chore: fixes

Signed-off-by: Nathan Nguyen <[email protected]>

Author: nathanwn

src/macaron/artifact/maven.py

@@ -77,6 +77,11 @@ def package_url(self) -> PackageURL:
     def from_package_url(cls, package_url: PackageURL) -> Self | None:
         """Create a Maven artifact from a PackageURL.
 
+        Parameters
+        ----------
+        package_url : PackageURL
+            The PackageURL identifying a Maven artifact.
+
         Returns
         -------
         Self | None
@@ -111,7 +116,18 @@ def from_artifact_name(
         group_id: str,
         version: str,
     ) -> Self | None:
-        """Create a Maven artifact from a PackageURL.
+        """Create a Maven artifact given an artifact name.
+
+        The artifact type is determined based on the naming pattern of the artifact.
+
+        Parameters
+        ----------
+        artifact_name : str
+            The artifact name.
+        group_id : str
+            The group id.
+        version : str
+            The version
 
         Returns
         -------
@@ -159,8 +175,8 @@ def get_subject_in_provenance_matching_purl(
 
         Returns
         -------
-        InTotoV01Subject
-            The PackageURL identifying the matching subject.
+        InTotoV01Subject | InTotoV1ResourceDescriptor | None
+            The subject in the provenance matching the given PURL.
         """
         if (maven_artifact := MavenArtifact.from_package_url(purl)) and is_witness_provenance_payload(
             payload=provenance_payload,

src/macaron/database/table_definitions.py

@@ -584,8 +584,8 @@ def from_purl_and_provenance(
         Returns
         -------
         Self | None
-            A ``ProvenanceSubject`` entry with the SHA256 of the provenance subject matching the
-            given PURL.
+            A ``ProvenanceSubject`` entry with the SHA256 digest of the provenance subject
+            matching the given PURL.
         """
         subject_artifact_types: list[ProvenanceSubjectPURLMatcher] = [MavenSubjectPURLMatcher]
 

src/macaron/slsa_analyzer/analyzer.py

@@ -565,7 +565,7 @@ def add_component(
             purl = analysis_target.parsed_purl
 
         component = Component(
-            purl=purl.to_string(),
+            purl=str(purl),
             analysis=analysis,
             repository=repository,
         )

src/macaron/slsa_analyzer/checks/provenance_l3_content_check.py

@@ -58,10 +58,15 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
             logger.info("%s check was unable to find any expectations.", self.check_info.check_id)
             return CheckResultData(result_tables=[], result_type=CheckResultType.UNKNOWN)
 
-        if ctx.dynamic_data["provenance"] and expectation.validate(ctx.dynamic_data["provenance"]):
+        if ctx.dynamic_data["provenance"]:
+            if expectation.validate(ctx.dynamic_data["provenance"]):
+                return CheckResultData(
+                    result_tables=[expectation],
+                    result_type=CheckResultType.PASSED,
+                )
             return CheckResultData(
                 result_tables=[expectation],
-                result_type=CheckResultType.PASSED,
+                result_type=CheckResultType.FAILED,
             )
 
         package_registry_info_entries = ctx.dynamic_data["package_registries"]

src/macaron/slsa_analyzer/provenance/intoto/__init__.py

@@ -138,4 +138,16 @@ def get_subject_in_provenance_matching_purl(
         This function assumes there is only one such subject. If there are multiple
         such subjects, the first matching subject is returned. However, this should not
         happen since the PackageURL should be specific enough to identify a single subject.
+
+        Parameters
+        ----------
+        provenance_payload : InTotoPayload
+            The provenance payload.
+        purl : PackageURL
+            The PackageURL identifying the matching subject.
+
+        Returns
+        -------
+        InTotoV01Subject | InTotoV1ResourceDescriptor | None
+            The subject in the provenance matching the given PURL.
         """

src/macaron/vsa/vsa.py

@@ -179,7 +179,7 @@ def get_common_purl_from_artifact_purls(purl_strs: Iterable[str]) -> str | None:
 def create_vsa_statement(
     passed_components: dict[str, int],
     policy_content: str,
-) -> VsaStatement:
+) -> VsaStatement | None:
     """Construct the Statement layer of the VSA.
 
     Parameters
@@ -202,28 +202,40 @@ def create_vsa_statement(
     try:
         with Session(get_db_manager().engine) as session, session.begin():
             for purl, component_id in passed_components.items():
-                query = sqlalchemy.select(ProvenanceSubject).where(ProvenanceSubject.component_id == component_id)
                 try:
-                    provenance_subject = session.execute(query).scalars().one()
+                    provenance_subject = (
+                        session.execute(
+                            sqlalchemy.select(ProvenanceSubject).where(ProvenanceSubject.component_id == component_id)
+                        )
+                        .scalars()
+                        .one()
+                    )
                     sha256 = provenance_subject.sha256
-                    subject: dict[str, JsonType] = {
-                        "uri": purl,
-                    }
-                    if sha256:
-                        subject["digest"] = {
-                            "sha256": sha256,
-                        }
-                    subjects.append(subject)
-                except (sqlalchemy.orm.exc.NoResultFound, sqlalchemy.orm.exc.MultipleResultsFound) as e:
-                    logger.error(
+                except sqlalchemy.orm.exc.NoResultFound:
+                    sha256 = None
+                    logger.debug("No digest stored for software component '%s'.", purl)
+                except sqlalchemy.orm.exc.MultipleResultsFound as e:
+                    logger.debug(
                         "Unexpected database query result. "
-                        "Expected exactly one result when retrieving SHA256 of a provenance subject. "
+                        "Expected no more than one result when retrieving SHA256 of a provenance subject. "
                         "Error: %s",
                         e,
                     )
+                    continue
+
+                subject: dict[str, JsonType] = {
+                    "uri": purl,
+                }
+                if sha256:
+                    subject["digest"] = {
+                        "sha256": sha256,
+                    }
+
+                subjects.append(subject)
 
     except sqlalchemy.exc.SQLAlchemyError as error:
-        logger.critical("Database error %s", error)
+        logger.debug("Cannot retrieve hash digest of software components: %s.", error)
+        return None
 
     return VsaStatement(
         _type="https://in-toto.io/Statement/v1",

tests/artifact/test_maven.py

@@ -26,7 +26,7 @@
         pytest.param(
             "pkg:maven/com.fasterxml.jackson/[email protected]?type=sources",
             2,
-            id="purl for java sources artifact",
+            id="purl for java source artifact",
         ),
         pytest.param(
             "pkg:maven/com.fasterxml.jackson/[email protected]?type=pom",
@@ -119,7 +119,7 @@ def test_to_maven_artifact_subject(
                 version="2.9.9",
                 artifact_type=MavenArtifactType.JAVA_SOURCE,
             ),
-            id="purl for java sources artifact",
+            id="purl for java source artifact",
         ),
         pytest.param(
             "pkg:maven/com.fasterxml.jackson/[email protected]?type=pom",