feat: add a script to check VSA

Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>

Author: behnazh-w

docs/source/pages/tutorials/generate_verification_summary_attestation.rst

@@ -1,6 +1,8 @@
 .. Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
 .. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
+.. _gen-vsa_tutorial:
+
 =========================================
 Generate Verification Summary Attestation
 =========================================

docs/source/pages/tutorials/index.rst

@@ -22,4 +22,5 @@ For the full list of supported technologies, such as CI services, registries, an
    npm_provenance
    detect_malicious_java_dep
    generate_verification_summary_attestation
+   use_verification_summary_attestation
    exclude_include_checks

docs/source/pages/tutorials/use_verification_summary_attestation.rst

@@ -0,0 +1,159 @@
+.. Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+.. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+============================================
+How to use Verification Summary Attestations
+============================================
+
+This tutorial explains how to use the Verification Summary Attestations (VSA) generated by Macaron, using the VSAs for the `Graal Development Kit (GDK) <https://graal.cloud/gdk/>`_ artifacts as an example.
+
+For more information about VSAs, please refer to the :ref:`Verification Summary Attestation page<vsa>`. To use Macaron to generate VSAs see this :ref:`tutorial <gen-vsa_tutorial>`.
+
+* https://slsa.dev/spec/v1.0/verification_summary
+
+--------
+Use case
+--------
+
+Imagine you are a consumer of GDK artifacts and want to verify whether they are produced by a secure, :term:`SLSA`-compliant build service and sourced from a trusted source code repository. You need to confirm whether a provenance record for this artifact is published and has been verified. The GDK team must keep the details of their build pipeline confidential while still communicating that verification has occurred.
+
+A VSA allows you to assess the security properties of an artifact without needing direct access to the provenance details. This process involves delegating the policy decision to Macaron. Macaron receives the provenance of the build as input, analyzes various aspects of the build, and verifies the gathered data against a Datalog policy. It then generates a VSA that attests to the artifacts produced by the build, which is published alongside the artifacts.
+
+-------
+Example
+-------
+
+GDK is an Oracle build of the open source Micronaut® framework. GDK provides a curated set of Micronaut framework modules which are built from source and published on the `Oracle Maven repository <https://maven.oracle.com/public>`_. If a GDK artifact is verified by Macaron, you should be able to to find a corresponding VSA on Oracle Maven repository. Let's consider, the ``io.micronaut/micronaut-core@4.6.3-oracle-00001`` JAR artifact which is published at `<https://maven.oracle.com/public/io/micronaut/micronaut-core/4.6.3-oracle-00001/micronaut-core-4.6.3-oracle-00001.jar>`_. In order to verify the artifact with Macaron, you can follow the following steps:
+
+''''''''''''''''
+Download the VSA
+''''''''''''''''
+
+Check wether a VSA is published for the artifact and download it for further examination.
+
+.. code-block:: shell
+
+  curl -O https://maven.oracle.com/public/io/micronaut/micronaut-core/4.6.3-oracle-00001/vsa.intoto.jsonl
+
+''''''''''''''''''''''''''''''''''''
+Manual inspection of the VSA content
+''''''''''''''''''''''''''''''''''''
+
+.. code-block:: shell
+
+    cat vsa.intoto.jsonl | jq -r '.payload' | base64 -d | jq
+
+The output of the this command should look like below:
+
+.. toggle::
+
+    .. code-block:: json
+
+        {
+            "_type": "https://in-toto.io/Statement/v1",
+            "subject": [
+            {
+                "uri": "pkg:maven/io.micronaut/micronaut-core@4.6.3-oracle-00001?type=jar",
+                "digest": {
+                "sha256": "67ccb8e1a69da33ac7494b90d296db4ed3b2cdf3ccd267432dd2b7fac9b9bb12"
+                }
+            },
+            {
+                "uri": "pkg:maven/io.micronaut/micronaut-core@4.6.3-oracle-00001?type=pom",
+                "digest": {
+                "sha256": "c24499cbd1bc2aef1fbd961c6502304d183c43eba61f377ec1ddc89de6837f97"
+                }
+            },
+            {
+                "uri": "pkg:maven/io.micronaut/micronaut-core@4.6.3-oracle-00001?type=javadoc",
+                "digest": {
+                "sha256": "ed073facae8bf19d3e666e7f473ef01189784c974ebc2d017f157443ba09b33a"
+                }
+            },
+            {
+                "uri": "pkg:maven/io.micronaut/micronaut-core@4.6.3-oracle-00001?type=java-source",
+                "digest": {
+                "sha256": "3eee2a4434044702df9b1ab22a48322dc42707cda1558ab61d4a8760b96fd645"
+                }
+            }
+            ],
+            "predicateType": "https://slsa.dev/verification_summary/v1",
+            "predicate": {
+            "verifier": {
+                "id": "https://github.com/oracle/macaron",
+                "version": {
+                "macaron": "0.10.0"
+                }
+            },
+            "timeVerified": "2024-08-25T06:36:24.654718+00:00",
+            "resourceUri": "pkg:maven/io.micronaut/micronaut-core@4.6.3-oracle-00001",
+            "policy": {
+                "content": "#include \"prelude.dl\"\n\nPolicy(\"gdk_provenance_policy\", component_id, \"Policy for GDK builds\") :-\n    check_passed(component_id, \"mcn_provenance_expectation_1\").\n\napply_policy_to(\"gdk_provenance_policy\", component_id) :-\n    is_component(component_id, purl),\n    match(\"^pkg:maven/io.micronaut/micronaut-core@.*$\", purl)."
+            },
+            "verificationResult": "PASSED",
+            "verifiedLevels": []
+            }
+        }
+
+
+
+The VSA adheres to the `schema <https://slsa.dev/spec/v1.0/verification_summary>`_ provided by SLSA. However, rather than specifying a URI for the policy, it includes the policy directly within the VSA under the ``predicate.policy.content`` field. Below is a pretty-printed format of the policy as it appears in the VSA.
+
+.. toggle::
+
+    .. code-block:: prolog
+
+        #include "prelude.dl"
+
+        Policy("gdk_provenance_policy", component_id, "Policy for GDK builds") :-
+            check_passed(component_id, "mcn_provenance_expectation_1")
+
+        apply_policy_to("has-hosted-build", component_id) :-
+            is_component(component_id, purl),
+            match("^pkg:maven/io.micronaut/micronaut-core@.*$", purl).
+
+This policy makes sure the :ref:`mcn_provenance_expectation_1 <checks>` check, which verifies the content of the provenance file matches :ref:`CUE expectation <pages/using:Verifying provenance expectations in CUE language>`. You can find the template policy files for GDK builds below:
+
+* `Template CUE expectation <https://github.com/oracle/macaron/tree/main/src/macaron/resources/policies/gdk/expectation.cue.template>`_
+* `Template Datalog policy file <https://github.com/oracle/macaron/tree/main/src/macaron/resources/policies/gdk/policy.dl.template>`_
+
+The VSA also includes the list of subjects and their corresponding checksums that have been verified, the version of Macaron used, the timestamp of the verification, and the result of the verification.
+
+'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
+Automatically check the artifact checksum and verification result
+'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
+
+To verify that the artifact checksum matches the subject listed in the VSA and that the verification process has passed, follow these steps:
+
+
+**Download the check_vsa.sh script:**
+
+.. code-block:: shell
+
+    curl -O https://raw.githubusercontent.com/oracle/macaron/main/scripts/release_scripts/check_vsa.sh
+
+**Make the script executable:**
+
+.. code-block:: shell
+
+    chmod +x check_vsa.sh
+
+**Run the script with the appropriate arguments:**
+
+.. code-block:: shell
+
+    ./check_vsa.sh --artifact-path micronaut-core-4.6.3-oracle-00001.jar --vsa-path vsa.intoto.jsonl --purl "pkg:maven/io.micronaut/micronaut-core@4.6.3-oracle-00001?type=jar"
+
+The artifact and VSA paths should be valid paths on your filesystem. Ensure you replace ``micronaut-core-4.6.3-oracle-00001.jar``, ``vsa.intoto.jsonl``, and ``pkg:maven/io.micronaut/micronaut-core@4.6.3-oracle-00001?type=jar`` with your actual file paths and package URL.
+
+**Verify the output:**
+
+If the verification is successful, the script will print:
+
+.. code-block:: shell
+
+    The subject checksum matches the expected value.
+    The VSA has been verified by Macaron.
+    The verification has passed.
+
+If there is an issue, the script will return an error code ``1`` and print an appropriate error message.

scripts/release_scripts/check_vsa.sh

@@ -0,0 +1,147 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+# This script checks the Verification Summary Attestation generated by Macaron.
+
+# Strict bash options.
+#
+# -e:          exit immediately if a command fails (with non-zero return code),
+#              or if a function returns non-zero.
+#
+# -u:          treat unset variables and parameters as error when performing
+#              parameter expansion.
+#              In case a variable ${VAR} is unset but we still need to expand,
+#              use the syntax ${VAR:-} to expand it to an empty string.
+#
+# -o pipefail: set the return value of a pipeline to the value of the last
+#              (rightmost) command to exit with a non-zero status, or zero
+#              if all commands in the pipeline exit successfully.
+#
+# Reference: https://www.gnu.org/software/bash/manual/html_node/The-Set-Builtin.html.
+set -euo pipefail
+
+# Log error (to stderr).
+log_err() {
+    echo "[ERROR]: $*" >&2
+}
+
+# Print usage message.
+print_help() {
+    cat << EOF
+Usage: $(basename "$0") [OPTIONS]
+
+This script checks the Verification Summary Attestation (VSA) generated by Macaron.
+
+Options:
+  --artifact-path PATH   Path to the artifact file.
+  --vsa-path PATH        Path to the Verification Summary Attestation (VSA) file.
+  --purl URL             Package URL to match against the VSA.
+  --help, -h             Display this help message and exit.
+
+Examples:
+  $(basename "$0") --artifact-path /path/to/artifact --vsa-path /path/to/vsa --purl "package-url"
+
+EOF
+}
+
+# Assert that a file exists.
+#
+# Arguments:
+#   $1: The path to the file.
+#   $2: The argument from which the file is passed into this script.
+#
+# With the `set -e` option turned on, this function exits the script with
+# return code 1 if the file does not exist.
+function assert_file_exists() {
+    if [[ ! -f "$1" ]]; then
+        log_err "File $1 does not exist."
+        return 1
+    fi
+}
+
+# Parse main arguments.
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --artifact-path)
+            arg_artifact_path="$2"
+            shift
+            ;;
+        --vsa-path)
+            arg_vsa_path="$2"
+            shift
+            ;;
+        --purl)
+            purl="$2"
+            shift
+            ;;
+        -h | --help)
+            print_help
+            exit 0
+            ;;
+        *)
+            log_err "Unknown option: $1"
+            print_help
+            exit 1
+            ;;
+    esac
+    shift
+done
+
+
+# Check the artifact path and compute the checksum of the artifact.
+if [[ -n "${arg_artifact_path:-}" ]]; then
+    assert_file_exists "$arg_artifact_path"
+    artifact_checksum=$(shasum -a 256  "$arg_artifact_path" | awk '{print $1}')
+else
+    log_err "Please provide the artifact path."
+    print_help
+    exit 1
+fi
+
+# Check the VSA path.
+if [[ -n "${arg_vsa_path:-}" ]]; then
+    assert_file_exists "$arg_vsa_path"
+else
+    log_err "Please provide the VSA path."
+    print_help
+    exit 1
+fi
+
+# Check the purl and obtain the matching subject.
+if [[ -n "${purl:-}" ]]; then
+    subject_digest=$(cat "$arg_vsa_path" | jq -r ".payload" | base64 -d | jq -r ".subject[] | select(.uri == \"$purl\") | .digest.sha256")
+else
+    log_err "Please provide the package URL."
+    print_help
+    exit 1
+fi
+
+verify_result=$(cat "$arg_vsa_path" | jq -r ".payload" | base64 -d | jq -r ".predicate.verificationResult")
+verifier=$(cat "$arg_vsa_path" | jq -r ".payload" | base64 -d | jq -r ".predicate.verifier.id")
+
+
+# Check if the subject and artifact digests match.
+if [ "$subject_digest" = "$artifact_checksum" ]; then
+    echo "The subject checksum matches the expected value."
+else
+    echo "The subject checksum \"$subject_digest\" does not match the expected value \"$artifact_checksum\"."
+    exit 1
+fi
+
+# Check if verifier is Macaron.
+if [ "$verifier" = "https://github.com/oracle/macaron" ]; then
+    echo "The VSA has been verified by Macaron."
+else
+    echo "The VSA has not been verified by Macaron."
+    exit 1
+fi
+
+# Check whether the verification has passed.
+if [ "$verify_result" = "PASSED" ]; then
+    echo "The verification has passed."
+else
+    echo "The verification has failed."
+    exit 1
+fi

src/macaron/resources/policies/gdk/expectation.cue.template

@@ -0,0 +1,18 @@
+{
+    target: "<EXPECTATION_PURL>",
+    predicate: {
+        attestations: [
+            {
+                attestation: {
+                    jobimage: =~"<IMAGE>:.*",
+                    projecturl: "https://<REPO_URL>",
+                },
+            },
+            _,
+            _,
+            _,
+            _,
+            _
+        ]
+    }
+}

src/macaron/resources/policies/gdk/policy.dl.template

@@ -0,0 +1,8 @@
+#include "prelude.dl"
+
+Policy("gdk_provenance_policy", component_id, "Policy for GDK builds") :-
+    check_passed(component_id, "mcn_provenance_expectation_1").
+
+apply_policy_to("gcn_provenance_policy", component_id) :-
+    is_component(component_id, purl),
+    match("^<PACKAGE_PURL>@.*$", purl).