chore: minor fixes

Signed-off-by: Ben Selwyn-Smith <[email protected]>

Author: benmss

src/macaron/repo_finder/repo_finder.py

@@ -111,6 +111,8 @@ def find_repo(
     logger.debug("Analyzing %s with Repo Finder: %s", purl, type(repo_finder))
     found_repo, outcome = repo_finder.find_repo(purl)
 
+    print(package_registries_info)
+
     if not found_repo:
         found_repo, outcome = find_repo_alternative(purl, outcome, package_registries_info)
 
@@ -166,7 +168,12 @@ def find_repo_alternative(
         found_repo, outcome = repo_finder_pypi.find_repo(purl, package_registries_info)
 
     if not found_repo:
-        logger.debug("Could not find repository using type specific (%s) methods for PURL: %s", purl.type, purl)
+        logger.debug(
+            "Could not find repository using type specific (%s) methods for PURL %s. Outcome: %s",
+            purl.type,
+            purl,
+            outcome,
+        )
 
     return found_repo, outcome
 

src/macaron/repo_finder/repo_finder_pypi.py

@@ -8,8 +8,8 @@
 
 from macaron.repo_finder.repo_finder_enums import RepoFinderInfo
 from macaron.repo_finder.repo_validator import find_valid_repository_url
-from macaron.slsa_analyzer.package_registry import PyPIRegistry
-from macaron.slsa_analyzer.package_registry.pypi_registry import find_or_create_pypi_asset
+from macaron.slsa_analyzer.package_registry import PACKAGE_REGISTRIES, PyPIRegistry
+from macaron.slsa_analyzer.package_registry.pypi_registry import PyPIPackageJsonAsset, find_or_create_pypi_asset
 from macaron.slsa_analyzer.specs.package_registry_spec import PackageRegistryInfo
 
 logger: logging.Logger = logging.getLogger(__name__)
@@ -44,14 +44,21 @@ def find_repo(
             ),
             None,
         )
-
-    if not pypi_info:
-        return "", RepoFinderInfo.PYPI_NO_REGISTRY
+        if not pypi_info:
+            return "", RepoFinderInfo.PYPI_NO_REGISTRY
 
     if not purl.version:
         return "", RepoFinderInfo.NO_VERSION_PROVIDED
 
-    pypi_asset = find_or_create_pypi_asset(purl.name, purl.version, pypi_info)
+    # Create the asset.
+    if pypi_info:
+        pypi_asset = find_or_create_pypi_asset(purl.name, purl.version, pypi_info)
+    else:
+        # If this function has been reached via find-source, we do not store the asset.
+        pypi_registry = next((registry for registry in PACKAGE_REGISTRIES if isinstance(registry, PyPIRegistry)), None)
+        if not pypi_registry:
+            return "", RepoFinderInfo.PYPI_NO_REGISTRY
+        pypi_asset = PyPIPackageJsonAsset(purl.name, purl.version, False, pypi_registry, {})
 
     if not pypi_asset:
         # This should be unreachable, as the pypi_registry has already been confirmed to be of type PyPIRegistry.

src/macaron/slsa_analyzer/analyzer.py

@@ -76,8 +76,13 @@
 from macaron.slsa_analyzer.package_registry import PACKAGE_REGISTRIES, MavenCentralRegistry, PyPIRegistry
 from macaron.slsa_analyzer.package_registry.pypi_registry import find_or_create_pypi_asset
 from macaron.slsa_analyzer.provenance.expectations.expectation_registry import ExpectationRegistry
-from macaron.slsa_analyzer.provenance.intoto import InTotoPayload, InTotoV01Payload
-from macaron.slsa_analyzer.provenance.loader import load_provenance_payload
+from macaron.slsa_analyzer.provenance.intoto import (
+    InTotoPayload,
+    InTotoV01Payload,
+    ValidateInTotoPayloadError,
+    validate_intoto_payload,
+)
+from macaron.slsa_analyzer.provenance.loader import decode_provenance
 from macaron.slsa_analyzer.provenance.slsa import SLSAProvenanceData
 from macaron.slsa_analyzer.registry import registry
 from macaron.slsa_analyzer.specs.ci_spec import CIInfo
@@ -1102,9 +1107,13 @@ def get_github_attestation_payload(
         if not git_attestation_list:
             return None
 
-        git_attestation: str = git_attestation_list[0]
+        payload = decode_provenance(git_attestation_list[0])
 
-        return load_provenance_payload(git_attestation)
+        try:
+            return validate_intoto_payload(payload)
+        except ValidateInTotoPayloadError as error:
+            logger.debug("Invalid attestation payload: %s", error)
+            return None
 
     def _determine_git_service(self, analyze_ctx: AnalyzeContext) -> BaseGitService:
         """Determine the Git service used by the software component."""

src/macaron/slsa_analyzer/provenance/loader.py

@@ -80,15 +80,33 @@ def _load_provenance_file_content(
         try:
             decompressed_file_content = gzip.decompress(file_content)
             decoded_file_content = decompressed_file_content.decode()
-            provenance = json.loads(decoded_file_content)
+            return decode_provenance(json.loads(decoded_file_content))
         except (gzip.BadGzipFile, EOFError, zlib.error):
             decoded_file_content = file_content.decode()
-            provenance = json.loads(decoded_file_content)
+            return decode_provenance(json.loads(decoded_file_content))
     except (json.JSONDecodeError, TypeError, UnicodeDecodeError) as error:
         raise LoadIntotoAttestationError(
             "Cannot deserialize the file content as JSON.",
         ) from error
 
+
+def decode_provenance(provenance: dict) -> dict[str, JsonType]:
+    """Find and decode the provenance payload.
+
+    Parameters
+    ----------
+    provenance: dict
+        The contents of the provenance from which the payload will be decoded.
+
+    Returns
+    -------
+    The decoded payload.
+
+    Raises
+    ------
+    LoadIntotoAttestationError
+        If the payload could not be decoded.
+    """
     # The GitHub Attestation stores the DSSE envelope in `dsseEnvelope` property.
     dsse_envelope = provenance.get("dsseEnvelope", None)
     if dsse_envelope:

tests/integration/cases/github_pypi_attestation/policy.dl

@@ -7,4 +7,4 @@ Policy("test_policy", component_id, "") :-
     check_passed(component_id, "mcn_provenance_available_1").
 
 apply_policy_to("test_policy", component_id) :-
-    is_component(component_id, "pkg:pypi/toga@0.5.0").
+    is_component(component_id, "pkg:pypi/toga@0.4.8").