module_1
11 |
12 | 0.1
13 |
14 |
15 | com.mock_repos.has_parent_pom
16 | parent
17 | 0.1
18 | ../
19 |
20 |
21 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/maven_repos/has_parent_pom/sub_module_2/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 | 4.0.0
8 |
9 | com.mock_repos.has_parent_pom
10 | sub_module_2
11 |
12 | 0.1
13 |
14 |
15 | com.mock_repos.has_parent_pom
16 | parent
17 | 0.1
18 | ../
19 |
20 |
21 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/maven_repos/no_parent_pom/sub_module_1/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 | 4.0.0
8 |
9 | com.mock_repos.no_parent_pom
10 | sub_module_1
11 |
12 | 0.1
13 |
14 |
15 | com.mock_repos.no_parent_pom
16 | parent
17 | 0.1
18 | ../
19 |
20 |
21 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/maven_repos/no_parent_pom/sub_module_2/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 | 4.0.0
8 |
9 | com.mock_repos.no_parent_pom
10 | sub_module_2
11 |
12 | 0.1
13 |
14 |
15 | com.mock_repos.no_parent_pom
16 | parent
17 | 0.1
18 | ../
19 |
20 |
21 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/npm_repos/nested_package/project/package.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/tests/slsa_analyzer/build_tool/mock_repos/npm_repos/nested_package/project/package.json
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/npm_repos/no_package/dummyfile.txt:
--------------------------------------------------------------------------------
1 | Hello
2 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/npm_repos/root_package/package.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/tests/slsa_analyzer/build_tool/mock_repos/npm_repos/root_package/package.json
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/npm_repos/root_package_packagelock/package-lock.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/tests/slsa_analyzer/build_tool/mock_repos/npm_repos/root_package_packagelock/package-lock.json
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/npm_repos/root_package_packagelock/package.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/tests/slsa_analyzer/build_tool/mock_repos/npm_repos/root_package_packagelock/package.json
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/poetry_repos/has_poetry_lock/poetry.lock:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/tests/slsa_analyzer/build_tool/mock_repos/poetry_repos/has_poetry_lock/poetry.lock
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/poetry_repos/has_poetry_lock/pyproject.toml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/poetry_repos/no_poetry/pyproject.toml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/poetry_repos/no_poetry_lock/pyproject.toml:
--------------------------------------------------------------------------------
# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Minimal Poetry project table: only a name and a placeholder version, no dependencies or
# build-system section. The directory name (`no_poetry_lock`) suggests this fixture covers
# a pyproject.toml that declares Poetry without a poetry.lock beside it — confirm against
# the build-tool tests that load it.
[tool.poetry]
name = "repo"
version = "0.0.0"
7 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/yarn_repos/nested_package/project/package.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/tests/slsa_analyzer/build_tool/mock_repos/yarn_repos/nested_package/project/package.json
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/yarn_repos/no_package/dummyfile.txt:
--------------------------------------------------------------------------------
1 | Hello
2 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/yarn_repos/root_package/package.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/tests/slsa_analyzer/build_tool/mock_repos/yarn_repos/root_package/package.json
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/yarn_repos/root_package_packagelock/package-lock.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/tests/slsa_analyzer/build_tool/mock_repos/yarn_repos/root_package_packagelock/package-lock.json
--------------------------------------------------------------------------------
/tests/slsa_analyzer/build_tool/mock_repos/yarn_repos/root_package_packagelock/package.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/tests/slsa_analyzer/build_tool/mock_repos/yarn_repos/root_package_packagelock/package.json
--------------------------------------------------------------------------------
/tests/slsa_analyzer/checks/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/checks/resources/build_as_code/travis_ci_no_deploy/.travis.yml:
--------------------------------------------------------------------------------
# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# References: https://github.com/java-json-tools/json-patch/blob/55b27b96045baa4ef356b2b183304551f64a18e4/.travis.yml

# Travis CI fixture whose only build step is `./gradlew check`, a verification task that publishes
# nothing. Presumably the negative case for the build-as-code check (directory name
# `travis_ci_no_deploy`): the script line below must not be classified as a deploy command.
language: java
jdk:
  - openjdk8
  - openjdk11
install: {}
script:
  # This command should not be treated as a deploy command.
  - ./gradlew check

# Remove Gradle's lock file and plugin-resolution cache before Travis stores ~/.gradle,
# so stale state is not restored into the next build.
before_cache:
  - rm -f $HOME/.gradle/caches/modules-2/modules-2.lock
  - rm -fr $HOME/.gradle/caches/*/plugin-resolution/

cache:
  directories:
    - $HOME/.gradle/caches/
    - $HOME/.gradle/wrapper/
23 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/checks/resources/build_as_code/travis_ci_with_deploy/.travis.yml:
--------------------------------------------------------------------------------
# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# References: https://github.com/java-json-tools/json-patch/blob/55b27b96045baa4ef356b2b183304551f64a18e4/.travis.yml

# Travis CI fixture that contains a publishing step. Presumably the positive case for the
# build-as-code check (directory name `travis_ci_with_deploy`); compare travis_ci_no_deploy.
language: java
jdk:
  - openjdk8
  - openjdk11
install: {}
script:
  # Gradle's `publish` task (from the publishing plugins) uploads artifacts, so this line is a
  # deploy command. NOTE(review): `publish` runs before `check`, so a verification failure cannot
  # stop an upload that has already happened — assumed to be deliberate test input rather than
  # something to reorder, since the fixture is only parsed.
  - ./gradlew publish check

# Remove Gradle's lock file and plugin-resolution cache before Travis stores ~/.gradle,
# so stale state is not restored into the next build.
before_cache:
  - rm -f $HOME/.gradle/caches/modules-2/modules-2.lock
  - rm -fr $HOME/.gradle/caches/*/plugin-resolution/

cache:
  directories:
    - $HOME/.gradle/caches/
    - $HOME/.gradle/wrapper/
22 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/checks/resources/github/workflow_files/pypi_publish.yaml:
--------------------------------------------------------------------------------
# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Fixture: a GitHub Actions workflow that publishes to PyPI through pypa/gh-action-pypi-publish.
# Presumably the positive case for detecting a PyPI publishing step; pypi_publish_blah.yaml is the
# same file with a non-existent action name — confirm against the checks that load these files.
name: Publish to PyPI

on:
  # For manual tests.
  # NOTE(review): workflow_dispatch lets anyone with write access trigger a publication outside the
  # tag-push path. Fine for a fixture; worth restricting in a real release workflow.
  workflow_dispatch:
  push:
    tags:
      - '*' # triggers only if push new tag version, like `0.8.4`.

# Read-only default token; the publish job widens its own permissions below.
permissions: read-all

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      actions: read # For the detection of GitHub Actions environment.
      id-token: write # For signing.
      # NOTE(review): no step visible here uploads release assets, so `contents: write` is unused.
      contents: write # For asset uploads.
    steps:
      # Action pinned to a full commit SHA, so a moved tag upstream cannot change what runs here.
      # NOTE(review): the job already grants `id-token: write`; with trusted publishing configured on
      # PyPI this action authenticates via OIDC and the long-lived `PYPI_TOKEN` secret could be dropped.
      # There is also no checkout or build step, so a real run would have nothing in `dist/` to upload —
      # assumed irrelevant because the fixture is parsed, never executed.
      - uses: pypa/gh-action-pypi-publish@37f50c210e3d2f9450da2cd423303d6a14a6e29f
        with:
          user: __token__
          password: ${{ secrets.PYPI_TOKEN }}
27 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/checks/resources/github/workflow_files/pypi_publish_blah.yaml:
--------------------------------------------------------------------------------
# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Fixture: identical to pypi_publish.yaml except that the step uses a non-existent action
# (`pypa/gh-action-pypi-dont-publish`). The job is still named `publish` and still reads
# `PYPI_TOKEN`, so presumably this is the negative case checking that detection keys on the
# action identifier rather than on job names or secrets — confirm against the loading tests.
name: Don't publish to PyPI

on:
  # For manual tests.
  workflow_dispatch:
  push:
    tags:
      - '*' # triggers only if push new tag version, like `0.8.4`.

permissions: read-all

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      actions: read # For the detection of GitHub Actions environment.
      id-token: write # For signing.
      contents: write # For asset uploads.
    steps:
      # NOTE(review): the SHA is copied from the real pypa/gh-action-pypi-publish pin; it does not
      # belong to any action of this name, which is fine only because the fixture is never run.
      - uses: pypa/gh-action-pypi-dont-publish@37f50c210e3d2f9450da2cd423303d6a14a6e29f
        with:
          user: __token__
          password: ${{ secrets.PYPI_TOKEN }}
27 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/checks/resources/github/workflow_files/slsa_verifier.yaml:
--------------------------------------------------------------------------------
# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Fixture modelled on a slsa-verifier release workflow: one job that calls the SLSA GitHub
# generator's Go builder as a reusable workflow (its file name indicates SLSA level 3 provenance).
name: Verifier releaser

on:
  # For manual tests.
  workflow_dispatch:
  push:
    tags:
      - '*' # triggers only if push new tag version, like `0.8.4`.

permissions: read-all

jobs:
  builder:
    # Permissions handed to the reusable workflow; the callee cannot exceed what is granted here.
    permissions:
      actions: read # For the detection of GitHub Actions environment.
      id-token: write # For signing.
      contents: write # For asset uploads.
    # NOTE(review): the reusable workflow is pinned by tag (`@v1.2.0`), which its owner can move, rather
    # than by commit SHA. The SLSA generator documents tag references as its supported usage, so this is
    # presumably intentional — confirm before copying the pattern to workflows that call other repositories.
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.0
    with:
      go-version: 1.18
      config-file: .github/config-release.yml
      # Per the generator's documentation, builds the builder from source instead of using the released binary.
      compile-builder: true
26 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/checks/resources/osv_files/tj-actions_changed-files_querybatch.json:
--------------------------------------------------------------------------------
1 | {
2 | "results": [
3 | {},
4 | {},
5 | {
6 | "vulns": [
7 | {
8 | "id": "GHSA-mcph-m25j-8j63",
9 | "modified": "2024-01-02T16:41:27Z"
10 | },
11 | {
12 | "id": "GHSA-mrrh-fwg8-r2c3",
13 | "modified": "2025-03-24T14:23:37Z"
14 | }
15 | ]
16 | },
17 | {}
18 | ]
19 | }
20 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/checks/resources/pypi_files/zlibxjson-8.2.source:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/tests/slsa_analyzer/checks/resources/pypi_files/zlibxjson-8.2.source
--------------------------------------------------------------------------------
/tests/slsa_analyzer/checks/test_provenance_available_check.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | """This module tests the provenance available check."""
5 |
6 | from pathlib import Path
7 |
8 | from macaron.slsa_analyzer.checks.check_result import CheckResultType
9 | from macaron.slsa_analyzer.checks.provenance_available_check import ProvenanceAvailableCheck
10 | from tests.conftest import MockAnalyzeContext
11 |
12 |
def test_provenance_available_check_(
    macaron_path: Path,
) -> None:
    """Test provenance available check.

    A bare mock context is expected to make the check fail, presumably because
    it carries no provenance for the check to find.
    """
    context = MockAnalyzeContext(macaron_path=macaron_path, output_dir="")
    outcome = ProvenanceAvailableCheck().run_check(context)
    assert outcome.result_type == CheckResultType.FAILED
21 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/ci_service/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/ci_service/mock_repos/has_build_gh_actions/.github/workflows/build.yml:
--------------------------------------------------------------------------------
# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Fixture: a GitHub Actions workflow with a recognisable Maven build step (`mvn verify`).
# The directory name (`has_build_gh_actions`) suggests it is the positive case for build
# detection — confirm against the CI-service tests that load it.
name: Some build workflow

on: [push, pull_request]

jobs:
  build:
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest, macOS-latest]
      fail-fast: false

    runs-on: ${{ matrix.os }}

    steps:
      # NOTE(review): both actions are pinned to a floating major tag (`@v2`) rather than a commit SHA,
      # so the code they run can change with no change to this file. Acceptable in a parsed-only fixture.
      - uses: actions/checkout@v2
      - uses: actions/setup-java@v2
      - name: Build with Maven
        run: mvn verify
22 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/ci_service/mock_repos/has_build_gh_actions/.github/workflows/deploy.yml:
--------------------------------------------------------------------------------
# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Fixture: a GitHub Actions workflow whose Maven step is `mvn deploy`, i.e. an artifact upload
# rather than a build-only command.
name: Some build workflow

on: [push, pull_request]

jobs:
  build:
    # NOTE(review): `matrix.os` is referenced but this job declares no `strategy.matrix`, so GitHub
    # would reject the workflow at run time. Presumably irrelevant because the fixture is only parsed
    # for its deploy step, but it reads as a copy-and-paste slip from build.yml.
    runs-on: ${{ matrix.os }}

    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-java@v2
      # NOTE(review): this deploy is triggered by `pull_request` as well as `push`, with no permissions
      # block; a real release workflow should gate `mvn deploy` on a release event.
      - name: Deploy with Maven
        run: mvn deploy
17 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/ci_service/mock_repos/has_build_jenkins/Jenkinsfile:
--------------------------------------------------------------------------------
/* Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
// One-line scripted Jenkinsfile: a single `buildPlugin` call for two platforms. NOTE(review):
// `buildPlugin` is presumably the Jenkins shared-library step for building Jenkins plugins; the
// fixture only needs a Jenkinsfile with a recognisable build invocation to exist (directory name
// `has_build_jenkins`) — confirm against the CI-service tests that load it.
buildPlugin(platforms: ['linux', 'windows'])
4 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/ci_service/mock_repos/no_build_gh_actions/.github/workflows/build.yml:
--------------------------------------------------------------------------------
# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Fixture: a workflow whose only command is an opaque script, not a build-tool invocation.
# The directory name (`no_build_gh_actions`) suggests this is the negative case: build detection
# should not match `build.sh` — confirm against the CI-service tests that load it.
name: Some build workflow

on: [push, pull_request]

jobs:
  build:
    # NOTE(review): no `runs-on`, so GitHub would reject this workflow; the fixture is presumably parsed only.
    steps:
      - uses: actions/checkout@v2
      # Step name mentions Maven but the command is a shell script, so a detector keying on step names
      # rather than commands would be misled here.
      - name: Build with Maven
        run: build.sh
14 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/ci_service/mock_repos/no_build_gh_actions/.github/workflows/deploy.yml:
--------------------------------------------------------------------------------
# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Fixture: a caller workflow with no build command of its own; the work is delegated to a
# reusable workflow in a placeholder repository (`org/repo`), which cannot be resolved.
name: Verify

on: push

jobs:
  build:
    name: Verify
    # Pinned by a floating tag (`@v1`); in a real workflow a commit SHA is the safer reference.
    uses: org/repo/.github/workflows/build-workflow.yml@v1
12 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/ci_service/resources/base_ci_service/files_with_kws/a.txt:
--------------------------------------------------------------------------------
1 | boo
2 | build_keyword1
3 | build_keyword2
4 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/ci_service/resources/base_ci_service/files_with_kws/b.txt:
--------------------------------------------------------------------------------
1 | foo
2 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/ci_service/resources/base_ci_service/files_with_no_kws/a.txt:
--------------------------------------------------------------------------------
1 | boo
2 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/ci_service/resources/base_ci_service/files_with_no_kws/b.txt:
--------------------------------------------------------------------------------
1 | foo
2 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/ci_service/resources/github/valid1.yaml:
--------------------------------------------------------------------------------
# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

# Fixture: a syntactically valid caller workflow (file name `valid1`) that delegates the whole
# job to Apache Maven's shared verify workflow.
name: Verify

on:
  push:
  pull_request:

jobs:
  build:
    name: Verify
    # Reusable workflow pinned by floating tag (`@v2`), so the called workflow can change with
    # no change here; a commit SHA would be the stricter pin.
    uses: apache/maven-gh-actions-shared/.github/workflows/maven-verify.yml@v2
14 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/git_service/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/git_service/resources/self_hosted_gitlab_repo/test.txt:
--------------------------------------------------------------------------------
1 | This is a test file.
2 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/package_registry/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/package_registry/resources/maven_central_files/empty_log4j-core@3.0.0-beta2-select.json:
--------------------------------------------------------------------------------
1 | {}
2 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/package_registry/resources/maven_central_files/invalid_log4j-core@3.0.0-beta2-select.json:
--------------------------------------------------------------------------------
1 | {"responseHeader":{"status":0,"QTime":4,"params":{"q":"g:org.apache.logging.log4j AND a:log4j-core AND v:3.0.0-beta2","core":"gav","indent":"off","fl":"id,g,a,v,p,ec,timestamp,tags","start":"","sort":"score desc,timestamp desc,g asc,a asc,v desc","rows":"1","wt":"json","version":"2.2"}},"response":{"numFound":1,"start":0,"docs":[]}}
2 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/package_registry/resources/maven_central_files/jackson-annotations@2.16.1-select.json:
--------------------------------------------------------------------------------
1 | {"responseHeader":{"status":0,"QTime":2,"params":{"q":"g:com.fasterxml.jackson.core AND a:jackson-annotations AND v:2.16.1","core":"gav","indent":"off","fl":"id,g,a,v,p,ec,timestamp,tags","start":"","sort":"score desc,timestamp desc,g asc,a asc,v desc","rows":"1","wt":"json","version":"2.2"}},"response":{"numFound":1,"start":0,"docs":[{"id":"com.fasterxml.jackson.core:jackson-annotations:2.16.1","g":"com.fasterxml.jackson.core","a":"jackson-annotations","v":"2.16.1","p":"jar","timestamp":1703390559843,"ec":["-sources.jar",".module",".pom","-javadoc.jar",".jar"],"tags":["core","types","jackson","package","data","annotations","binding","used","value"]}]}}
2 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/package_registry/resources/maven_central_files/log4j-core@3.0.0-beta2-select.json:
--------------------------------------------------------------------------------
1 | {"responseHeader":{"status":0,"QTime":4,"params":{"q":"g:org.apache.logging.log4j AND a:log4j-core AND v:3.0.0-beta2","core":"gav","indent":"off","fl":"id,g,a,v,p,ec,timestamp,tags","start":"","sort":"score desc,timestamp desc,g asc,a asc,v desc","rows":"1","wt":"json","version":"2.2"}},"response":{"numFound":1,"start":0,"docs":[{"id":"org.apache.logging.log4j:log4j-core:3.0.0-beta2","g":"org.apache.logging.log4j","a":"log4j-core","v":"3.0.0-beta2","p":"jar","timestamp":1708195809000,"ec":["-sources.jar","-cyclonedx.xml",".pom",".jar"],"tags":["apache","implementation","log4j"]}]}}
2 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/package_registry/resources/npm_registry_files/empty_sigstore.mock@0.7.5.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/tests/slsa_analyzer/package_registry/resources/npm_registry_files/empty_sigstore.mock@0.7.5.json
--------------------------------------------------------------------------------
/tests/slsa_analyzer/provenance/expectations/cue/resources/invalid_expectations/invalid.cue:
--------------------------------------------------------------------------------
1 | INVALID
2 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/provenance/expectations/cue/resources/invalid_expectations/urllib3_INVALID.cue:
--------------------------------------------------------------------------------
// Expectation fixture kept under `invalid_expectations`. Unlike the valid urllib3 fixtures it has
// no `target` field — presumably what makes it invalid to the expectation loader; confirm in the
// CUE expectation tests.
{
    predicate: {
        invocation: {
            configSource: {
                // `=~` is CUE's regular-expression constraint. NOTE(review): the `.` separators in the
                // version part are unescaped, so each matches any character, not only a dot.
                uri: =~"^git\\+https://github.com/urllib3/urllib3@refs/tags/[0-9]+.[0-9]+.[0-9a-z]+$"
                entryPoint: ".github/workflows/publish.yml"
            }
        }
    }
}
11 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/provenance/expectations/cue/resources/valid_expectations/slsa_verifier_FAIL.cue:
--------------------------------------------------------------------------------
// Expectation fixture expected to FAIL (file name): the `target` names the real
// slsa-framework/slsa-verifier package, but the required source URI points at a
// different repository owner (`fail/slsa-verifier`), so a genuine provenance for the
// target should not satisfy the `uri` constraint.
{
    target: "pkg:github.com/slsa-framework/slsa-verifier",
    predicate: {
        invocation: {
            configSource: {
                // `=~` is CUE's regular-expression constraint. NOTE(review): the `.` separators in the
                // version part are unescaped, so each matches any character, not only a dot.
                uri: =~"^git\\+https://github.com/fail/slsa-verifier@refs/tags/v[0-9]+.[0-9]+.[0-9a-z]+$"
                entryPoint: ".github/workflows/release.yml"
            }
        }
    }
}
12 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/provenance/expectations/cue/resources/valid_expectations/slsa_verifier_PASS.cue:
--------------------------------------------------------------------------------
// Expectation fixture expected to PASS (file name): the provenance for slsa-verifier must
// have been built from a `v<major>.<minor>.<patch>` tag of slsa-framework/slsa-verifier by
// the repository's release.yml workflow.
{
    target: "pkg:github.com/slsa-framework/slsa-verifier",
    predicate: {
        invocation: {
            configSource: {
                // `=~` is CUE's regular-expression constraint. NOTE(review): the `.` separators in the
                // version part are unescaped, so each matches any character, not only a dot; tighten
                // with `\\.` if this pattern is ever reused outside the test suite.
                uri: =~"^git\\+https://github.com/slsa-framework/slsa-verifier@refs/tags/v[0-9]+.[0-9]+.[0-9a-z]+$"
                entryPoint: ".github/workflows/release.yml"
            }
        }
    }
}
12 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/provenance/expectations/cue/resources/valid_expectations/urllib3_FAIL.cue:
--------------------------------------------------------------------------------
// Expectation fixture expected to FAIL (file name): `target` is empty and the required
// entry point (`invalid.yml`) differs from the `publish.yml` used by the PASS fixture, so a
// genuine urllib3 provenance should not satisfy this expectation. Which of the two causes
// the failure in the tests is not visible here — confirm against the CUE expectation tests.
{
    target: "",
    predicate: {
        invocation: {
            configSource: {
                // `=~` is CUE's regular-expression constraint. NOTE(review): the `.` separators in the
                // version part are unescaped, so each matches any character, not only a dot.
                uri: =~"^git\\+https://github.com/urllib3/urllib3@refs/tags/[0-9]+.[0-9]+.[0-9a-z]+$"
                entryPoint: ".github/workflows/invalid.yml"
            }
        }
    }
}
12 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/provenance/expectations/cue/resources/valid_expectations/urllib3_PASS.cue:
--------------------------------------------------------------------------------
// Expectation fixture expected to PASS (file name): the provenance for urllib3 must have been
// built from a version tag of urllib3/urllib3 (optional `v` prefix, unlike the other urllib3
// fixtures) by the repository's publish.yml workflow.
{
    target: "pkg:github.com/urllib3/urllib3",
    predicate: {
        invocation: {
            configSource: {
                // `=~` is CUE's regular-expression constraint. NOTE(review): the `.` separators in the
                // version part are unescaped, so each matches any character, not only a dot; tighten
                // with `\\.` if this pattern is ever reused outside the test suite.
                uri: =~"^git\\+https://github.com/urllib3/urllib3@refs/tags/v?[0-9]+.[0-9]+.[0-9a-z]+$"
                entryPoint: ".github/workflows/publish.yml"
            }
        }
    }
}
12 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/provenance/intoto/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/provenance/intoto/v01/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/provenance/intoto/v1/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/provenance/resources/micronaut.intoto.jsonl:
--------------------------------------------------------------------------------
1 | {"payload":"ewogICJfdHlwZSI6ICJodHRwczovL2luLXRvdG8uaW8vU3RhdGVtZW50L3YwLjEiLAogICJzdWJqZWN0IjogWwogICAgewogICAgICAibmFtZSI6ICJtaWNyb25hdXQiLAogICAgICAiZGlnZXN0IjogeyAKICAgICAgICAic2hhMjU2IjoiYmY5NjY0ODE2OWJhODljMjg0YjNlOTQxMDgwNzRjN2Q1ZTU4MDZjN2I5NDk4MDMxYWNlZGVkNWNhMTM5ZWQ2OSIKICAgICAgfQogICAgfQogIF0sCiAgInByZWRpY2F0ZVR5cGUiOiAiaHR0cHM6Ly93aXRuZXNzLnRlc3RpZnlzZWMuY29tL2F0dGVzdGF0aW9uLWNvbGxlY3Rpb24vdjAuMSIsCiAgInByZWRpY2F0ZSI6IHsKICAgICJuYW1lIjogIm1pY3JvIiwKICAgICJhdHRlc3RhdGlvbnMiOiBbXQogIH0KfQo=","payloadType":"application/vnd.in-toto+json","signatures":[{"keyid":"1","sig":"2"}]}
2 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/provenance/resources/valid_provenances/slsa-verifier-linux-amd64.intoto.jsonl.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracle/macaron/06fd636c4a5f993362b0f7789c56003dc4f803e8/tests/slsa_analyzer/provenance/resources/valid_provenances/slsa-verifier-linux-amd64.intoto.jsonl.gz
--------------------------------------------------------------------------------
/tests/slsa_analyzer/provenance/resources/valid_provenances/slsa-verifier-linux-amd64.intoto.jsonl.url:
--------------------------------------------------------------------------------
1 | [InternetShortcut]
2 | URL=https://github.com/slsa-framework/slsa-verifier/releases/download/v2.5.1/slsa-verifier-linux-amd64.intoto.jsonl
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/runner/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------
/tests/slsa_analyzer/test_slsa_requirements.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
4 | """
5 | This module tests the slsa_analyzer.requirement module
6 | """
7 |
8 | from macaron.slsa_analyzer.slsa_req import SLSAReqStatus
9 |
10 |
11 | def test_slsa_requirements_status() -> None:
12 |     """Check that SLSAReqStatus starts unaddressed and mirrors set_status()."""
13 |     status = SLSAReqStatus()
14 |     # A fresh status is neither addressed nor passed and carries no feedback.
15 |     assert status.get_tuple() == (False, False, "")
16 | 
17 |     note = "This repo passes this requirement"
18 |     status.set_status(True, note)
19 |     # After a passing update, the individual accessors and the tuple view
20 |     # must agree with each other.
21 |     assert status.is_addressed and status.is_pass
22 |     assert status.feedback == note
23 |     assert status.get_tuple() == (True, True, note)
24 |
--------------------------------------------------------------------------------
/tests/vsa/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3 |
--------------------------------------------------------------------------------