Unintuitive behavior of the provenance expectation check
Reproduction
We use the macaron analyze command under the use case of "user providing both a PackageURL to identify a software component and a repo URL explicitly".
```shell
macaron analyze \
  --package-url pkg:maven/io.micronaut/[email protected] \
  --repo-path https://github.com/micronaut-projects/micronaut-test \
  --digest 0a43363f7562534063e06e3f2a328f09a066b547 \
  --skip-deps
```
Macaron then does not recognize the following expectation to correspond to the software component being analyzed:
```cue
{
    target: "pkg:maven/io.micronaut/[email protected]",
    predicate: {
        builder: {
            id: =~"^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml.*"
        }
    }
}
```
However, after removing the version part from the PURL in the target field, Macaron now recognizes this expectation to correspond to the software component.
```diff
{
- target: "pkg:maven/io.micronaut/[email protected]",
+ target: "pkg:maven/io.micronaut/micronaut-test",
```
This is undesirable from a user's perspective because it is not clear why the same PURL can be specified in the analyze command, but not in the expectation.
Cause
Macaron stores expectations for all analysis targets in a dictionary, in which each key is a PURL identifying a software component and each value is the corresponding provenance expectation for that software component.
Before a pair of (PURL, expectation) is added to this dictionary, the version part of the PURL (starting from the @ character) is stripped away from the PURL.
Other unexpected details
- This function: while its docstring says it takes a `repo_complete_name`, it takes PURLs in reality.
- The `target` column in the `Expectation` table seems to store a PURL, not the "full repository name" stated in the doc comment.
Thanks for reporting this issue. Part of this behavior is actually intended:
> However, after removing the version part from the PURL in the target field, Macaron now recognizes this expectation to correspond to the software component.
We don't want to require the version string to be specified in the expectation. Otherwise, the expectation file needs to be updated for each artifact version.
I wonder if we could provide a regex option to let users decide if they want to keep the target field version-agnostic.
It may look like this, where =~ is the Cue regex matching operator:
```cue
{
    target: =~"pkg:maven/io.micronaut/micronaut-test.*",
    ...
```
This may require changes to how the expectation is evaluated.