From 55f7ef8cbed91189a3d3bfacadb0816b3a6382f3 Mon Sep 17 00:00:00 2001 From: behnazh-w Date: Fri, 3 Nov 2023 08:42:52 +1000 Subject: [PATCH 1/2] docs: add the new build tools and adjust supported technologies Signed-off-by: behnazh-w --- README.md | 2 +- .../pages/supported_technologies/index.rst | 54 +++++++++++++++---- 2 files changed, 44 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 93138b104..33604d02f 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ Macaron is a supply chain security analysis tool from [Oracle Labs](https://labs.oracle.com/pls/apex/r/labs/labs/intro), which focuses on the build integrity of an artifact and the artifact dependencies. It is based on the [Supply chain Levels for Software Artifacts (SLSA)](https://slsa.dev/) specification, which aims at preventing some of the software supply chain attacks as the systems get more complex, especially with respect to the use of open-source third-party code in applications. Attacks include stealing credentials, injecting malicious code etc., and it is critical to have security assurance on the third-party code to guarantee that the integrity of the code has not been compromised. -Macaron uses [SLSA requirements specifications v0.1](https://slsa.dev/spec/v0.1/requirements) to define concrete rules for protecting software integrity that can be checked for compliance requirements automatically. Macaron provides a customizable checker platform that makes it easy to define checks that depend on each other. This is particularly useful for implementing checks for SLSA levels. In addition, Macaron also checks a user-specified policy for the repository to detect unexpected behavior in the build process. Macaron is a work-in-progress project and currently supports Maven and Gradle Java build systems. Support has also been added for Python projects that use Pip or Poetry as their package managers, minus dependency analysis. We plan to support build systems for other languages in future. +Macaron uses [SLSA requirements specifications v0.1](https://slsa.dev/spec/v0.1/requirements) to define concrete rules for protecting software integrity that can be checked for compliance requirements automatically. Macaron provides a customizable checker platform that makes it easy to define checks that depend on each other. This is particularly useful for implementing checks for SLSA levels. In addition, Macaron also checks a user-specified policy for a software component to detect unexpected behavior in the build process. Macaron is a work-in-progress project and currently supports Maven and Gradle Java build systems, Pip or Poetry package managers for Python, npm and Yarn for JavaScript, Go, and Docker container. We plan to support more build systems in future. ## Table of Contents diff --git a/docs/source/pages/supported_technologies/index.rst b/docs/source/pages/supported_technologies/index.rst index fd263bd0a..4eadf2783 100644 --- a/docs/source/pages/supported_technologies/index.rst +++ b/docs/source/pages/supported_technologies/index.rst @@ -5,27 +5,55 @@ Supported Technologies ====================== +----------- +Build Tools +----------- + +Macaron is able to detect the build and deployment scripts for the following build tools and package managers while analyzing the CI configurations, +such as GitHub Actions workflows. + +* Maven +* Gradle +* Pip +* Poetry +* npm +* Yarn +* Go +* Docker container + + ------------ Git Services ------------ -.. list-table:: - :header-rows: 1 +Currently, we support the following Git services for version control. If you need support for any other Git services, feel free to open a GitHub issue. - * - Git Service - * - `GitHub `_ - * - `GitLab `_ +* `GitHub `_ +* `GitLab `_ ------------ CI Services ------------ +Currently, we support the following Continuous Integration (CI) services for automatically building and deploying artifacts. If you need support for any other CI services, feel free to open a GitHub issue. + .. list-table:: :header-rows: 1 * - CI Service + - Support * - `GitHub Actions `_ - + - + * Detecting deployment steps by building a call graph for workflows and reachable shell scripts + * Support for various GitHub APIs, such as Releases + * - `GitLab `_ + - Partial support for detecting deployment steps + * - `Jenkins `_ + - Partial support for detecting deployment steps + * - `Travis CI `_ + - Partial support for detecting deployment steps + * - `CircleCI `_ + - Partial support for detecting deployment steps ------------------ Package Registries @@ -39,10 +67,10 @@ Package Registries - Support - Documentation * - `JFrog Artifactory `_ - - Only projects built with Gradle and publishing to a JFrog Artifactory repo following `Maven layout `_ + - Projects built with Gradle and published to a JFrog Artifactory repo following `Maven layout `_ - :doc:`page ` * - `Maven Central Artifactory `_ - - Only projects built with Gradle or Maven and published to the Maven Central Artifactory. + - Projects built with Gradle or Maven and published to the Maven Central Artifactory. - :doc:`page ` ----------- @@ -57,11 +85,15 @@ Provenances - Support - Documentation * - `SLSA `_ - - Only provenances under `SLSA version 0.2 `_. + - + * `SLSA provenance version 0.2 `_. + * The provenance should be published as a GitHub release asset - :doc:`page ` * - `Witness `_ - - * Only provenances under Witness version 0.1 - * Only projects built with Gradle on GitLab CI provenances and publishing provenances to JFrog Artifactory + - + * Witness provenance version 0.1 + * Projects built with Gradle on GitLab CI + * The provenance should be published on JFrog Artifactory - :doc:`page ` -------- From 4afc607a121890332d21ab39dac01fca39e2d24f Mon Sep 17 00:00:00 2001 From: behnazh-w Date: Fri, 3 Nov 2023 09:12:03 +1000 Subject: [PATCH 2/2] docs: add bullet points and references to technologies in README.md --- README.md | 10 +++++++++- docs/source/pages/supported_technologies/index.rst | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 33604d02f..5f13fa69c 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,15 @@ Macaron is a supply chain security analysis tool from [Oracle Labs](https://labs.oracle.com/pls/apex/r/labs/labs/intro), which focuses on the build integrity of an artifact and the artifact dependencies. It is based on the [Supply chain Levels for Software Artifacts (SLSA)](https://slsa.dev/) specification, which aims at preventing some of the software supply chain attacks as the systems get more complex, especially with respect to the use of open-source third-party code in applications. Attacks include stealing credentials, injecting malicious code etc., and it is critical to have security assurance on the third-party code to guarantee that the integrity of the code has not been compromised. -Macaron uses [SLSA requirements specifications v0.1](https://slsa.dev/spec/v0.1/requirements) to define concrete rules for protecting software integrity that can be checked for compliance requirements automatically. Macaron provides a customizable checker platform that makes it easy to define checks that depend on each other. This is particularly useful for implementing checks for SLSA levels. In addition, Macaron also checks a user-specified policy for a software component to detect unexpected behavior in the build process. Macaron is a work-in-progress project and currently supports Maven and Gradle Java build systems, Pip or Poetry package managers for Python, npm and Yarn for JavaScript, Go, and Docker container. We plan to support more build systems in future. +Macaron uses [SLSA requirements specifications v0.1](https://slsa.dev/spec/v0.1/requirements) to define concrete rules for protecting software integrity that can be checked for compliance requirements automatically. Macaron provides a customizable checker platform that makes it easy to define checks that depend on each other. This is particularly useful for implementing checks for SLSA levels. In addition, Macaron also checks a user-specified policy for a software component to detect unexpected behavior in the build process. We currently support the following build tools: + +* Maven and Gradle Java build systems +* Pip or Poetry package managers for Python +* npm and Yarn for JavaScript +* Go +* Docker + +To see the full list of supported technologies, such as CI services, registries, and provenance types see [this page](https://oracle.github.io/macaron/pages/supported_technologies/index.html). Macaron is a work-in-progress project. We plan to support more build systems and technologies in the future. ## Table of Contents diff --git a/docs/source/pages/supported_technologies/index.rst b/docs/source/pages/supported_technologies/index.rst index 4eadf2783..8f207c26d 100644 --- a/docs/source/pages/supported_technologies/index.rst +++ b/docs/source/pages/supported_technologies/index.rst @@ -19,7 +19,7 @@ such as GitHub Actions workflows. * npm * Yarn * Go -* Docker container +* Docker ------------