oracle · behnazh-w · Apr 8, 2025 · Mar 11, 2025 · Mar 11, 2025 · Mar 12, 2025
@@ -0,0 +1,60 @@
+---
+name: Bug Report
+about: Report a bug or unexpected behavior in Macaron.
+title: "[Bug] - [Describe Issue]"
+labels: bug, triage
+assignees: ''
+---
+
+### Description
+Please provide a clear and concise description of the issue you're experiencing with Macaron. Be as detailed as possible about the problem.
+
+### Steps to Reproduce
+Please list the steps required to reproduce the issue:
+
+1. **Step 1**: [Describe the first step]
+2. **Step 2**: [Describe the second step]
+3. **Step 3**: [Describe the third step]
+4. [Continue adding steps if necessary]
+
+### Expected Behavior
+What were you expecting to happen?
+
+### Actual Behavior
+What actually happened? Please include any error messages, logs, or unexpected behavior you observed.
+
+### Debug Information
+Please run the command again with the `--verbose` [option](https://oracle.github.io/macaron/pages/cli_usage/index.html#cmdoption-v) to provide debug information. This will help us diagnose the issue more effectively. You can add this option to the command like this:
+
+```shell
+./run_macaron.sh --verbose [other options]
+```
+
+Attach the debug output here if possible.
+
+### Environment Information
+To assist with troubleshooting, please provide the following information about your environment:
+
+Operating System: (e.g., Ubuntu 20.04, macOS 11.2)
+
+CPU architecture information (e.g., x86-64 (AMD64))
+
+Bash Version: (Run bash --version to get the version)
+
+Docker or Podman Version: (Run docker --version to get the version)
+
+If you are using Macaron as a Python package, please indicate that in your environment details and specify the Python version you are using.
+
+Macaron version or commit hash where the issue occurs.
+
+Additional Information: (Any other relevant details, such as hardware or network environment, such as proxies)
+
+### Screenshots or Logs
+If applicable, please provide screenshots or logs that illustrate the bug.
+
+### Additional Information
+Any other information that might be useful to identify or fix the bug. For example:
+
+Any steps that worked around the issue
+
+Specific configurations or files that may be relevant
@@ -0,0 +1,11 @@
+# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+blank_issues_enabled: false
+contact_links:
+- name: GitHub Discussions
+  url: https://github.com/oracle/macaron/discussions
+  about: Please ask and answer questions here.
+- name: Security Reports
+  url: https://github.com/oracle/macaron/blob/main/SECURITY.md
+  about: Please report security vulnerabilities following the instructions.
@@ -0,0 +1,16 @@
+---
+name: Feature Request
+about: Suggest a new feature or enhancement for Macaron.
+title: "[Feature Request] - [Describe Feature]"
+labels: enhancement, feature
+assignees: ''
+
+---
+
+### Description
+Please provide a clear and concise description of the feature or enhancement you'd like to see in Macaron. Explain why it would be useful and how it could improve the tool.
+
+### Proposed Feature
+What functionality or feature would you like to add to Macaron? Please describe it in detail.
+
+### Use Case
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 # This configuration file enables Dependabot version updates.
@@ -16,7 +16,7 @@ updates:
     prefix-development: chore
     include: scope
   open-pull-requests-limit: 13
-  target-branch: staging
+  target-branch: main
   # Add additional reviewers for PRs opened by Dependabot. For more information, see:
   # https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers
   # reviewers:
@@ -31,7 +31,7 @@ updates:
     prefix-development: chore
     include: scope
   open-pull-requests-limit: 13
-  target-branch: staging
+  target-branch: main
   # Add additional reviewers for PRs opened by Dependabot. For more information, see:
   # https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers
   # reviewers:
@@ -46,7 +46,7 @@ updates:
     prefix-development: chore
     include: scope
   open-pull-requests-limit: 13
-  target-branch: staging
+  target-branch: main
   # Add additional reviewers for PRs opened by Dependabot. For more information, see:
   # https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers
   # reviewers:

@@ -0,0 +1,12 @@
+## Checklist
+<!-- Go over following points. check them with an `x` if they do apply, (they turn into clickable checkboxes once the PR is submitted, so no need to do everything at once)
+
+-->
+
+- [ ] I have reviewed the [contribution guide](../CONTRIBUTING.md).
+- [ ] My PR title and commits follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) convention.
+- [ ] My commits include the "Signed-off-by" line.
+- [ ] I have signed my commits following the instructions provided by [GitHub](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits). Note that we run [GitHub's commit verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) tool to check the commit signatures. A green `verified` label should appear next to **all** of your commits on GitHub.
+- [ ] I have updated the relevant documentation, if applicable.
+- [ ] I have tested my changes and verified they work as expected.
+- [ ] I have referenced the issue(s) this pull request solves.
@@ -1,7 +1,7 @@
-# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
-# Automatically rebase one staging branch on top of main after a new package version was published.
+# Automatically rebase main branch on top of release after a new package version is published.
 
 name: Rebase branch
 on:

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 # Run CodeQL over the package. For more configuration options see codeql/codeql-config.yaml
@@ -9,11 +9,11 @@ on:
   push:
     branches:
     - main
-    - staging
+    - release
   pull_request:
     branches:
     - main
-    - staging
+    - release
   schedule:
   - cron: 20 15 * * 3
 permissions:

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 # We run checks on pushing to the specified branches.
@@ -9,7 +9,7 @@ on:
   push:
     branches:
     - main
-    - staging
+    - release
 permissions:
   contents: read
 env:
@@ -28,11 +28,11 @@ jobs:
       contents: read
       packages: read
 
-  # On pushes to the 'main' branch create a new release by bumping the version
+  # On pushes to the 'release' branch create a new release by bumping the version
   # and generating a change log. That's the new bump commit and associated tag.
   bump:
     needs: check
-    if: github.ref == 'refs/heads/main'
+    if: github.ref == 'refs/heads/release'
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -72,26 +72,26 @@ jobs:
         git push
         git push --tags
 
-  # After the bump commit was pushed to the main branch, rebase the staging branch
-  # (to_head argument) on top of the new main branch (from_base argument), to keep
+  # After the bump commit was pushed to the release branch, rebase the main branch
+  # (to_head argument) on top of the release branch (from_base argument), to keep
   # the histories of both branches in sync.
-  rebase_staging:
+  rebase_main:
     needs: [bump]
-    name: Rebase staging branch on main
+    name: Rebase main branch on release
     uses: ./.github/workflows/_generate-rebase.yaml
     permissions:
       contents: read
     with:
-      to_head: staging
-      from_base: origin/main
+      to_head: main
+      from_base: origin/release
       git_user_name: behnazh-w
       git_user_email: [email protected]
     secrets:
       REPO_ACCESS_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }}
 
   # When triggered by the version bump commit, build the package and publish the release artifacts.
   build:
-    if: github.ref == 'refs/heads/main' && startsWith(github.event.commits[0].message, 'bump:')
+    if: github.ref == 'refs/heads/release' && startsWith(github.event.commits[0].message, 'bump:')
     uses: ./.github/workflows/_build.yaml
     permissions:
       contents: read

@@ -176,6 +176,7 @@ tests/slsa_analyzer/build_tool/mock_repos/gradle_repos/no_gradle/
 tests/slsa_analyzer/build_tool/mock_repos/maven_repos/no_pom/
 tests/slsa_analyzer/checks/mock_repos/**
 tests/slsa_analyzer/ci_service/mock_repos/**
+tests/repo_finder/mock_repos/**
 docs/_build
 bin/
 requirements.txt

@@ -35,13 +35,13 @@ See our [Macaron Style Guide](./docs/source/pages/developers_guide/style_guide.r
 
 1. Ensure there is an issue created to track and discuss the fix or enhancement
    you intend to submit.
-2. Fork this repository including the `staging` branch. In Macaron, the `staging` branch is the active development branch and contains the most recent changes.
-3. Create a branch in your fork to implement the changes.  Make sure to create your branch from the `staging` branch and not `main`. We recommend using the issue number as part of your branch name, e.g. `1234-fixes`.
+2. Fork this repository.
+3. Create a branch in your fork to implement the changes. We recommend using the issue number as part of your branch name, e.g. `1234-fixes`.
 4. The title of the PR should follow the convention of [commit messages](#commit-messages).
 5. Ensure that any documentation is updated with the changes that are required by your change.
 6. Ensure that any samples are updated if the base image has been changed.
 7. Submit the pull request. *Do not leave the pull request blank*. Explain exactly what your changes are meant to do and provide simple steps on how to validate. your changes. Ensure that you reference the issue you created as well.
-8. Choose `staging` as the base branch for your PR.
+8. Choose `main` as the base branch for your PR.
 9. We will assign the pull request to 2-3 people for review before it is merged.
 
 ### Commit messages
@@ -74,7 +74,7 @@ a detailed commit message body is preferred. Make sure to keep the `Signed-off-b
 
 ## Branching model
 
-* The `main` branch is only used for releases and the `staging` branch is used for development. We only merge to `main` when we want to create a new release for Macaron.
+* The `main` branch should be used as the base branch for pull requests. The `release` branch is designated for releases and should only be merged into when creating a new release for Macaron.
 
 ## Setting up the development environment
 

@@ -134,36 +134,37 @@ $(PACKAGE_PATH)/resources/schemastore/NOTICE:
 		&& wget https://raw.githubusercontent.com/SchemaStore/schemastore/a1689388470d1997f2e5ebd8b430e99587b8d354/NOTICE \
 		&& cd $(REPO_PATH)
 
-# Supports OL8+, Fedora 34+, Ubuntu 20.04+, and macOS.
+# Supports OL8+, Fedora 34+, Ubuntu 22.04+ and 24.04+, and macOS.
 OS := "$(shell uname)"
 ifeq ($(OS), "Darwin")
   OS_DISTRO := "Darwin"
 else
   ifeq ($(OS), "Linux")
     OS_DISTRO := "$(shell grep '^NAME=' /etc/os-release | sed 's/^NAME=//' | sed 's/"//g')"
+    OS_MAJOR_VERSION := "$(shell grep '^VERSION=' /etc/os-release | sed -r 's/^[^0-9]+([0-9]+)\..*/\1/')"
   endif
 endif
 # If Souffle cannot be installed, we advise the user to install it manually
 # and return status code 0, which is not considered a failure.
-# Souffle depends upon the libffiX library, where X is the current version it requires. Depending on the version of Ubuntu being used, the exact library
-# may not be present. In this script, we manually download and install version 7 on the Ubuntu operating system.
 .PHONY: souffle
 souffle:
 	if ! command -v souffle; then \
 	  echo "Installing system dependency: souffle" && \
 	  case $(OS_DISTRO) in \
 	    "Oracle Linux") \
-	      sudo dnf -y install https://github.com/souffle-lang/souffle/releases/download/2.4/x86_64-oraclelinux-8-souffle-2.4-Linux.rpm;; \
+	      sudo dnf -y install https://github.com/souffle-lang/souffle/releases/download/2.5/x86_64-oraclelinux-9-souffle-2.5-Linux.rpm;; \
 	    "Fedora Linux") \
-	      sudo dnf -y install https://github.com/souffle-lang/souffle/releases/download/2.4/x86_64-fedora-34-souffle-2.4-Linux.rpm;; \
+	      sudo dnf -y install https://github.com/souffle-lang/souffle/releases/download/2.5/x86_64-fedora-41-souffle-2.5-Linux.rpm;; \
 	    "Ubuntu") \
-	      sudo wget https://souffle-lang.github.io/ppa/souffle-key.public -O /usr/share/keyrings/souffle-archive-keyring.gpg; \
-	      echo "deb [signed-by=/usr/share/keyrings/souffle-archive-keyring.gpg] https://souffle-lang.github.io/ppa/ubuntu/ stable main" | sudo tee /etc/apt/sources.list.d/souffle.list; \
-	      sudo apt update; \
-	      sudo wget http://archive.ubuntu.com/ubuntu/pool/main/libf/libffi/libffi7_3.3-4_amd64.deb; \
-		  sudo dpkg -i libffi7_3.3-4_amd64.deb; \
-	      rm libffi7_3.3-4_amd64.deb; \
-	      sudo apt install souffle;; \
+	      if [ $(OS_MAJOR_VERSION) == "24" ]; then \
+	        wget https://github.com/souffle-lang/souffle/releases/download/2.5/x86_64-ubuntu-2404-souffle-2.5-Linux.deb -O ./souffle.deb; \
+	      elif [ $(OS_MAJOR_VERSION) == "22" ]; then \
+	        wget https://github.com/souffle-lang/souffle/releases/download/2.5/x86_64-ubuntu-2204-souffle-2.5-Linux.deb -O ./souffle.deb; \
+	      else \
+	        echo "Unsupported Ubuntu major version: $(OS_MAJOR_VERSION)"; exit 0; \
+	      fi; \
+	      sudo apt install ./souffle.deb; \
+	      rm ./souffle.deb;; \
 	    "Darwin") \
 	      if command -v brew; then \
 	        brew install --HEAD souffle-lang/souffle/souffle; \

@@ -80,6 +80,11 @@ Options
 
     The path to the local .m2 directory. If this option is not used, Macaron will use the default location at $HOME/.m2
 
+.. option:: --verify-provenance
+
+    Allow the analysis to attempt to verify provenance files as part of its normal operations.
+
+
 -----------
 Environment
 -----------

@@ -0,0 +1,34 @@
+macaron.provenance package
+==========================
+
+.. automodule:: macaron.provenance
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+Submodules
+----------
+
+macaron.provenance.provenance\_extractor module
+-----------------------------------------------
+
+.. automodule:: macaron.provenance.provenance_extractor
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+macaron.provenance.provenance\_finder module
+--------------------------------------------
+
+.. automodule:: macaron.provenance.provenance_finder
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+macaron.provenance.provenance\_verifier module
+----------------------------------------------
+
+.. automodule:: macaron.provenance.provenance_verifier
+   :members:
+   :undoc-members:
+   :show-inheritance:
@@ -17,22 +17,6 @@ macaron.repo\_finder.commit\_finder module
    :undoc-members:
    :show-inheritance:
 
-macaron.repo\_finder.provenance\_extractor module
--------------------------------------------------
-
-.. automodule:: macaron.repo_finder.provenance_extractor
-   :members:
-   :undoc-members:
-   :show-inheritance:
-
-macaron.repo\_finder.provenance\_finder module
-----------------------------------------------
-
-.. automodule:: macaron.repo_finder.provenance_finder
-   :members:
-   :undoc-members:
-   :show-inheritance:
-
 macaron.repo\_finder.repo\_finder module
 ----------------------------------------
 

@@ -20,6 +20,7 @@ Subpackages
    macaron.output_reporter
    macaron.parsers
    macaron.policy_engine
+   macaron.provenance
    macaron.repo_finder
    macaron.repo_verifier
    macaron.slsa_analyzer