feat: add a new check to report the build tool (#914)

This pull request adds a new check that identifies whether a supported build tool configuration exists in the associated source code repository of a software component.

Signed-off-by: behnazh-w <[email protected]>

Author: behnazh-w

docs/source/index.rst

@@ -53,6 +53,9 @@ the requirements that are currently supported by Macaron.
    * - Check ID
      - SLSA requirement
      - Concrete check
+   * - ``mcn_build_tool_1``
+     - **Build tool exists** - The source code repository includes configurations for a supported build tool used to produce the software component.
+     - Detect the build tool used in the source code repository to build the software component.
    * - ``mcn_build_script_1``
      - **Scripted build** - All build steps were fully defined in a “build script”.
      - Identify and validate build script(s).

src/macaron/slsa_analyzer/checks/build_tool_check.py

@@ -0,0 +1,85 @@
+# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""This module contains the implementation of the build tool detection check."""
+
+
+import logging
+
+from sqlalchemy import ForeignKey, String
+from sqlalchemy.orm import Mapped, mapped_column
+
+from macaron.database.table_definitions import CheckFacts
+from macaron.slsa_analyzer.analyze_context import AnalyzeContext
+from macaron.slsa_analyzer.checks.base_check import BaseCheck, CheckResultType
+from macaron.slsa_analyzer.checks.check_result import CheckResultData, Confidence, JustificationType
+from macaron.slsa_analyzer.registry import registry
+from macaron.slsa_analyzer.slsa_req import ReqName
+
+logger: logging.Logger = logging.getLogger(__name__)
+
+
+class BuildToolFacts(CheckFacts):
+    """The ORM mapping for the facts collected by the build tool check."""
+
+    __tablename__ = "_build_tool_check"
+
+    #: The primary key.
+    id: Mapped[int] = mapped_column(ForeignKey("_check_facts.id"), primary_key=True)  # noqa: A003
+
+    #: The build tool name.
+    build_tool_name: Mapped[str] = mapped_column(String, nullable=False, info={"justification": JustificationType.TEXT})
+
+    #: The language of the artifact built by build tool.
+    language: Mapped[str] = mapped_column(String, nullable=False, info={"justification": JustificationType.TEXT})
+
+    __mapper_args__ = {
+        "polymorphic_identity": "_build_tool_check",
+    }
+
+
+class BuildToolCheck(BaseCheck):
+    """This check detects the build tool used in the source code repository to build the software component."""
+
+    def __init__(self) -> None:
+        """Initialize instance."""
+        check_id = "mcn_build_tool_1"
+        description = "Detect the build tool used in the source code repository to build the software component."
+        depends_on: list[tuple[str, CheckResultType]] = [("mcn_version_control_system_1", CheckResultType.PASSED)]
+        eval_reqs = [ReqName.SCRIPTED_BUILD]
+        super().__init__(check_id=check_id, description=description, depends_on=depends_on, eval_reqs=eval_reqs)
+
+    def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
+        """Implement the check in this method.
+
+        Parameters
+        ----------
+        ctx : AnalyzeContext
+            The object containing processed data for the target repo.
+
+        Returns
+        -------
+        CheckResultData
+            The result of the check.
+        """
+        if not ctx.component.repository:
+            logger.info("Unable to find a Git repository for %s", ctx.component.purl)
+            return CheckResultData(result_tables=[], result_type=CheckResultType.FAILED)
+
+        build_tools = ctx.dynamic_data["build_spec"]["tools"]
+        if not build_tools:
+            return CheckResultData(result_tables=[], result_type=CheckResultType.FAILED)
+
+        result_tables: list[CheckFacts] = []
+        for tool in build_tools:
+            result_tables.append(
+                BuildToolFacts(build_tool_name=tool.name, language=tool.language.value, confidence=Confidence.HIGH)
+            )
+
+        return CheckResultData(
+            result_tables=result_tables,
+            result_type=CheckResultType.PASSED,
+        )
+
+
+registry.register(BuildToolCheck())

src/macaron/slsa_analyzer/registry.py

@@ -147,9 +147,10 @@ def _validate_check(check: Any) -> bool:
             True if check is valid, else False.
         """
         if not isinstance(check, BaseCheck):
+            class_name = check.__name__ if isinstance(check, type) else type(check).__name__
             logger.error(
-                "The registered Check is of type %s. Please register a child class of BaseCheck.",
-                type(check).__name__,
+                "The registered Check %s is not a valid instance of BaseCheck.",
+                class_name,
             )
             return False
 

tests/integration/cases/facebook_yoga_yarn_classic/policy.dl

@@ -8,6 +8,9 @@ Policy("test_policy", component_id, "") :-
     check_passed(component_id, "mcn_build_script_1"),
     check_passed(component_id, "mcn_build_service_1"),
     check_passed(component_id, "mcn_version_control_system_1"),
+    check_passed(component_id, "mcn_build_tool_1"),
+    build_tool_check(yarn_id, "yarn", "javascript"),
+    check_facts(yarn_id, _, component_id,_,_),
     check_failed(component_id, "mcn_infer_artifact_pipeline_1"),
     check_failed(component_id, "mcn_provenance_available_1"),
     check_failed(component_id, "mcn_provenance_derived_commit_1"),

tests/integration/cases/google_guava/policy.dl

@@ -12,6 +12,9 @@ Policy("test_policy", component_id, "") :-
     // the logic in the mcn_infer_artifact_pipeline_1 check.
     check_failed(component_id, "mcn_infer_artifact_pipeline_1"),
     check_passed(component_id, "mcn_version_control_system_1"),
+    check_passed(component_id, "mcn_build_tool_1"),
+    build_tool_check(maven_id, "maven", "java"),
+    check_facts(maven_id, _, component_id,_,_),
     check_failed(component_id, "mcn_provenance_available_1"),
     check_failed(component_id, "mcn_provenance_derived_commit_1"),
     check_failed(component_id, "mcn_provenance_derived_repo_1"),

tests/integration/cases/jackson_databind_with_purl_and_no_deps/jackson-databind.dl

@@ -8,6 +8,9 @@ Policy("test_policy", component_id, "") :-
     check_passed(component_id, "mcn_build_script_1"),
     check_passed(component_id, "mcn_build_service_1"),
     check_passed(component_id, "mcn_version_control_system_1"),
+    check_passed(component_id, "mcn_build_tool_1"),
+    build_tool_check(maven_id, "maven", "java"),
+    check_facts(maven_id, _, component_id,_,_),
     check_failed(component_id, "mcn_infer_artifact_pipeline_1"),
     check_failed(component_id, "mcn_provenance_available_1"),
     check_failed(component_id, "mcn_provenance_derived_commit_1"),

tests/integration/cases/micronaut-projects_micronaut-test/micronaut-test.dl

@@ -10,6 +10,9 @@ Policy("test_policy", component_id, "") :-
     check_passed(component_id, "mcn_version_control_system_1"),
     check_passed(component_id, "mcn_provenance_available_1"),
     check_passed(component_id, "mcn_provenance_derived_repo_1"),
+    check_passed(component_id, "mcn_build_tool_1"),
+    build_tool_check(gradle_id, "gradle", "java"),
+    check_facts(gradle_id, _, component_id,_,_),
     check_passed(component_id, "mcn_provenance_level_three_1"),
     check_failed(component_id, "mcn_infer_artifact_pipeline_1"),
     check_failed(component_id, "mcn_provenance_derived_commit_1"),

tests/integration/cases/slsa-framework_slsa-verifier/policy.dl

@@ -9,6 +9,9 @@ Policy("test_policy", component_id, "") :-
     check_passed(component_id, "mcn_build_service_1"),
     check_passed(component_id, "mcn_trusted_builder_level_three_1"),
     check_passed(component_id, "mcn_version_control_system_1"),
+    check_passed(component_id, "mcn_build_tool_1"),
+    build_tool_check(go_id, "go", "go"),
+    check_facts(go_id, _, component_id,_,_),
     check_passed(component_id, "mcn_provenance_available_1"),
     check_passed(component_id, "mcn_provenance_derived_commit_1"),
     check_passed(component_id, "mcn_provenance_derived_repo_1"),

tests/integration/cases/timyarkov_docker_test/policy.dl

@@ -8,6 +8,9 @@ Policy("test_policy", component_id, "") :-
     check_passed(component_id, "mcn_build_script_1"),
     check_passed(component_id, "mcn_build_service_1"),
     check_passed(component_id, "mcn_version_control_system_1"),
+    check_passed(component_id, "mcn_build_tool_1"),
+    build_tool_check(docker_id, "docker", "docker"),
+    check_facts(docker_id, _, component_id,_,_),
     check_failed(component_id, "mcn_infer_artifact_pipeline_1"),
     check_failed(component_id, "mcn_provenance_available_1"),
     check_failed(component_id, "mcn_provenance_derived_commit_1"),

tests/integration/cases/timyarkov_multibuild_test_maven/policy.dl

@@ -8,6 +8,11 @@ Policy("test_policy", component_id, "") :-
     check_passed(component_id, "mcn_build_script_1"),
     check_passed(component_id, "mcn_build_service_1"),
     check_passed(component_id, "mcn_version_control_system_1"),
+    check_passed(component_id, "mcn_build_tool_1"),
+    build_tool_check(gradle_id, "gradle", "java"),
+    check_facts(gradle_id, _, component_id,_,_),
+    build_tool_check(maven_id, "maven", "java"),
+    check_facts(maven_id, _, component_id,_,_),
     check_failed(component_id, "mcn_infer_artifact_pipeline_1"),
     check_failed(component_id, "mcn_provenance_available_1"),
     check_failed(component_id, "mcn_provenance_derived_commit_1"),