chore: use maven hashes as reference only; add pypi integration test

Signed-off-by: Ben Selwyn-Smith <[email protected]>

Author: benmss

src/macaron/slsa_analyzer/package_registry/maven_central_registry.py

@@ -282,15 +282,16 @@ def get_artifact_hash(self, purl: PackageURL, hash_algorithm: Any) -> str | None
         if not file_name:
             return None
 
-        # Maven supports but does not require a sha256 hash of uploaded artifacts. Check that first.
+        # Maven supports but does not require a sha256 hash of uploaded artifacts.
         artifact_url = self.registry_url + "/" + artifact_path + "/" + file_name
         sha256_url = artifact_url + ".sha256"
         logger.debug("Search for artifact hash using URL: %s", [sha256_url, artifact_url])
 
         response = send_get_http_raw(sha256_url, {})
-        if response and response.text:
-            logger.debug("Found hash of artifact: %s", response.text)
-            return response.text
+        sha256_hash = None
+        if response and (sha256_hash := response.text):
+            # As Maven hashes are user provided and not verified they serve as a reference only.
+            logger.debug("Found hash of artifact: %s", sha256_hash)
 
         try:
             response = requests.get(artifact_url, stream=True, timeout=40)
@@ -313,5 +314,9 @@ def get_artifact_hash(self, purl: PackageURL, hash_algorithm: Any) -> str | None
             return None
 
         artifact_hash: str = hash_algorithm.hexdigest()
+        if sha256_hash and artifact_hash != sha256_hash:
+            logger.debug("Artifact hash and discovered hash do not match: %s != %s", artifact_hash, sha256_hash)
+            return None
+
         logger.debug("Computed hash of artifact: %s", artifact_hash)
         return artifact_hash

tests/integration/cases/github_pypi_attestation/policy.dl

@@ -0,0 +1,10 @@
+/* Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved. */
+/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
+
+#include "prelude.dl"
+
+Policy("test_policy", component_id, "") :-
+    check_passed(component_id, "mcn_provenance_available_1").
+
+apply_policy_to("test_policy", component_id) :-
+    is_component(component_id, "pkg:pypi/[email protected]").

tests/integration/cases/github_pypi_attestation/test.yaml

@@ -0,0 +1,20 @@
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+description: |
+  Discovering attestation of a PyPI artifact on GitHub
+
+tags:
+- macaron-python-package
+
+steps:
+- name: Run macaron analyze
+  kind: analyze
+  options:
+    command_args:
+    - -purl
+    - pkg:pypi/[email protected]
+- name: Run macaron verify-policy to verify passed/failed checks
+  kind: verify
+  options:
+    policy: policy.dl