refactor: accept provenance data in artifact pipeline check

[behnazh-w]

Refactoring the artifact pipeline detection check

• Renames mcn_infer_artifact_pipeline_1 to mcn_find_artifact_pipeline_1.
• This check can support all the package registries now.
• Modifies the check fact table schema by adding new columns and allowing some existing columns to be nullable. This change enables us to store the reasons for check failures, such as when a GitHub workflow run is deleted, which may result in some previous columns lacking values.
• Improve the heusristics, e.g., if an artifact is published before the corresponding code is committed, there cannot be a CI pipeline that triggered the publishing.
• This check depends on the deploy command identified by the mcn_build_as_code_1 check. If a deploy command is detected, this check will attempt to locate a successful CI pipeline that triggered the step containing the deploy command.
• When a verifiable provenance is found for an artifact, we use it to obtain the pipeline trigger. Otherwise, we use heuristics to find the triggering pipeline.

Improvements to mcn_build_as_code_1

• If a provenance is found, we obtain the workflow that has triggered the artifact release.
• Add support for Reusable GitHub Actions that perform automatic deployment. Since we do not analyze the external Reusable GitHub Actions, we use an allow list of approved Actions.
• A new function, infer_confidence_deploy_workflow is added to BaseBuildTool to infer the confidence for such Reusable workflows.

The store_inferred_build_info_results function

• Renamed store_inferred_provenance to store_inferred_build_info_results.
• To avoid confusion, we avoid using the term inferred provenance here and instead simplify store build related information in the context object provided to checks.
• CIInfo["provenances"] is also renamed to CIInfo["build_info_results"].

Provenance Extractor

• New abstractions added to the provenance extractor to reuse the logic for extracting information such as ProvenanceBuildDefinition and ProvenancePredicate. With these new abstractions, we don't need to hardcode the expected buildType value while processing a provenance.

find_publish_timestamp

• Added an API that can obtain the artifact timestamp for all the supported package registries.
• By default we use deps.dev to obtain the timestamp except for Maven artifacts because we have observed that Maven Central has more accurate results.
• Decoupled the Maven Central search API from the repository, making the hostname fully configurable to enable offline testing with a localhost server.

Tutorial and integration tests

• Changed the Detecting a malicious Java dependency uploaded manually to Maven Central tutorial to Detecting Java dependencies manually uploaded to Maven Central
• Used log4j-core artifact instead of guava, which has an automated deployment workflow.
• Fixed the integration tests and added a new one for log4j-core.

[tromai]

Should this entry belong to builder.maven.ci.deploy instead?

[tromai]

I wonder why did we decide to increase the publish time range ? (e.g in what case the time range of 3600 is not enough)

[tromai]

Should we rename this file name to reflect the new name of the check ?

[tromai]

Does deps.dev have any reference about the format of this version field?. It would be good to include that here if that page is available.

[tromai]

If the default value of registry_url is https://api.devs.dev, could we make the type of this parameters registry_url: str = "https://api.devs.dev"?

[tromai]

The encode function here allows you to specify the set of safe characters that will not be encoded (see here). If we replace all / anyway, should we leverage this safe parameter?

[tromai]

If the timestamp value is already in ISO 8601 format, why do we need to perform extra modification on it before providing it to datetime.fromisoformat.

[tromai]

I wonder in what scenario OverflowError and OSError happens.
As far as I know, datetime.fromisoformat raises:

• TypeError if the input is not a string.
• ValueError if the date is in correct.

[tromai]

nit: Should we document this exception if it's not raise in this implementation ? 🤔

[tromai]

I have some comments on this file that we don't need to fix it in this PR:

• On line 249, we don't use the utility json extract method. We might need to consider replacing it.
• On line 233, we can consider updating the if conditions similar to this discussion - refactor: accept provenance data in artifact pipeline check #872 (comment)

[tromai]

purl_object.version has type str | None. If it's none the last query param would be 'v:None'. I don't think it has the same behavior as the old implementation. In the old implementation, if version is None, no extra query param is added. I wonder if this new behavior is intended?

[tromai]

It's mentioned in the PR description that CIInfo["provenances"] is also renamed to CIInfo["build_info_results"]. Are we planning to remove this provenances attribute here too?

[tromai]

Suggested change

	# or Reusable GitHub Action to be be a GitHubJobNode.
	if not isinstance(job, GitHubJobNode):
	continue
	# or Reusable GitHub Action to be a GitHubJobNode.
	if not isinstance(job, GitHubJobNode):
	continue

[tromai]

It might be good to document why we have two different way to extract the build type

• json_extract(statement["predicate"], ["buildType"], str)
• json_extract(statement["predicate"], ["buildDefinition", "buildType"], str)

[tromai]

A minor improvement could be that we differentiate between 2 cases that we raise an exception:

• There is no build definition, happens when ProvenancePredicate.get_build_type(statement) returns None.
• There is a build definition, but we don't have support for its value (the condition build_def.expected_build_type == build_type in the for loop never meet).

Right now we only raise one kind of exception message for both cases.

[tromai]

I wonder if these or some of these abstractions should be put within the package src/macaron/slsa_analyzer/provenance as they are closely related to the provenance format 🤔 ?
I think only find_build_def and get_build_type should remain here as a static function.

[tromai]

I think catching NotImplementedError here has a strong indication that the interface of find_publish_timestamp from subtype of PackageRegistry will raise NotImplementedError. I believe this is not the case because only Jfrog Maven registry will raise NotImplementedError. A better way to communicate this would be to explicitly skip running find_publish_timestamp if registry_info is of type JFrogMavenRegistry.

        for registry_info in ctx.dynamic_data["package_registries"]:
            if isinstance(registry_info.package_registry, JfrogMavenRegistry):
                # We currently don't support this.
                continue 
            if registry_info.build_tool.purl_type == ctx.component.type:
                try:
                    artifact_published_date = registry_info.package_registry.find_publish_timestamp(ctx.component.purl)
                    break
                except InvalidHTTPResponseError as error:
                    logger.debug(error)

What do you think?

This is because I think NotImplementedError should only be raised when we mistakenly call a method that is not implemented (similar to an unexpected critical error).

[tromai]

Should we remove these 2 lines as this is a concrete method 🤔 ?
The same comment applies for SLSAGithubActionsBuildDefinitionV1.get_build_invocation

[tromai]

I'm not clear about the difference between invocation URL and identifier. Does it mean that if the second element of the returned tuple is not None, it could be an URL or an arbitrary string as the "identifier" of the workflow run?

[tromai]

Suggested change

	logger.debug("Artifact published at %s is older than 410 days.", timestamp)
	logger.debug("Artifact published at %s is older than 400 days.", timestamp)

[tromai]

I have finished my review. Thanks.
Overall, there isn't any major changes needs. Most of my comments are for minor improvements/nit picking.