From acfb75baf26445205a52d7724dbe8037935be38d Mon Sep 17 00:00:00 2001 From: behnazh-w Date: Thu, 24 Oct 2024 09:21:15 +1000 Subject: [PATCH] feat: add a new check to validate npm provenance and extract facts for policy engine Signed-off-by: behnazh-w --- src/macaron/database/table_definitions.py | 191 +++++++++++++++++- .../policy_engine/prelude/intoto_policies.dl | 90 +++++++++ src/macaron/policy_engine/prelude/prelude.dl | 3 +- .../policies/generic/npm_attestation.dl | 53 +++++ .../checks/analyze_npm_attestation_check.py | 156 ++++++++++++++ .../checks/provenance_l3_check.py | 7 +- .../resources/facts/macaron.db.gz | Bin 11522 -> 13765 bytes tests/policy_engine/test_policy.py | 6 +- 8 files changed, 491 insertions(+), 15 deletions(-) create mode 100644 src/macaron/policy_engine/prelude/intoto_policies.dl create mode 100644 src/macaron/resources/policies/generic/npm_attestation.dl create mode 100644 src/macaron/slsa_analyzer/checks/analyze_npm_attestation_check.py diff --git a/src/macaron/database/table_definitions.py b/src/macaron/database/table_definitions.py index 61c90da2e..5f0e5593d 100644 --- a/src/macaron/database/table_definitions.py +++ b/src/macaron/database/table_definitions.py @@ -34,7 +34,7 @@ from macaron.artifact.maven import MavenSubjectPURLMatcher from macaron.database.database_manager import ORMBase -from macaron.database.db_custom_types import RFC3339DateTime +from macaron.database.db_custom_types import DBJsonDict, RFC3339DateTime from macaron.errors import InvalidPURLError from macaron.slsa_analyzer.provenance.intoto import InTotoPayload, ProvenanceSubjectPURLMatcher from macaron.slsa_analyzer.slsa_req import ReqName @@ -161,7 +161,7 @@ class Component(PackageURLMixin, ORMBase): checkfacts: Mapped[list["CheckFacts"]] = relationship(back_populates="component", lazy="immediate") #: The one-to-many relationship with provenances. - provenance: Mapped[list["Provenance"]] = relationship(back_populates="component", lazy="immediate") + provenance: Mapped[list["ProvenanceFacts"]] = relationship(back_populates="component", lazy="immediate") #: The bidirectional many-to-many relationship for component dependencies. dependencies: Mapped[list["Component"]] = relationship( @@ -464,7 +464,7 @@ class CheckFacts(ORMBase): } -class Provenance(ORMBase): +class ProvenanceFacts(ORMBase): """ORM class for a provenance document.""" __tablename__ = "_provenance" @@ -479,7 +479,7 @@ class Provenance(ORMBase): component: Mapped["Component"] = relationship(back_populates="provenance") #: The SLSA version. - version: Mapped[str] = mapped_column(String, nullable=False) + version: Mapped[str] = mapped_column(String, nullable=True) #: The release tag commit sha. release_commit_sha: Mapped[str] = mapped_column(String, nullable=True) @@ -488,12 +488,189 @@ class Provenance(ORMBase): release_tag: Mapped[str] = mapped_column(String, nullable=True) #: The provenance payload content in JSON format. - provenance_json: Mapped[str] = mapped_column(String, nullable=False) + provenance_json: Mapped[dict] = mapped_column(DBJsonDict, nullable=False) + + #: The provenance statement. + statement: Mapped["Statement"] = relationship(back_populates="provenance") #: A one-to-many relationship with the release artifacts. artifact: Mapped[list["ReleaseArtifact"]] = relationship(back_populates="provenance") +class Statement(ORMBase): + """The ORM class for provenance statement.""" + + __tablename__ = "_statement" + + #: The primary key. + id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True) # noqa: A003 + + #: The foreign key to the software component. + provenance_id: Mapped[int] = mapped_column(Integer, ForeignKey(ProvenanceFacts.id), nullable=False) + + #: A one-to-one relationship with software components. + provenance: Mapped["ProvenanceFacts"] = relationship(back_populates="statement") + + #: Statement type. + _type: Mapped[str] = mapped_column(String, nullable=False) + + #: Predicate Type. + predicate_type: Mapped[str] = mapped_column(String, nullable=False) + + #: Provenance Subjects. + subject: Mapped[list["ProvenanceSubjectRaw"]] = relationship(back_populates="statement") + + #: Provenance predicate. + predicate: Mapped["Predicate"] = relationship(back_populates="statement") + + +class ProvenanceSubjectRaw(ORMBase): + """The ORM class for the provenance subject containing all the information.""" + + __tablename__ = "_subject" + + #: The primary key. + id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True) # noqa: A003 + + #: The foreign key to the software component. + statement_id: Mapped[int] = mapped_column(Integer, ForeignKey(Statement.id), nullable=False) + + #: A one-to-one relationship with provenance statement. + statement: Mapped["Statement"] = relationship(back_populates="subject") + + #: Subject name. + name: Mapped[str] = mapped_column(String, nullable=False) + + #: Subject digests. + digest: Mapped["SubjectDigest"] = relationship(back_populates="subject") + + +class SubjectDigest(ORMBase): + """The ORM class for the provenance subject digest.""" + + __tablename__ = "_subject_digest" + + #: The primary key. + id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True) # noqa: A003 + + #: The foreign key to the provenance subject. + subject_id: Mapped[int] = mapped_column(Integer, ForeignKey(ProvenanceSubjectRaw.id), nullable=False) + + #: A one-to-one relationship with provenance subject. + subject: Mapped["ProvenanceSubjectRaw"] = relationship(back_populates="digest") + + #: Digest. + sha512: Mapped[str] = mapped_column(String, nullable=False) + + +class Predicate(ORMBase): + """The ORM class for provenance predicate.""" + + __tablename__ = "_predicate" + + #: The primary key. + id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True) # noqa: A003 + + #: The foreign key to the software component. + statement_id: Mapped[int] = mapped_column(Integer, ForeignKey(Statement.id), nullable=False) + + #: A one-to-one relationship with provenance statement. + statement: Mapped["Statement"] = relationship(back_populates="predicate") + + #: Build definition. + build_definition: Mapped["BuildDefinition"] = relationship(back_populates="predicate") + + +class BuildDefinition(ORMBase): + """The ORM class for provenance predicate build definition.""" + + __tablename__ = "_build_definition" + + #: The primary key. + id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True) # noqa: A003 + + #: The foreign key to the software component. + predicate_id: Mapped[int] = mapped_column(Integer, ForeignKey(Predicate.id), nullable=False) + + #: A one-to-one relationship with provenance predicate. + predicate: Mapped["Predicate"] = relationship(back_populates="build_definition") + + #: Build type. + build_type: Mapped[str] = mapped_column(String, nullable=False) + + #: External parameters in build definitions. + external_parameters: Mapped["ExternalParameters"] = relationship(back_populates="build_definition") + + #: Internal parameters in build definitions. + internal_parameters: Mapped["InternalParameters"] = relationship(back_populates="build_definition") + + +class ExternalParameters(ORMBase): + """The ORM class for provenance predicate build definition external parameters.""" + + __tablename__ = "_external_parameters" + + #: The primary key. + id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True) # noqa: A003 + + #: The foreign key to the software component. + build_definition_id: Mapped[int] = mapped_column(Integer, ForeignKey(BuildDefinition.id), nullable=False) + + #: A one-to-one relationship with build definition. + build_definition: Mapped["BuildDefinition"] = relationship(back_populates="external_parameters") + + #: External parameters in build definitions. + workflow: Mapped["Workflow"] = relationship(back_populates="external_parameters") + + +class Workflow(ORMBase): + """The ORM class for provenance predicate build definition external parameters workflows.""" + + __tablename__ = "_workflow" + + #: The primary key. + id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True) # noqa: A003 + + #: The foreign key to the software component. + external_parameters_id: Mapped[int] = mapped_column(Integer, ForeignKey(ExternalParameters.id), nullable=False) + + #: A one-to-one relationship with external_parameters. + external_parameters: Mapped["ExternalParameters"] = relationship(back_populates="workflow") + + #: Workflow reference. + ref: Mapped[str] = mapped_column(String, nullable=False) + + #: Workflow repository. + repository: Mapped[str] = mapped_column(String, nullable=False) + + #: Workflow path. + path: Mapped[str] = mapped_column(String, nullable=False) + + +class InternalParameters(ORMBase): + """The ORM class for provenance predicate build definition internal parameters.""" + + __tablename__ = "_internal_parameters" + + #: The primary key. + id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True) # noqa: A003 + + #: The foreign key to the software component. + build_definition_id: Mapped[int] = mapped_column(Integer, ForeignKey(BuildDefinition.id), nullable=False) + + #: A one-to-one relationship with build definition. + build_definition: Mapped["BuildDefinition"] = relationship(back_populates="internal_parameters") + + #: The GitHub event that triggered the publish. + github_event_name: Mapped[str] = mapped_column(String, nullable=False) + + #: The GitHub repository ID that triggered the publish. + github_repository_id: Mapped[str] = mapped_column(String, nullable=False) + + #: The GitHub repository owner ID that triggered the publish. + github_repository_owner_id: Mapped[str] = mapped_column(String, nullable=False) + + class ReleaseArtifact(ORMBase): """The ORM class for release artifacts.""" @@ -509,10 +686,10 @@ class ReleaseArtifact(ORMBase): slsa_verified: Mapped[bool] = mapped_column(Boolean, nullable=True) #: The foreign key to the SLSA provenance. - provenance_id: Mapped[int] = mapped_column(Integer, ForeignKey(Provenance.id), nullable=True) + provenance_id: Mapped[int] = mapped_column(Integer, ForeignKey(ProvenanceFacts.id), nullable=True) #: A many-to-one relationship with the SLSA provenance. - provenance: Mapped["Provenance"] = relationship(back_populates="artifact") + provenance: Mapped["ProvenanceFacts"] = relationship(back_populates="artifact") #: The one-to-many relationship with the hash digests for this artifact. digests: Mapped[list["HashDigest"]] = relationship(back_populates="artifact") diff --git a/src/macaron/policy_engine/prelude/intoto_policies.dl b/src/macaron/policy_engine/prelude/intoto_policies.dl new file mode 100644 index 000000000..0b4864d3a --- /dev/null +++ b/src/macaron/policy_engine/prelude/intoto_policies.dl @@ -0,0 +1,90 @@ +/* Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved. */ +/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */ + +/* Souffle datalog rules to assist in authoring in-toto policies.*/ + +/** + * This relation provides the external parameters of a SLSA v1 provenance generated by npm. + The external parameters include details of the triggering hosted build service workflow. + + Here is the related section of an example predicate we process in this relation: + "externalParameters": { + "workflow": { + "ref": "refs/heads/main", + "repository": "https://github.com/npm/node-semver", + "path": ".github/workflows/release.yml" + } + }, + + Parameters: + component_id: number + The target software component id. + purl: symbol + The Package URL identifier for the provenance subject. + ref: symbol + The Git reference. + repository: symbol + The repository URL. + path: symbol + The GitHub Actions workflow path. + + */ +.decl slsa_v1_npm_external_parameters(component_id: number, purl: symbol, ref: symbol, repository: symbol, path: symbol) + +slsa_v1_npm_external_parameters(component_id, purl, ref, repository, path):- + provenance(prov_id, component_id, _, _, _, _), + statement(stmt_id, prov_id, "https://in-toto.io/Statement/v1", "https://slsa.dev/provenance/v1"), + subject(sub_id, stmt_id, purl), + predicate(pred_id, stmt_id), + build_definition(build_id, pred_id, _), + external_parameters(external_params_id, build_id), + workflow(_, external_params_id, ref, repository, path). + +/** + * This relation provides the external parameters of a SLSA v1 provenance generated by npm. + The external parameters include details of the triggering hosted build service workflow. + + Here is the related section of an example predicate we process in this relation: + "internalParameters": { + "github": { + "event_name": "push", + "repository_id": "1357199", + "repository_owner_id": "6078720" + } + }, + + + Parameters: + component_id: number + The target software component id. + purl: symbol + The Package URL identifier for the provenance subject. + github_event_name: symbol + TODO + github_repository_id: symbol + TODO + github_repository_owner_id: symbol + TODO + + */ +.decl slsa_v1_npm_internal_parameters( + component_id: number, + purl: symbol, + github_event_name: symbol, + github_repository_id: symbol, + github_repository_owner_id: symbol +) + +slsa_v1_npm_internal_parameters( + component_id, + purl, + github_event_name, + github_repository_id, + github_repository_owner_id +):- + provenance(prov_id, component_id, _, _, _, _), + statement(stmt_id, prov_id, "https://in-toto.io/Statement/v1", "https://slsa.dev/provenance/v1"), + subject(sub_id, stmt_id, purl), + predicate(pred_id, stmt_id), + build_definition(build_id, pred_id, _), + internal_parameters(_, build_id, github_event_name, github_repository_id, github_repository_owner_id). diff --git a/src/macaron/policy_engine/prelude/prelude.dl b/src/macaron/policy_engine/prelude/prelude.dl index aa5e0d464..7f71057d6 100644 --- a/src/macaron/policy_engine/prelude/prelude.dl +++ b/src/macaron/policy_engine/prelude/prelude.dl @@ -1,4 +1,4 @@ -/* Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. */ +/* Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved. */ /* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */ /** @@ -13,6 +13,7 @@ #include "helper_rules.dl" #include "policy.dl" #include "aggregate_rules.dl" +#include "intoto_policies.dl" /* The fact import statements generated by the policy engine */ #include "import_data.dl" diff --git a/src/macaron/resources/policies/generic/npm_attestation.dl b/src/macaron/resources/policies/generic/npm_attestation.dl new file mode 100644 index 000000000..fb54fba30 --- /dev/null +++ b/src/macaron/resources/policies/generic/npm_attestation.dl @@ -0,0 +1,53 @@ +/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */ +/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */ + +#include "prelude.dl" + +Policy("test_policy", component_id, "") :- + // Checks if the npm attestation has been successfully processed. + check_passed(component_id, "mcn_npm_attestation_validation_1"), + // This relation provides the external parameters of a SLSA v1 provenance generated by npm. + slsa_v1_npm_external_parameters(component_id, purl, ref, repository, path), + // This relation provides the internal parameters of a SLSA v1 provenance generated by npm. + slsa_v1_npm_internal_parameters(component_id, purl, event_name, repository_id, repository_owner_id), + // This match constraint makes sure the subjects we are interested in exist in the provenance. + match("pkg:npm/semver@.*", purl), + // Here we can add constraints that we are interested in. + approved_refs(ref), + approved_repository_owner_ids(repository_owner_id), + repository = "https://github.com/npm/node-semver", + path = ".github/workflows/release.yml". + +Policy("test_policy", component_id, "") :- + // Checks if the npm attestation has been successfully processed. + check_passed(component_id, "mcn_npm_attestation_validation_1"), + // Checks if the repository URL in the provenance matches the repository metadata on deps.dev. + check_passed(component_id, "mcn_provenance_derived_repo_1"), + // Checks if the commit hash in the provenance matches the release tag. + check_passed(component_id, "mcn_provenance_derived_commit_1"), + // This relation provides the external parameters of a SLSA v1 provenance generated by npm. + slsa_v1_npm_external_parameters(component_id, purl, ref, repository, path), + // This relation provides the internal parameters of a SLSA v1 provenance generated by npm. + slsa_v1_npm_internal_parameters(component_id, purl, event_name, repository_id, repository_owner_id), + // This match constraint makes sure the subjects we are interested in exist in the provenance. + match("pkg:npm/semver@.*", purl), + // Here we can add constraints that we are interested in. + approved_refs(ref), + approved_repository_owner_ids(repository_owner_id), + path = ".github/workflows/release.yml". + +// Create a relation containing the approved Git branches for publishing the artifact. +.decl approved_refs(name: symbol) + approved_refs("refs/heads/main"). + approved_refs("refs/heads/master"). + approved_refs("refs/heads/release"). + +// Create a relation containing the approved repository owner IDs for publishing the artifact. +.decl approved_repository_owner_ids(name: symbol) + approved_repository_owner_ids("6078720"). + approved_repository_owner_ids("71096353"). + +// Apply the policy to the desired software components. +apply_policy_to("test_policy", component_id) :- + is_component(component_id, purl), + match("pkg:npm/semver@.*", purl). diff --git a/src/macaron/slsa_analyzer/checks/analyze_npm_attestation_check.py b/src/macaron/slsa_analyzer/checks/analyze_npm_attestation_check.py new file mode 100644 index 000000000..114c320da --- /dev/null +++ b/src/macaron/slsa_analyzer/checks/analyze_npm_attestation_check.py @@ -0,0 +1,156 @@ +# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. + +"""This module contains the implementation of the VCS check.""" + + +import logging + +from sqlalchemy import ForeignKey +from sqlalchemy.orm import Mapped, mapped_column + +from macaron.database.table_definitions import ( + BuildDefinition, + CheckFacts, + ExternalParameters, + InternalParameters, + Predicate, + ProvenanceFacts, + ProvenanceSubjectRaw, + Statement, + SubjectDigest, + Workflow, +) +from macaron.json_tools import json_extract +from macaron.slsa_analyzer.analyze_context import AnalyzeContext +from macaron.slsa_analyzer.checks.base_check import BaseCheck, CheckResultType +from macaron.slsa_analyzer.checks.check_result import CheckResultData, Confidence +from macaron.slsa_analyzer.registry import registry +from macaron.slsa_analyzer.slsa_req import ReqName + +logger: logging.Logger = logging.getLogger(__name__) + + +class NPMAttestationFacts(CheckFacts): + """The ORM mapping for justifications in the npm attestation analysis check.""" + + __tablename__ = "_npm_attestation_check" + + #: The primary key. + id: Mapped[int] = mapped_column(ForeignKey("_check_facts.id"), primary_key=True) # noqa: A003 + + __mapper_args__ = { + "polymorphic_identity": "_npm_attestation_check", + } + + +class NPMAttestationCheck(BaseCheck): + """This Check extracts attestation fields to be used by the policy engine.""" + + def __init__(self) -> None: + """Initialize instance.""" + check_id = "mcn_npm_attestation_validation_1" + description = "Extract attestation fields to be used by the policy engine." + depends_on: list[tuple[str, CheckResultType]] = [] + eval_reqs = [ReqName.PROV_AVAILABLE] + super().__init__(check_id=check_id, description=description, depends_on=depends_on, eval_reqs=eval_reqs) + + def run_check(self, ctx: AnalyzeContext) -> CheckResultData: + """Implement the check in this method. + + Parameters + ---------- + ctx : AnalyzeContext + The object containing processed data for the target repo. + + Returns + ------- + CheckResultData + The result of the check. + """ + payload = ctx.dynamic_data["provenance"] + if not payload or ctx.dynamic_data["is_inferred_prov"]: + logger.debug("Unable to find a provenance for %s.", ctx.component.purl) + return CheckResultData(result_tables=[], result_type=CheckResultType.FAILED) + + # Extract facts from the attestation to store in the database. + prov_facts = ProvenanceFacts() + stmt = payload.statement + if stmt["predicate"] is None: + logger.debug("Unable to validate provenance content for %s.", ctx.component.purl) + return CheckResultData(result_tables=[], result_type=CheckResultType.FAILED) + + workflow_section = json_extract(stmt["predicate"], ["buildDefinition", "externalParameters", "workflow"], dict) + + if workflow_section is None: + logger.debug("Unable to validate provenance content for %s.", ctx.component.purl) + return CheckResultData(result_tables=[], result_type=CheckResultType.FAILED) + + ref = json_extract(workflow_section, ["ref"], str) + repository = json_extract(workflow_section, ["repository"], str) + path = json_extract(workflow_section, ["path"], str) + + if any(param is None for param in (ref, repository, path)): + logger.debug("Unable to validate provenance content for %s.", ctx.component.purl) + return CheckResultData(result_tables=[], result_type=CheckResultType.FAILED) + + workflow = Workflow(ref=ref, repository=repository, path=path) + + external_parameters = ExternalParameters(workflow=workflow) + + internal_params_gh = json_extract(stmt["predicate"], ["buildDefinition", "internalParameters", "github"], dict) + + if internal_params_gh is None: + logger.debug("Unable to validate provenance content for %s.", ctx.component.purl) + return CheckResultData(result_tables=[], result_type=CheckResultType.FAILED) + + event = json_extract(internal_params_gh, ["event_name"], str) + repo_id = json_extract(internal_params_gh, ["repository_id"], str) + repo_owner_id = json_extract(internal_params_gh, ["repository_owner_id"], str) + + if any(param is None for param in (event, repo_id, repo_owner_id)): + logger.debug("Unable to validate provenance content for %s.", ctx.component.purl) + return CheckResultData(result_tables=[], result_type=CheckResultType.FAILED) + + internal_parameters = InternalParameters( + github_event_name=event, github_repository_id=repo_id, github_repository_owner_id=repo_owner_id + ) + + build_type = json_extract(stmt["predicate"], ["buildDefinition", "buildType"], str) + if build_type != "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1": + logger.debug("Unable to validate provenance content for %s.", ctx.component.purl) + return CheckResultData(result_tables=[], result_type=CheckResultType.FAILED) + + predicate = Predicate( + build_definition=BuildDefinition( + build_type=build_type, + external_parameters=external_parameters, + internal_parameters=internal_parameters, + ) + ) + + subjects = [] + for sub in stmt["subject"]: + if (name := sub["name"]) and (sha512 := json_extract(dict(sub), ["digest", "sha512"], str)): + subjects.append(ProvenanceSubjectRaw(name=name, digest=SubjectDigest(sha512=sha512))) + + if not subjects: + logger.debug("Unable to validate provenance content for %s.", ctx.component.purl) + return CheckResultData(result_tables=[], result_type=CheckResultType.FAILED) + + prov_facts.statement = Statement( + _type=stmt["_type"], predicate_type=stmt["predicateType"], subject=subjects, predicate=predicate + ) + + prov_facts.provenance_json = payload.statement["predicate"] or {} + + # Add the provenance facts to the software component provenance to persist the data in the database. + prov_facts.component = ctx.component + + return CheckResultData( + result_tables=[NPMAttestationFacts(confidence=Confidence.HIGH)], + result_type=CheckResultType.PASSED, + ) + + +registry.register(NPMAttestationCheck()) diff --git a/src/macaron/slsa_analyzer/checks/provenance_l3_check.py b/src/macaron/slsa_analyzer/checks/provenance_l3_check.py index e34a4ce0b..7b659e04e 100644 --- a/src/macaron/slsa_analyzer/checks/provenance_l3_check.py +++ b/src/macaron/slsa_analyzer/checks/provenance_l3_check.py @@ -5,7 +5,6 @@ import glob import hashlib -import json import logging import os import subprocess # nosec B404 @@ -22,7 +21,7 @@ from macaron.config.defaults import defaults from macaron.config.global_config import global_config -from macaron.database.table_definitions import CheckFacts, HashDigest, Provenance, ReleaseArtifact +from macaron.database.table_definitions import CheckFacts, HashDigest, ProvenanceFacts, ReleaseArtifact from macaron.slsa_analyzer.analyze_context import AnalyzeContext from macaron.slsa_analyzer.asset import AssetLocator from macaron.slsa_analyzer.checks.base_check import BaseCheck @@ -350,12 +349,12 @@ class Feedback(NamedTuple): downloaded_provs.append(provenance_payload.statement) # Output provenance - prov = Provenance() + prov = ProvenanceFacts() # TODO: fix commit reference for provenance when release/artifact as an analysis entrypoint is # implemented ensure the provenance commit matches the actual release analyzed prov.version = "0.2" prov.release_commit_sha = "" - prov.provenance_json = json.dumps(provenance_payload.statement) + prov.provenance_json = provenance_payload.statement["predicate"] or {} prov.release_tag = ci_info["release"]["tag_name"] prov.component = ctx.component diff --git a/tests/policy_engine/resources/facts/macaron.db.gz b/tests/policy_engine/resources/facts/macaron.db.gz index 0da56da72881802b6253dc3515ec4b58f1eed40b..276e24574a184dce91b6f78ca71b66c990c69f5d 100644 GIT binary patch literal 13765 zcma)i1ymeMw=M|*0znc8!QDMLL4&&t?gV!qY_Je4xVyW%4jSCu-Q9KYc{%@o?>#yH zy6e5yYjv&a>b-YW?XKGLRTG80eH+n@V+sRnt#7FBU~9u@WB_xlvto;<=1gU*_>m$c zW||?^DtROhKTy#sn)Qj2Ge~%dEU8Llk$h*x3STB5Roa2xAs`(`N;Q;zo#~C|v9MO{ zKElInw(X)sk`u`NZon+9wm3y?1a$E+ORi<+36et|4I zj(vd`@}H(1jxa3zDlD?lnfQu0_KvV(?ut=}Fv2wE$-R%Y8~%RJG1Z-~&u|LE`lUI; z#HcNEFCmdBDT7(Sxb5u|S0i)tr+LWp@?HjW%fqHARpjl-FJB`6*V02ntKumE>Sx~s zIYnSystk}L5^s?73NH#(8>@SA^tmlw4|zsV~>DoJTk z=w&wEhx!tVH6X>^So%-2s7K@Fh91y!()OGP?RWyyyot&NCvjz$sMYQ^O@i{vnu7I& zF}-{%&hwnwg8fJahQGAmQrBXuH`#SOic}(xn{D-$kAK7qIORnJhplJg>jwlBvl$~! zb#l}X`Y)1vDAU`TtH_xl>Ef}i0er%gQk(dEQq};bZZ<(YyjAuG8EZ=B^W)AwrWv}X zFBHlVEOYSX%8c%*T9cRfn(=J=*mG3IO1Kg+#|z_+PCwr8H0sMpXabu}Q#T}-2n@Ab z8G4lt_AF}e>jG^V-^7n*K={3kOBcJkYNm?ak`GVxWfN446$FxVH&8!0$;2HG=F*vk z#1sb1J5chlwdG*Aov94v?HQLIb^KD~I`(YYvZ{3s{UX0h#l9riD9f2NAodgEkqR(Z z=LNW1|x7>hea^kW9k(*EuD1R!)KDT7p}U zk!UC6x|x6l{++>^!pPN!Fs`|S&KxXQpFH*9$L)MR4$=op};D8C%+^s_ICF$LC#NsNHMMa9VF9mruJU z3C;#eD_`;nIO9KhWR51MP2{{oZE!v(Jmo@##n3iKFT{vAQw}_iNu!DWnzB5s&1ko< zvk-P$c*JS>bWp8ghyqd8;ZQ#LWzTg~ei3PxT$zVVAmgzes(~e5vvwd;AV)Ah;|XUu zI-W-R!&Qd@=~^U*FG_b#qGHv#$gZ2~Grw8rY(g{zOIM1vmS+>G-p1R`^s0cR${kxo zNTrae4nnwa#?qSb>l+vOX>DuwK?zcqTtipwINUfX9@m7Q7Xzmf;RPuvU}GZl>R4On zB3Cbq_RUJ-J+7=dEyruAEq(9amPyy>>b_%PJp#fs9GtR1B$@Wfeap0NBz%q3gc&Tss!hbZ)|x5X1)(v26W6Mk0D-ayaX`icHvg85#7#cvw?V}e!DBUJ(AWAd1qf%{Y5IWM!k_xi)1 zeSEiNABI4M1uh~5{-pG}I6p5=xOgM5o-o(hOgI*pKxCDEPH>-NMg_8Ov&QD*BMM2Y zY!L~N4z_1b8l}`=q}c#*#C+69l{CsViNXKI!6=MW^|3?xX20e^v&0F&s_v=aGjLiK%plj-hU1Wrp@Wx z%`+YR1@zqh{tg!Hii*VMVyMQu&CZ3N1CrtB&8+tBiAfUvUp(h^*=?VX5O+`WZIlNa z{C;mxO6>(28y!rWkF@?LhhZBo)Of`P<4hc)3IKE91Nv;#{6Qv2?^L3YYVz>~e)bxz zlVawpKOf+9JOW*`i%1M$ogQmnwL$I6G(&qP|A{dQI%NvaO^UGi>aeKVKqk5ggItkJ zu4v{`&Nxj#uC)A?J%(~a(qJux%s{DyqF$L15zoKO!ahf$J!|_tfgpv7plnqRMiJW; zxdxh&&v&Z3!;*-Qxw}CQJ-TweF5Ie^2Nhz( zKfvvFw=4dB}(m>mG0J&bm!;o-}Qy z%pgyDkuvSmn&lQFvqT_J&b>OH_Bto|+e8k1GB2xiio+nTYO%+Ts(o6!K{&3nG39M) zGix`RrKP-XS-Dy;r^J)ymg3A)GTpNWb=>EUONJYxcqA8*ycsMlKa=3aYWbWLV=1Tp zyo|b!m^2am>gGjs3FE<%IS3!Frj7ZN--oetS1%RQ5xp326%=gzT&-|1CJWvYCPLIT zICfn2b!?a|X*foEoTyS#;vtwcTt-79yc6&pHF*VmhQ7WE2)swwWlEAy5-{`%bn^vw zdSo21KnI`ZIQbA>|FIg^kGkpFzK!zSi#>H#JpRCHCF305^X|e5brnDJM$o&3Q(Bd5 zsM!1D*`e0zt2N=HcLmp_JBKo>5u$EcY#c>o%`>N?|cKD4) zhhvAS+Liq98cX}wzDyFh`%V~&{vf&UA}nP_b=^9SP6GS)Xx0;On3%of zNwJSPK6Zd$_+8n?%KVvHUXLGr z;7gS*zjyfltF>w!63g%->&6LIx^sOb7fHd)(T7m9E$6T#bM|LYK4<;1w~v(}60^HCHj)^4{7 zC45I3E#Cw}u&!YhlNhT~GUlyi>=gyvBBtZ`3$YsKJiW$lig>T{;FA&$Z&>|?CM7%J zCsg*)RdA~p=lmHtM6zS4?bgyR+!-TOM!hFl2g6R`%_ax1+0TV>~Qn-qGVH`44lziV8;akh%D zBEJpW=4-*KY}|h5uzI2O%5?1OMieZBKt>OQ|mm=4Kk?S@yo zjCVhlR<}-Hzd_xRX-53)ZdP6dfqDA99OeqDkZoSwp(cel!rJXNx2^90B)jlnSpBrQ zHXqjHmrqS!!az`hUFluZVfiGc(kVSSk8*e4^mTAg0@0IGQdlo!a{?IK+HN4eDMh%V z7e#T|9*4nL<~kcEf@^cgENpeaY$-c2NaZ_2U*}86ANHEzW`!@j+%qbUuTDRpQiB1# zMi#8XuBM%g=qa1O^Zpf9h66#6mb<}M%~bLRi6dr;BkQP~Z22bc-qIFu_cgqZzElk% zIB{T`sN6BnSQ8y}&L_!YT!*!&lqfewxnrY=ERGxGZ=@DS$f23s7}%%rh7J||LWFT> zmkR+bH%(mDBsmanG=W_T;iEYYZJMvkDrNBSE0TIqnU?1bJ&YJ zvc%Dp1|T3%#hsOmC?ZcO=NzGwJhCp58imhtkm+E{5fWFWBX-koaH`X$wpyh>)3RKB zU`Rft&R>gJo{<+*XY9-Zs`e4L)E^2e)}%AxU_)0#N$4^gUJ#Do zscM^0Eo;MwkvQf`8R>~qy=8PtBUF({yyZri$Qn?^hc6oE-493`DE%zNdu;oG81{I9m}BOl1-@PS_VqH_${vhhm7`?p$&H(YjtbpTb}$b|v;~=K~FL zR2#;JX40InC_a8-4QBZhFH{r|e=UeVW~6*Y)rO8;D1H7Q@P>rv;8Wy}s$4Q*QKwK) zb@n&J88ox3gve~%hPoxBFV-O-9;t|fc9eTU$}fx6;g$JCi^P0F-s$ytl?l$hwfy%3 z#*RVwSP=ydRXi4apT@}1tyt2fjWG5Gwu=(vcfrG%wGsReKVQy1VFHQi7`CJFNHE4; zT7MQgO-UN`kR1S6!V3d%TXRaJ_7o_Sh)Hy8XtF2fKBH^pE={8t0jJ|zyL?I|?g%%z zI8sLK7wFMZYLylSb9~^~T1qScq(W4xeE`I>p6+z~r7Z&yc_$Eq4CLA;U`j>s1AcBHTt|Vy_Tt(6eGn2!G-1+TI`jin4Njt|I z`ccXi4xHhh0yX{!4x}E27mM`izSRE7%>JAux-c1*sqQ2hZYrq}5$?EnTpXIXky$X? zTw#GExoI~DV{3_A{V|wbrPsv9DAF7eQ}6}PFH}d&sYLT@Jnk&e7x>WuL3*qL$Ro4g zPJ2NaPij$vQ$(~K)x7uBmd}av8r8ZgU^x%#^~!4HV``;z!+<1{L@8s|s4@CN06FD? z34Dz?N0M|+7?3YXZc`*06ReHF84b>#S(72)3dhrxWOCUQ?K43WYqAGK2@sCLW*B>% z^i^B2bl5KpfAb^2;VF40tTN1$c zd!CQ$F;NS@ZdG0~TT*!L^gVKzUNYz6Ie6S}c*>q9XHMLg>QsMJLmr$QFll(3QEgr^ zstlLyWeDab*$OFf@t3gQQ`H&^;mOo<6_nOYpt*F6xyhwo7WKW8UI6#Q{4^DKVdw z)Zh}WHdrZ_>d$`0y`tQ@3>{EUOuE}_@7c_w@3BO-XnVuZ9-$m%SxYNz$!49S zy%CZ^kz9W`*cd?j1h2OtedK}pWwrIQ<7frn9e}#Bw&mEf)?DMe4NK4ghf^0>ug+fA zH5n}rzzHkxYr{yASwwmOMUxg<`sk$!?mEDXxe~bX0}}KNSx@A{@bkCSK9YtH__1We z-%c&5^)=^vRly28ftPY+JD+(xc@)*OS`LIn`SjKbof-C983KcSR1JmMN zpms;(F;={pBHyL_z}SKN<>D|Sr}qdS%u`Y5DbQENLwDW>vfg+-qppB}yyg=p>GlC+ zt-w(Gn|f^dyo{2G-8sTG@OyP`@72ekNNz5idSL|8JC{^Is?h*XBfs z4-CQAjOE%uH10(6I~%>(V}KF4zKzjm9Fh#m@U$Lo@uj~}2sW%@Y${)IqXaSj2xFMUY`p=!`il3nFgP<|H2;ZhW-b8IEU7_aJ1XwFTBbip}0}_)N|)6J*3GXehp$M z7a4^lwA9NC)t0JPJJT$r+;n131Lu&Jjt>Z3APV`29f?_WAy4nz`)MQ?HR!*Q7aTJT zFi5;7mT(xN2qgZB`tHq_H(zr3n@o$FN=(V!ko&G5eJY#Q+@G6tRh&GX+z0b>%3(Lo z{j^sN;TUWmEIT)A(#8qK(ZEzo5`vwzn;7Hh>EULOAE7<2N2aptg>}&HB-V`1JK5y{B4~sD zZ9>0qp`}4HWWA%LysLma$EyZcq4(3P2YBzsELV%rQL|AUxpI&b{!py2kc&s%WKuH5@kUvP zu&q^r&L2y@1=~H|@t4Jy>M$I&6}mNj*(ty{8-=w8fyX$rq`MqrV^BQ?9Ye@1SwY_L z)>m0hfO5Ot>C#9pmJ4ftdC1V>;H~q68P9BOSp6nrcS>F1>3ugPgT=j>o)G1%VF#sR zkr*6C)L7=dfQOvc!lD#Wo}n8#)Jm<|go4@IsJVzi@KTMq1B0=pI1O;UTC+HKb9A83 z`N?yeYJjq^Ee6}W+io&Nd92IpxC@Cf%`FKHD_uXMi4ZQMZ9+#i#lzO>!c`+&dR)fh zeWOn`^SaAd)joS!?}idD9irK5s?_4Qb3+U7GxX1K&ljgWj6h_iuQt^Ba&q>vckueD zwma{R4ycfYfy8|z9?m1McLQhUbXbhJfzRt0W$R1x>uaW@M5eOONX{0M7%3GCJ#WsS zf9HPdcU@l4v*V$nJf`^TyuHzvkp)kOzjJ#JEwJaIvPGpUqYgtnEqo`4Pp>$Ow7j9@ zEhZ8uPq%Zvu>LYk6~HMqqgppko1lrJUBr3V1Ikjdh<&G$Gr!w@1U$TzJS|tA0#x~g zYJ$U$uxB(IRoSI}J~c>r|LmAGuBUW zdsM5!wM27f%%+!6ltu3yT9u1Af^R;7WsAxiknTO&RA<7ZS_6i5qQft{g~3MC*J1vL_pZvcl=|oXgbB4VS6yU4Sncx(^v2@Bf4`=Iu#6Nqg3y1qog$q<><6PXgOv z;FuzRpZcRmzB3EPIp*gTFH0qtrZ4qtdP|}@9&7fHI~p}xU}c!jHjhpDR!f`ScPR9a zh$>v*^FOWC@IO`r?A0ILalM?cK_4IgIkpr*8!vwUvy;uzQ($v`2KzAT?bEU6w(*kO z8b`JD+<}REc};}1(UEJ+7!=AV`tnD#b|)4oz?^Y7e$XD`9&Y*&?jGrByEi+14_(Xu z2i&^`6HK+Iml&jj;7}nOXbormn=xq{3_G3wM}n%*mf6ejd9R+Fu!Uzy5Pt#WWFO+Cxn9u z0BbVsy)%YwIILqC+|n#Esa@KJ*$W8(FwA{Kbgc4^3N#0;L!f_8ZAS0e*J$Sn9Gwjc@+D1(0JfmZC+@p(e$GDHn-wCZMl@5B9 zE0d-el;p-113g}#?KGEvdl8sl%toiv`0h||j+^G`$&?Up;O<%m$ZF)A4dwb))u&XYGr2+~Mvu-!XRU;p{Q;2WIK4_lrPxrFi8?^?o0(Eg8 z1g6b431`hVd)s5U_|Y+_p2D*u8>@gZ6p~yK!{DXNDK8XipS&4gOBx9Es<`rj}(J%}B+~+bCILye^j`W#08#j@J2~s~i zk3so{($x`<{RVVq>EyQ$49rha2Itchst53iVz%pq^(aZN%f!dl~ zVy6`nnx1pDp;at0!}A7q560H_o&Lk$BJwGR%g^pV>35=_%s!e6+T?2+XN9@WRf#+Ssf{^;v#=10upqd0ZrbMyZ-DXI= zt<{;)TB{?|mE57qZNFK#yrPh$1xSN)d3!5nTtvEiTry_0 z)Wud>N<)LQSG=d`qv?WlewCcD?aIPJo7NBFNeFvFs%6#HGS^ZG;1pV|ebs zY0|^|Ujan&UYt2yOONr911c>&r4gl;3T0e@^&+LtrQG1aH=Wel>RgjaQ;8%2pBXOq zqGoYcBWu0r`&th*5fW3-G;#k$N8g(17cXG+USsjo$7*SZa60L0>AgF(Pc@I(_0dCl z5$QY3eNQ5AOhXgBE0h6?j#c`Hxmc3HQIFXS5Dd)beZ6qcTtr`+GIP2Frh>pgUbD$) zZ$GEWo+^}B(gJ}<*!Vb%P85`w>E=R3YJNbb;h00B53iNLsm`=22ghUvG!>x;Vjgz- z0k#{7!{H?w-$aCmL=M)y$?`UF#*jUO-+^adt)yT0Bkhl2borjo=q2wid5<{ z#HZikkFO51R^t!U>qzULNbeTX_zw$L{G~4GUAxUo##W7%oH?@joGx< zjoDrhuk%%qjxnp*!J!{NVGNqVvmf>RcDs3s5Bh4w8pj*abn(PZg{5jgI_5OW+QJvf z-sBaIu@-8Dy<3#Zi6UgYRIGMip}h2*#CkJA+bl#gGH9Gve@|G)<={G{o7&ux_QDs$KrLlkLX_pk_6KRSwL3F2!^CFour4{U zU_?Y0KtgipS8R?C8#F63pIqExc)jLfPu3LyTDp2;$O-$_I}9^Btjw>X%I5r)`*G7_ ze_FMeHwpDY4A2y5=+3ZecdqtWeN%*_Fm;l$q0!uB00DBN5MmQ|x*-Tr>5j$(vf6xF z*O3^)5UPNk`wd823;uvoLi=HUr#*MMGU(1Exp==OUd9OPwgpc4f3U1T=$5@IHV z=)<9Vp(j8h_cj{q-j}9Y*nHM*>RepPfy^7~yZxl*KTTou<|f^n6h@zr9Fr2k;$;Dt z=aL(MHn@(TsTN(E!=-U?hdHhGZoW7R;u+@n_e(H%+>yfj#tj|g;PYbdyu}L&i!cEH z%B{LfQpO>h3q>;qhkT$R5tbsFibNDj%0Jc*%eUgi#U=`(*_!MytuPzX(n`wd>CePE zA)7MLDi;@T{UF;}$!QSx`7}(u2fhu!SJstNoo*oxDULw%AglLnD7W}r@DRMKtQ@Aj zmMfb%-ud>hgJ}BxdwCZf!x>AbW%ix}T)dOPdjLTMIVB3MqReP|k=>76mdJnVgaqbljyRBr|8jTRf%V0#bk z9aDU-u*vG{O9W!ZAhZ-wYmaq$i=M0+ay0n9a6|vGicSg66hdc+Y;?tdm=D$5F|e|P zqw23rO74fRf^>1F_;T$-Ez^1aJiKtGxk>Iw60QKjXOg8zD#YxIZ^l|$L4RqL_v1`9MO9DOqyMMR8k1B%Yqw6aNOw|qo+ysud#O(>G}cXDqV?bh|pA6q0YtuMl;DO#0eR?GN_9BD<4+6ed7)bKROk#Q{t) za<@E6u-dJT$J;LVBLi~VNzGXxk`MbTRdPJ#GW$K70f+>e%b#Z(Xk@x6u$xb)K{a=x zzK>dqmpo@i0VYD-9dF2KOaOco785|J&k*;eAk?=A;aQ?smBRe7I$tUv&!_g(sBwMqSfZbcjd-C`E`}k6VF|DinbfKuaGuN zKQx(wEf`Rv?u*U(9(ZxEOm3;WL5UOLAjt;}S&SjMY{&0|@OMqhTHjyptjC3~_Q^g; zM$~4NK8K}B9m!QoX@a6vIu4aYs4FT&>aLyqgpSD?d_Ch{duO9x_4F1hbD_?u=1^9} z`TXnvJX^0urDB;#3-U0?C5S{Bw2>EMVo(AYMiR+IH)AEMrBYdoJVdEvky0`{m0`2v4WcAD@=Io!?T)(g27p0r@_0IDQ-$>e_&6XR@X~s`onjKrJ)mS#S ztzDJxIut@0%Y&T4!Q8`91%d9)l0RH7kW&NGQGLmFbsO;U#6916QMu(pO!@JLgc$ln zjYdEF0;Nt-^OVw!6z>l@Z|P6F`3QE8y&C-cPDeD{I6bqd4<1My48hML=|wrq`tRKC zI(Bz=HyFjl?9i4nRCev;!CgbO!q{%6485U9pyMz%7v}65mu-x8e+#fKJ=VK>+?h!8 z)~P%+JG7W6*xR2S8?f1*?eHeB_*%rKwt-RR70f6E{Ue3hZ$}%?01(ONHu(|MZWp(| zQmM1mrslXjQRAfk+nSE#H!j~mK&K^QwT7r2eOiaprFh>^ja&|(sBI5_OQMg`X&{Ik zqnnRp<2p889E_eGd0J%qSiLX3ma!J_aHQ2zk@rHWBNTRkJ~B*bw#eN_Xwmj|Iz7t$ zQ1bR9XEfA9Nxu5*7sD5iCo%7YVKhm0N_k4WPj4}Qn2V{L)9Oeg_vG*0*o(}PnBYaAcTskrpc^@j@d>N%b#BuC;y4N{EAV`dwbfw(sRaI!y{1+IqyKmS7HjhZkLU5NjCEE zDZ}B~^^yn<;OspNlHFNl*DXmq(!DZT~uQu%P$HiaN60%tV;HusMio1UCTLETu9{N8pv!;U?ZD= znhLz9jzvt5#eAL1e@zS+N-7tXNN2||O;ht_tukLSEN$mkD0A6w`rlE_0Z+KxNvjbV z`9{OU>YqN?&tTMb(cyM_uv&|49HXWX9d_x3_Q67&pxtXnsi3nZ(=nIZF$mhy%%pOP zRuQAbcULiHOXd$8}ZKkQ(RXVY&Y+Mf!})qV5h>N(wd&H>PG|0 zX&3Lv)X-G96rR*%8|+OVBvm66tPu*GLJdxt&Ip-(r7~UCd&qX~w@?9GXX$9n!qQRaPDwPc8o=seyxU3^Q@kicAis6qYutpkTgF94lC}lr0$z&~2dD zKDt~tC{=(_RKn24g_T8WY0X?2RmTdj3}%bMWZ?ynnXn|P>XI*j*fR=*hw zP7pQcA*p##MY9w1QdXK>3@GE#)FILk4M`CMo&hSx6#1W6hqQeO*cdK81&n(D8fyIV zjmvvJCZls#`(Gj`)%x$^^XOkb89hHexE0)Zc{f5Ye8KHk8y@VerVnBjm5!>>PIP3Z zs`E{yspbPmY>p;Idd7P#Qn{z0?B@vUaugvQ`^YK0=-)1!6tX zjF7vZTP>e~-QDS(=-h4YZ132inaf%!hIx9eli@@ek1#!C2z;-|oganNj+C0W-ENvR z$h!JwLyJ}>X}1FB>ow-ZVSPp$RIOKlD08*=N>j2KZsFEVxHTp9L~pKr%mdD}@~IWN zXPkqs&6o(V14w>?HG{oVK0`)YkWg%umTfTKV}ets>lyuqn3bRKA*)%N;cgBeWn+%3Fns8=uc`4 zt3K;x8;o6HWKR;ZZlgJ2PeDj=U=pyb0N*$~4&?L7dCWO^wu7$@7f$opF6$x5ea&MH zFE3Uurb=|JtsZpg(bTUSE_-6t0y=}7sSel8&)A}CSmj+P-9o4(WmR*yH_#t`*z~K%d(K(O#avLp|Lp z4fB&e!3%DA#I*~9E zEmI9x88zyfsFpOa-`3~oEYtk%e7&!Hoo_e2)NLI!+0@hx3-*h+&B2;{5DcnHq*H#ip(em=s&LtC zVG@dP)0mQsaLpJf_?T$$l_dZo5jbe*;O?1Zzpv%>tD|GlQC=(NLyk51n`-e+fx_#;q+6b@A6p8kJl+Fi z09_-hARehZdB*-$*0!EP!~(10j|;|xBkjYwiTpUOQ=3JagW6kf!Mu73^OkvAw<+fS z6c1JjrAhR}xPE&m{*3vNr^JoD8iFOnp^(5XPT>?iH{n*yWL!B2oG2in-FC;cA_{GJE>kQ&_KLrlyoR?TITvlZd`p&$B=lt zuJPv@tmn#_<9ApJY-W;FOW@?nR7|f6n8ys+eUqG~Z0=_)=qma8fUqm$Y<-A@_DAVm z_>R?bVo7-wE%yPJu17Q)yC_W=N(~qfEdaLI9K|7ylkW@lDlX5N7Blqi#*gfM7eHxS zw@-COOE<53!waiWK`c;g3{$%0i(S(F_Lc#ox%cA<^Z{&~5&%DfT_~hHogL$ae_gv+ zFZ@U5F$&&b?yiEDx+coA?69k!PP$&>QbxK5d-pb77`cfsYMRF)$J9`|japj#S+eFg z){)8Kro1}(v052bc6PN2gi_;KSlgSRrO&N>bBpq9)Fz3hFMvd-F?HpB56Y%z;o+9wHnRa9DCJ#@ktH6nec8pqoE!fAM?HdZ z#^w~H&nGnmcL{0v6{7syR{_24Xrp`s<_)}`4`a?BM`}Kl3b^Yyd>_(lf;j;DXHXw#yKRMh`^&4pWY8U}oI~;c$qI$P`!8{87%ywtF0ji2jox<9^_Pxk-$w+9 zcg^JQ!gB}~f_6&u`xTU?4(8t#p3djJnL)$#|EBz}_jwdQezX1i;kTR&M2Ng_C{Y>( z%ayl(T8+ko0FPfr$P*Nj3iUp(KzKTn26^JXFz>yreSd6cMe+KN?*B*5U%gaBJdRaJ z+t{V8ru@eoQsVgUphsGS|2-A?BDnul5%ehS?KxCU^!#tFdc*!!%J0cHtV7{Q>!_g- xPrucAHgq&~F8`N&J^hLw&^4HU>YVe}zrGII3pD)#D)5BRkUysivknXMe*hs*VWS@cjTQ*6?2S#0ogIM8W+n*7Ifl_ILtfp(`cK+6 z9s>~m(jOij93Fl`m4ww|5%;#+&c!Q9_H&TL$~8A9K4R=h;*-ly5$w{H6K*Vnr^_vc zapFPwU*L%QvZN@8L!trL?_Ofl-LHlrybkPUQu-zzfG{i@-|%IUKm{Zfkv!k*K7j`U z++Nf9Z}?{4b#9^YiJ~_<*fAje%q*M7eW&ov;G0#Zch)bu$dOI>^z56ullrHk(j~JJ z&#SH{Pt)8dzPpZ*XO;)l>%B3apbc|oWRo6&&b)EB4KNSL3_nMl7iuP6$3UixK=f+| zhR5KR*_MQek<5vYD`n=J$sHT<*nod3M6A$v)@%Qy>0i|eS2nBCTcX#epKFnE3oAbc z0u8oB{|Cpfc&gYY)G<0I%7haHs;pKTK&YODu zg~^lL{O{a+*SE2+Ex!y76qn9i_bm(LHmWi2mX@5AXDX*9Fk8zk)Z}1_)kegxz6a}G z`_aDH3dT}+KX@^gN0B`c^2Lm2i{MAZDmAS;TbNC^U3x6bV(+pDa*6p0T3hfmc0Ab+ zppoR^X%DuOxC>yMnB4JpXGY+p<%CD}ad>1izoh&y^1F?PeOAB)>i2+6&bd^&hWD`v zdjl%<3pQS|f&v~e1!U{%vLox4lKKM#`;mj4@BC8eyI!wf>&0sQAbi@4J7f=4c3{TW*8WavaqoA{s?k?@SG(?= z{9ru!ntiRcZ|!o003tMe(bpX-my2i7$s(;o*g zWoN}=40-%W$*5^uYGqXcnDs(N%hwj2ibv*WmtCC4y@7M~XW4o{{y6~Q?;!-rF7}(% zwN&+G==ia>aMz2T2T9&#F|RZHc_;gM0-7|;>#zpj`1W6f6h^khy%YGySQ%^gk+J7G z8a=EP*{*$JS_+%6w%=C3ifEdqNYo+bPsf17%8s>Uc3;XYc`h)GNJ&qD2y+T9dxk4z zP7-Pi_J&lEvTCx#b@ndtyn;>iDqNMtcV6Mu-{x&vV^V-NpGp6w_!qF{!7)H_z3{(j zn@hj;^)tcgH?n^j#1whIS=q-(>-)n$^H?ly{)|XMvnyFD``nY(4-+s@ta2pnpQCto zJ}kS9^OOwB_ct-LFA#fm;?WO~vXYX_r#ZQa%iXWOPgC-dXts>+m?tdt^YYU;t+;{1 z!~WbA;WnmE@}VT;wKKen7haA1ph?c9rgb~9>G9GYG`m39@f*O zDhNfI{(Vz`Gq)LuoIg#G#~C3B2zL=6_l;(eZZb_~5NNzvjTya#oAoR2ork)o9hJ#I z9qZdhjmnSQ%U9;smL;rHwe?S|i{vDL79fWgS>wr{>QijM{;e&o`ki_-hDNm+273%P zVYZP>B)ZfQYjz~&fx?kqusP(Na`3W-b#c2Bj`gBq|XN#Wd$+7*YP$RiK}yB228jl7zQ(o<78yj>qlj7bkVu=AW`Ejp>($R_l*U!gX+ly?>kjY;JzJ=rFY( zRHyw;Rsg(gVeRv9|1GsKzA6a0*qim&*+ToJyIXyWs&{imIn&e^_FMb1jWVI*X1!D4 zR@WyR>vAV~<9J+PHafQaNxb4^fMl^3rywa=vGd@eMw4t~ z)=tc{fJOBbOSJCjo#c@VFM91_UWJ{*?8t)CQ{z3@{z^A~`&UqZVAS5tY?2qlGNyo! zpcBTZoNCrn-UXvNMdK1R=>V3%CH3jkoS++wqSycA7a zn40*7)UDP*TKt1tMeNX*|%Bs+Lm_b1$zEk#s@no(vbQx91xq60lQxmVt#32z5 zBSHC?`8z(qwXgCgi5BeB$2h<*VEIf->*u7;pIux`A1vT~{@aI|s=7?8dmB;cG>-uB z-0@fOH*mZq9=dD8#V%8TF+B7M_W|hv{o%nb>j~pJEf1!T_IDILf-WQD=qFEAt)mRj z*$nfcMcpEXzuAs{-=g8V%tOtrn%|a$n3G;H2&T)SJg3G*OvlnEel2Cizq;ue(GW8OFY!OFwaH2etSedHeyG68iz6O`AhUsH?*!xnK(e2VBYYd=fmD4?(t@OI=3HEb#TT;~5W~G)Xj%a8rA&^l`j`r3($WNW_ z;b&or0pr5>y`<`Mqd(o37WP%$VJivVNen5fGX;EyxxN~P^-!uYxqj7gGc^=l>_+)j zER$;Bar>rNmAY-S82Bl=d{sFbeHzwTCR5jn+22HiJuE7eNS-M9p+?5Yv*nd7bLVpnlbTbn=+DiJ3h%@*cv#;{9F4w>H>k&k!8}VK zOMr>T5?&vC?Ai2|cFUo@*HZuQC+_P+aGG!Q7YG_su%_P_j`yKf_odeImQuG$Ka}cV zIN|F6kFQ)xF5mn2Iu~rz-pjlQSTHu8K`y<}7r3jR_#|EgioUBB{@OkHA=eb)dBJat zizTJ!{a1$)PIE+~XD-sK`4;dLLN_rkUhyhC=??z&%vS9-gqpdZrJbZD7WCKse17q9 z4TBZi#p3RG3*-9M^Nky9A$o2{Bv?*be*_H$``m2s!gI}VnRwl5Uv&uxxQ7I89s?w21a%{!= z)Pi_rjy!Zqa(5-Cu1<2D5YoSB-%r=sftkYvt{>` zKSs17jhLGY_k-$rZ%slc-Ylsxj2DNPaYXIN3uXO~ZB;`DXO^Pn`564n@pN6`3BPHy zWM03`ufIufbN7*Gi?=DfEJ;Wt3K8kleqT?K_XAa=DSm{<@!k7N70Tf&UuMSP3}1Bc zOd!=Iuai!^i;8f3UX&Ep89fQ{SyUWw0&sOfW7%xko}?oDbEhJG1bkaDiETF9|E__I zQ(SlmEY?cSoi%JBfj#XdlqDDGt1tqdp`$IFZt+qSw7iHFWZy-)=)4#k(8c9iEu7%( zxoYK%t6OT1w;4I`Eg+9P&=c;rtdHMDy|bgt8|BW*aHYxF5!c=YOXzH0@vSagW!SMB z#^>gJ{pHzpG4w6($x~6VC(DbRWkg;)`%%N z(WMZYn&_4MA+uGjC_+itv+Ac`?myGL`wjAcqW`b2%%R_$+J>IAXjSwEcNft8 zN2?BFO10WhCztL$z9yqS^PEgd%rv*=f)Z*3KVg-hbrJdi`dL^|f>@xCL9;Jg6?bir zo45INMX~MB2tk!Ojp>&@sCJ7-+1$8Ftq5XMn5YD|;?LKTBE_T<`JKqIeWSuEL?7p4 zrut~zRB+ciN!(LcXfjmHq)#|;2oi$y*DG*6LPdbTY^;9~Hgl`oj%4{}??t9~v`%%h zbY(gC&j(7Wi6E~M+g%o?rivcpj>}4Ic%SX)@}8%8SLsVor-_-Zyul> z&EtrGOnsYhpX;@z3Q&m;zJFjWWDt>Zitfp1!T;sWQPz{>&&R|jmWB! zqXO=ui`CQJfEXKdpJI*vL%lP1zY03{AV|t(%o^sNn+Huay3UBknS>(^% zQd~zn&k)J89edyQ^5)*D2G_T|4?m{)+{c#y+3siFReG2HZsy{(u2yA8sbrRLno{OV z%>Jc!$5Ly8=@eB~r^OkRi0ECu-o+%%PZkjXZ2~=PH+6kBwUa7)4px71&iC0x%a|d! zy=<55S~k}@Ob(@%dsXWPWa9>Ig7TXs<-D)-rxra@csN&U&IIaM!Hnt0JcFaM{dHEJ z$r?95hOmx>Z@tQoVstK2mGRt$a2EAfiY5ro62A6B7;R!*RtjjzCn6LVoUmx(-7;sc)zZv;1ElWSEg>dXM$^}Qac7;lLrjbRTl046p-xikrm5*#J@dnV zxq`a>$H%}~*A7ORCLyY%h?qQ4+uLVB?vuI^HL?eXoBmY3waOK-(gylIyz=Y&&eX%= z46hX)hHo6eS3R4{-ZAJBKXMADyaUmUh`cE>7`KCcWAV`ao~@VgKT|%d)h95W8{XWN-VC}J`yf8i zlXjiMyv}}Q33--5CoE4V{#t>?Ie@-CAIt|eIOgRh1{9wL=q1wLz(;>8mbP|Th;D(w zaGghkeN@yg11B=>J43sR=VWt3eEW6aop zi<%KQ`qRzG?AD!S&%9tJRMj)KCMx4MU%glIq?WpL>zBi}t6>gZ>0J11>4!|Hdg*rW zNX%yU{v*}FL`F7fDZ3H0=sx>tC7%v>RM;}lnAJ;Po>GWrTUxBJ5nFV8!e=R^V`5oN zd)it|_{NFMExT!oaweor_p+y^7&6IiBB(*f&PCzAO}p}yxWktlpB{VvR~ZiV!jARo z&2ub=Miqaac}wn>BSIhg+tuHQln0}^G5dw5$``!2_kq6nVE*_65U{O1b}A?_xH|H3c#csJX=RqEyKZGb4;h~Y|AMX_B1pX`YV>M z$LZJ4JPpv*TSkk_*q1Y$2RsWwW?<{pu2_s!wWZRe)W++GN{a{8Z22Y*S^>&@heldK z?Ob6G{U_y9nQ|`BtV~AJzUF31gSPA?E^TH*;dTS^{x21*y;`!QbhW8&s(lVtc;AAH zriR9D+^(u0Hk`11IGa@QIIm^3Hr2>EQ>CUiL@$t_as9#gbmZ{x(U@iKzTab4-uTJN z{Li^l z`pYB6AC&GWjBxmiKM0-|FD?Lo;0P>2WY2$YusML-|3?*pfY5%s*#*D(tM~m=?_bpg z0yrdX&)vg!<093()%I4vukqWG;1Y*m@>xqs*o~b>njw0Ptt;B`H3F*nsj`L3j(W>csp#9E(u)h+YLkw8wW){4YOLY{K(w!Y9Oqlh!F zNMt%Jrh1H|>ubpCrU>XXmdx9LW9NJD%f(kK(inDZ8uK*{y;YfT)WLxQQllm5QS#BB z<&H#u!8HvY!dgeuKDTfFg-X`Nt+- zvym5Roaq2K{EGPQk3UNY2%E3_Wve?8H{gF>Qnv@fd-$Jh=Rbcjo6X4a+wxqKJl+IfRK1s-27N#&+m%9}=wlOs(wFiFR82YAD5>~(e zdo9}i94KKS3~fYS6iE$TDPRHR>gs80^R|f*k+Du95YVW|ug<&IGznx-a@*7;FSZY> zw0~E<9lEO7KqvIC(A(ewqc(H%oGK)dtbu5oZ?9KS!ypaF_@(kb!&pL*_Si!v1&Hhp zAySie<)-`TtAYdjd`%%tT{+BsLXgFyEUeb&&Y(VAlvU*&%hmypb#2~csQk~!{)qz# zC+{}(Y-Vo8Z|6~*Yu}&pQgI21s=4rZ+aKLynTraL8GA-5iWeFMMUaWSs-7`O9}Thr`Q6EO*?xVbnd^r!L)3&VxhEf>3qb9)caBR%j~ z#AbCYWOlM!d?6x}hL`5rNubXEL-`EPI2yY?l~ZJgr7@3!3?3z=QPK+U&_)D@T3UKS zPBc-7`@H0uT8d zsp|z(Co!viM=Xh*azPv5nW_mSha+GlN3Age=J=!nq8yxaM^h!`=o^WqmcaAR)b+g@ z5Badd+k1)v$Faqn?)MJn6hfa;pFQgAxo0u?9UrQn|0?op-u!TMm6>se2Z08b%mH42ja zy{owktRRIqFGd%)PZEgtu=MGX(`3@NPN846mcXuWbee7bJS6dk$6-T%>9O*+^ilJ) zPpE&)G|=9z30S>Rz$uf+t=p`VRq0b+S-FTivdy9gdA!hjmTBaNbM3B;7)aP7SEnFd zez12v(g7+f-2=8^>f=H|l-Rjx zku97IJtlJ~t|ZbwzU!5&J$$KMQU7H(1?TN!o}39$hW-lIV~#-}34cu>oUBGNuOrK+ z%J0IdJW+-6@n-Ct5 z-TvXmjzatDU_bCmJMCRI$YFg4F z)i7`rC>z4LkPSJnu8zeOdVJR0cz8@NC5Xe(70Qal!zgb=_s z42xu0(sk@mw>_j)`@!kEk+SULJF*->x#{2~kqB#kb*#MNC5o->j2|%*W2R<(eBROc z9wNof06pmdm=r3h0mB~d5iF!2%XP@N`Rq>1A#6isSd2a5XSX>@xM>=FcNj}n%EunN z*570bb9jqc-#FOCb1-Y&NjSk9(7dPv4Qzzj&}lHHh1s#A`b3kC~R)@ZIcC=9tbYV>UH$Jh!G;?!AIN z1J-uGJ~gvQzSqq9#JY+}Vp!K0N0j?-Y7zl<>2Rl*-Vad68f&e9eYGOqT-DbD2{{Zy zP|r50$uZg{Zx!XbC|>ADo1g4w(>w;>+vk|opNEINnpbaMwOZcdUbi=u7Dk&Ua`mv% z4A9^Y6l#r-6(J%T+$Z#LS_^Fzy_M`peu}1`2Y9;+HsAIjqe`}lorQciFFX4g{ZAPAr^`h@du;egwI0A!}W(1SvQE}pqqpZ(au-WtJzE@Losn!0mg~^FPpiiE7 zEP}SxNy9NWi)=6tK-Jo_?U%e>&h5r$AsrHs}FdhHvKp~BUk#<`mxmKuL4V!$tG}JodSUNzb$&p`WG!-k9 zNfhW>IuZ(;m8n=_U7jG5*8)%7eYw6wTMD_j&_+sIjL*}4rE7X+W35fdTx(gk#soRD zN&j$PCH$;UAv_LK^@neTF`s(Y#kJ*rro*ubp?KmK@uwT+OnRNKG`G{HB22AT%EcfK z&NppTuKq?*m3HJ^EGo2VBE4XnazFioK8|T)t;>N3cdnKb27Q;_9%QxS%kKRqY&kUPLgR(O=JwbNbDJdqUD)#=YE!rPWmnH0&QzF662J|~oF()Q& ztvcGwb3&FJ?(N!2weOI1F%3zlap#9F&u_rG?iBHsBHR} zn5rK40#^C4D8H*g55>$Z+YRb3W?f8vv!v97Q{)h>D5=u;EWKvrDePTTnG$iwER1@G zdf+W7Y_8CIn#s$?Dcztg2|sl=ZqLC8N1@ijr@xk(=nd06TQ0NgwgqNw4(5U8@J5e{ zqq}%7r8~hQAAN)Gw2#9AQH*U|h2%W9vE{SWIAmQbJN@-=uhtFKMylE;zEE>xeU%&P zYv10wC&^RFD7|S(>DTue&!ADyNa+ZYzNDI?WuVl=OqYT!QlP_Jigf$-@VG?%s+tVg zMwR9wU9T){bU>z58<@ONB)s5ku3Z}D@$fT>Wgn2IBK{CMmtx|5Mb&l)7^iI3ERQ$H z9$|_1>%TsE>33=(!5HAzNqrV+`p7LfvqVF* zWvYV9saEHNvrGpo2_Rlk)}qs!Vgar?*r}T@EssGtqywAOPVL7JSC+h6E$M%t^0wir zy%?RYOj+^Ju^lZGd}W3y86X#FelV4&Q9UcrVo=SMuui{F#-(3=G$$ddZWCEFKO|R0 z*%)*|$*%o?dn3oj$fTT>T1EyBQKe~t&gWF(L}&&eq&t2jYSVvxv znc?z>QI%C^sV?3|f_v(RLx-RWZBkfv?Onwlj=3&9QySx_dR>xQ>fQVSgtuX|OofGq zlSDl-ho5;qGR2~@WNucbGH^77LM4-=LOqiN=s*J`hT2#6j|>+(mxmKbre4?`Bj=if zPDW!)z!h{c-YtDJ*FP#dMeo_FPvUW?*No|P$2#qoNI-F(h|@Bx)`B|ee4++rD6!;d z!Ey|z)Q})NvxjQ?vt034jCl3~#^w8sd$0>_&dWeGYPJ_hM=>pk8?U?>G8`?HNRx?? zNYOFZyVn}$p9g_1@T=)cq5H9=sfF=?`$C9^!^!CkWMz#V$K$@t+Ulf!fxL=L1Lyj9 z6OBQ;H5%;bt9<&1b;jSilsCFFu%rqMmG{lF#T0Il)#q$sR$i>}Pi4f@`#0Z|=+LYYF;|1^RX9q87N{_) zXH0vg1Oy~Ar;Oqn!GUUE4eR&K%JkD6Qb$-fb&_#z#B$g2#5s=pEkRb^pY!G#_>H$G zNKLby>ZoiP=tdWhT4@<9^xgCz(6ukAm3CyK7zKn?-RJvWwN{0$J`?$pf1sg+$KC@_$UR@e~%>5)yF2l-lbAbiJFyqwy*xiSkU?tSJ?&e=X1CYNLFG z9sVPFR#o0<%{4D423SU4C7>iLl)HYOWR&rdF)3vjJ!)X){YXTSQNxX@^Csb-75d>% zGpD*_D?%F)=ZQrw#K^Ti1;=Pd735n)L7cljD6tg@&s92)PN`sEX)C4U& z0!wGqyO6|AY_D4IZ1XrKX2V9~nydv&Gp%!C?DV~AN7Rkww{#nV=`QJ^?paLIpnl6e z%`sR!A(s2MbO57qm~E3(#_-xpb-C*A#*DnIG)x7V38IE;!)Yx+A9coXBvMWtz38_i zUnFa+81UrzK4%@)Pc%Dhm`Rq!K64sX_ctgwh$+!4;+BbcoP50WJ+`o07Cin@Xxs9! zXo{8Xf}|qDD#mqy#(d)2UQmE{)UkqyL-APPV3hye*NOkCjdWNrm(%~VJN95 zlHXl?zc~-Fw?Pp>e<@`xf$a;yt&b}f;-!PuQ~n*BU$%fYbB79YNLh9%dI#>qHdu7HDjS|O|pdbjLQSqc(5qi6`qU^iG)n4D2ibGrn z5|NcG@ZzTMMalKf8|A0VbRJ1MDazUEm&kUpJVf;d_D;}qjlc(fKDYCJOl-T8)I#$P5Q}XI!KlH$q3;6qSf~3_hovuT+U`2uFI@ ze@9!UFU^?L>wI5WkKK$$RoqKe{24h@dzx?g*aMQb?w3lqP++9M=$ z+ZewBQS}tDxRF*FppmMF!J&E@Y}-v#n4C)yo-Thb*?3OsDBhu6QecxVw8GXvCmSeq zm!V#GScf(5_`5!L{R*ncb$uH_%aYxZh8${H5^8-rX1{Cs@QD;*s#^BFhPsqgMX6wg zM0GEL{^+S|ujXwZCx*@Z=ll6{ulD?NUchCfLT3;)`jzD-GBsCj--i(mHz7s3QWu&k zB?*6QMk4g+eN^+ILA_kV1)-2d34wd-bfFnswwPFGlXbIs?gAOdUOSm~A=BOc4 zI-zMo!n~72g9!O%8x$6qxh`zFl~h{odiC0+n9yQ_Pt=R6j0F_1wse2b!{5?v$t6n$ z6z;Q^4`9qQ7k9+2k!hg}lA;4{J2)Zp$%SN!EfS>=QR;8rBxK<6Q;x)1;3SH2kg4t^AbQ3Gio{Wnk`j+?Lv|1* zUayBdf`;H>{~rLy6N1A9{~KT4a1I%q^b$_~A25?2568HJ{|kVc$X;H;X$3p})DJiR zmmYx6GeG`5zw|R83G(8fGM>yAE>iHY-=IGMyzBZjJy@I#HH*o(ZT)?>u-u{gqiT=e1m%Igy zARzor{g*J$EgW9F!bxaco&wIGZh3~=dK+k#bvwuRvV|cM9y!x?g;4kXTb@IgaLB&g@7bOU42n+}~ zUs1li{`MzIX7ieL6@F&PLi#_g{+n4u4S@imy%R_MA3C}{6pQ~<@#XcT)oWHgli0Ks zSS!Ytw9``Hi$T%LR`*v*uhKP&AH)0q;UwsPa1{V2U4oO|{=@ix`T#!>82Il8@?TC# k5S|zJ7cczHbJux^;#1ce!YycK_A>$iO8^bw%PWNc1CG!hv;Y7A diff --git a/tests/policy_engine/test_policy.py b/tests/policy_engine/test_policy.py index b38346c22..507bd5af8 100644 --- a/tests/policy_engine/test_policy.py +++ b/tests/policy_engine/test_policy.py @@ -40,7 +40,7 @@ def test_eval_policy(database_setup) -> None: # type: ignore # pylint: disable= "component_satisfies_policy": [ [ "1", - "pkg:github.com/slsa-framework/slsa-verifier@fc50b662fcfeeeb0e97243554b47d9b20b14efac", + "pkg:github.com/slsa-framework/slsa-verifier@v2.6.0", "trusted_builder", ] ], @@ -48,12 +48,12 @@ def test_eval_policy(database_setup) -> None: # type: ignore # pylint: disable= "component_violates_policy": [ [ "1", - "pkg:github.com/slsa-framework/slsa-verifier@fc50b662fcfeeeb0e97243554b47d9b20b14efac", + "pkg:github.com/slsa-framework/slsa-verifier@v2.6.0", "aggregate_l4", ], [ "1", - "pkg:github.com/slsa-framework/slsa-verifier@fc50b662fcfeeeb0e97243554b47d9b20b14efac", + "pkg:github.com/slsa-framework/slsa-verifier@v2.6.0", "aggregate_l2", ], ],