Skip to content

feat: add pypi attestation discovery#1067

Merged
benmss merged 15 commits into
mainfrom
947-discover-pypi-attestation
May 12, 2025
Merged

feat: add pypi attestation discovery#1067
benmss merged 15 commits into
mainfrom
947-discover-pypi-attestation

Conversation

@benmss

@benmss benmss commented Apr 24, 2025

Copy link
Copy Markdown
Contributor

Summary

This PR adds discovery of PyPI attestation. URLs to these attestation files are sought via the deps.dev API.

Description of changes

  • DepsDevRepoFinder was updated to use the DepsDevService, ensuring consistent and easily configurable use of the API
  • Tests were added for DepsDevRepoFinder functions (they were not added previously), including for the functions that PyPI attestation discovery relies upon.
  • PyPI attestations do not have a predicate. The pypi-attestation is used to extract information from the attestation certificate. This information is coerced into a predicate for use elsewhere within Macaron.
  • Addition of an integration test case using the ultralytics Python library as its target.

Related issues

Closes #947

@benmss benmss self-assigned this Apr 24, 2025
@oracle-contributor-agreement oracle-contributor-agreement Bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Apr 24, 2025
@benmss benmss force-pushed the 947-discover-pypi-attestation branch 2 times, most recently from 2df212b to 6d7cf95 Compare April 24, 2025 06:31
@benmss benmss marked this pull request as ready for review April 24, 2025 13:00
@benmss benmss requested review from behnazh-w and tromai as code owners April 24, 2025 13:00
tromai
tromai reviewed Apr 29, 2025
View reviewed changes
Comment thread src/macaron/provenance/provenance_extractor.py
tromai
tromai reviewed Apr 30, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/package_registry/deps_dev.py Outdated
tromai
tromai reviewed May 2, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/provenance/loader.py
tromai
tromai reviewed May 2, 2025
View reviewed changes
Comment thread src/macaron/provenance/provenance_finder.py Outdated
tromai
tromai reviewed May 2, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/package_registry/deps_dev.py Outdated
tromai
tromai reviewed May 2, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/package_registry/deps_dev.py Outdated
tromai
tromai reviewed May 2, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/package_registry/deps_dev.py Outdated
tromai
tromai reviewed May 2, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/package_registry/deps_dev.py Outdated
tromai
tromai reviewed May 2, 2025
View reviewed changes
Comment thread src/macaron/repo_finder/repo_finder_deps_dev.py Outdated
tromai
tromai reviewed May 2, 2025
View reviewed changes
Comment thread src/macaron/repo_finder/repo_finder_deps_dev.py
tromai
tromai reviewed May 2, 2025
View reviewed changes
Comment thread src/macaron/repo_finder/repo_finder_deps_dev.py
tromai
tromai reviewed May 2, 2025
View reviewed changes
Comment thread src/macaron/repo_finder/repo_finder_deps_dev.py
tromai
tromai reviewed May 6, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/provenance/loader.py Outdated
tromai
tromai reviewed May 6, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/provenance/loader.py
tromai
tromai reviewed May 6, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/provenance/loader.py Outdated
tromai
tromai reviewed May 6, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/provenance/loader.py Outdated
tromai
tromai reviewed May 6, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/provenance/loader.py Outdated
tromai
tromai reviewed May 6, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/provenance/loader.py Outdated
tromai
tromai reviewed May 6, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/provenance/loader.py Outdated
tromai
tromai reviewed May 6, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/provenance/loader.py Outdated
tromai
tromai reviewed May 7, 2025
View reviewed changes
Comment thread tests/repo_finder/test_repo_finder_deps_dev.py
tromai
tromai reviewed May 7, 2025
View reviewed changes
Comment thread tests/repo_finder/test_repo_finder_deps_dev.py Outdated
tromai
tromai reviewed May 7, 2025
View reviewed changes
Comment thread tests/repo_finder/test_repo_finder_deps_dev.py Outdated
tromai
tromai suggested changes May 7, 2025
View reviewed changes

@tromai tromai left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have finished my round of review. Thank you.

tromai
tromai reviewed May 8, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/provenance/loader.py Outdated
tromai
tromai previously approved these changes May 9, 2025
View reviewed changes

@tromai tromai left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks for addressing the feedbacks.

behnazh-w
behnazh-w previously approved these changes May 12, 2025
View reviewed changes
@benmss benmss force-pushed the 947-discover-pypi-attestation branch from aee8b44 to 2620a0a Compare May 12, 2025 07:24
benmss added 15 commits May 12, 2025 20:22
@benmss
feat: add pypi attestation discovery
8db88a2 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: keep encoding of purls consistent
53d5807 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: add config to repo finder tests
8797d7a 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: use SplitResult type hint
b6b7fd3 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: replace library used for x509 extraction
c670305 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: update pyproject.toml
b2cfab1 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: remove comment
4944928 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: address PR feedback
198c853 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: minor fix
446b1b4 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: minor fix
b78a06d 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: add custom predicate doc string
424a44c 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: address PR feedback
0d7280a 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: add example PURL endpoint
25d0efb 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: fix predicate check
545a603 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: remove github attestation related change
57f4346 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss benmss dismissed stale reviews from behnazh-w and tromai via 57f4346 May 12, 2025 10:24
@benmss benmss force-pushed the 947-discover-pypi-attestation branch from 2620a0a to 57f4346 Compare May 12, 2025 10:24
@benmss benmss merged commit 4b20c18 into main May 12, 2025
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@behnazh-w behnazh-w behnazh-w approved these changes

+1 more reviewer

@tromai tromai tromai approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@benmss benmss

Labels

OCA Verified All contributors have signed the Oracle Contributor Agreement.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Obtain PyPI Publish Attestation

3 participants

@benmss @behnazh-w @tromai