Description
As mentioned in the Macaron tutorial documentation for "Analyzing and comparing different versions of an artifact", the has-hosted-build.dl policy should be satisfied by pkg:pypi/arrow@1.3.0 and violated by pkg:pypi/arrow@0.15.0, but it seems that the policy is violated for both arrow versions.
Steps to Reproduce
- Step 1: Run Macaron analysis on arrow@1.3.0

```shell
./run_macaron.sh analyze -purl pkg:pypi/arrow@1.3.0
```

- Step 2: Run Macaron verify policy - has-hosted-build.dl

Policy file - has-hosted-build.dl

```datalog
#include "prelude.dl"

Policy("has-hosted-build", component_id, "Require a hosted build and publishing service.") :-
    check_passed(component_id, "mcn_build_as_code_1").

apply_policy_to("has-hosted-build", component_id) :-
    is_component(component_id, purl),
    match("pkg:pypi/arrow.*", purl).
```

```shell
./run_macaron.sh verify-policy --database ./output/macaron.db --file ./has-hosted-build.dl
```

Expected Behavior
According to the tutorial, arrow@1.3.0 should satisfy the has-hosted-build.dl policy, as the check mcn_build_as_code_1 should pass during analysis.
Actual Behavior
When performing analysis for arrow@1.3.0, it violates the has-hosted-build.dl policy, as the check mcn_build_as_code_1 is failing during analysis. This can also be seen in the HTML report using:

```shell
open output/reports/pypi/arrow/arrow.html
```

Debug Information

```shell
./run_macaron.sh --verbose analyze -purl pkg:pypi/arrow@1.3.0
```

Debug Output:
❯ macaron --verbose --disable-rich-output analyze -purl pkg:pypi/arrow@1.3.0
2025-11-27 10:36:30,677 [macaron.__main__:main:735] [INFO] Setting the output directory to output
2025-11-27 10:36:30,677 [macaron.__main__:main:764] [INFO] The logs will be stored in debug.log
2025-11-27 10:36:30,678 [macaron.__main__:analyze_slsa_levels_single:94] [DEBUG] The default local Maven repo at %s does not exist. Ignore ...
2025-11-27 10:36:30,679 [macaron.slsa_analyzer.analyzer:__init__:116] [INFO] The following checks are excluded based on the user configuration: []
2025-11-27 10:36:30,679 [macaron.slsa_analyzer.analyzer:__init__:125] [INFO] The following checks will be run: ['mcn_build_as_code_1', 'mcn_build_script_1', 'mcn_build_service_1', 'mcn_build_tool_1', 'mcn_provenance_available_1', 'mcn_version_control_system_1', 'mcn_detect_malicious_metadata_1', 'mcn_provenance_expectation_1', 'mcn_githubactions_vulnerabilities_1', 'mcn_scm_authenticity_1', 'mcn_provenance_derived_commit_1', 'mcn_provenance_derived_repo_1', 'mcn_find_artifact_pipeline_1', 'mcn_provenance_witness_level_one_1', 'mcn_provenance_verified_1', 'mcn_trusted_builder_level_three_1']
2025-11-27 10:36:30,710 [macaron.provenance.provenance_finder:find_provenance:80] [DEBUG] Seeking provenance of: pkg:pypi/arrow@1.3.0
2025-11-27 10:36:30,710 [macaron.util:send_get_http:41] [DEBUG] GET - https://api.deps.dev/v3alpha/purl/pkg:pypi%2Farrow@1.3.0
2025-11-27 10:36:30,841 [macaron.repo_finder.repo_finder_deps_dev:get_attestation:206] [DEBUG] No attestations in result.
2025-11-27 10:36:30,841 [macaron.provenance.provenance_finder:_find_provenance:133] [DEBUG] No provenance found.
2025-11-27 10:36:30,841 [macaron.repo_finder.repo_finder:to_repo_path:217] [INFO] The PURL type of pkg:pypi/arrow@1.3.0 is not valid as a repository type.
2025-11-27 10:36:30,841 [macaron.repo_finder.repo_finder:find_repo:112] [DEBUG] Analyzing pkg:pypi/arrow@1.3.0 with Repo Finder: <class 'macaron.repo_finder.repo_finder_deps_dev.DepsDevRepoFinder'>
2025-11-27 10:36:30,841 [macaron.util:send_get_http_raw:166] [DEBUG] GET - https://api.deps.dev/v3alpha/purl/pkg:pypi%2Farrow@1.3.0
2025-11-27 10:36:30,963 [macaron.repo_finder.repo_finder_deps_dev:find_repo:74] [DEBUG] Found 3 urls: ['https://arrow.readthedocs.io', 'https://github.com/arrow-py/arrow/issues', 'https://github.com/arrow-py/arrow']
2025-11-27 10:36:30,963 [macaron.repo_finder.repo_finder_deps_dev:find_repo:77] [DEBUG] Found valid url: https://github.com/arrow-py/arrow
2025-11-27 10:36:30,963 [macaron.repo_finder.repo_finder:prepare_repo:458] [INFO] Preparing the repository for the analysis (path=https://github.com/arrow-py/arrow, branch=, digest=)
2025-11-27 10:36:30,964 [macaron.repo_finder.repo_finder:prepare_repo:470] [INFO] The path to repo https://github.com/arrow-py/arrow is a remote path.
2025-11-27 10:36:30,964 [macaron.repo_finder.repo_finder:prepare_repo:479] [INFO] Cloning the repository.
2025-11-27 10:36:31,584 [macaron.repo_finder.commit_finder:find_commit_from_version_and_name:247] [DEBUG] Searching for commit of artifact version using tags: arrow@1.3.0
2025-11-27 10:36:31,622 [macaron.repo_finder.commit_finder:match_tags:509] [DEBUG] Tag Sample: ['0.10.0', '0.11.0', '0.12.0', '0.12.1', '0.13.0']
2025-11-27 10:36:31,622 [macaron.repo_finder.commit_finder:find_commit_from_version_and_name:275] [DEBUG] Found tag 1.3.0 with commit 87a1a774aad0505d9da18ad1d16f6e571f262503 for artifact version arrow@1.3.0
2025-11-27 10:36:31,640 [macaron.slsa_analyzer.git_url:check_out_repo_target:216] [INFO] The HEAD commit is 87a1a774aad0505d9da18ad1d16f6e571f262503.
2025-11-27 10:36:31,651 [macaron.slsa_analyzer.analyzer:add_repository:655] [INFO] The complete name of this repository is github.com/arrow-py/arrow
2025-11-27 10:36:31,651 [macaron.slsa_analyzer.analyzer:add_repository:666] [DEBUG] The HEAD of the repo does not point to any branch: HEAD is a detached symbolic reference as it points to '87a1a774aad0505d9da18ad1d16f6e571f262503'.
2025-11-27 10:36:31,652 [macaron.slsa_analyzer.analyzer:add_repository:669] [DEBUG] Branch: None
2025-11-27 10:36:31,653 [macaron.slsa_analyzer.analyzer:add_repository:700] [INFO] Running the analysis on branch None, commit_sha 87a1a774aad0505d9da18ad1d16f6e571f262503, commit_date: 2023-09-30T15:03:06-07:00
2025-11-27 10:36:31,654 [macaron.slsa_analyzer.analyzer:run_single:510] [INFO] =====================================
2025-11-27 10:36:31,654 [macaron.slsa_analyzer.analyzer:run_single:511] [INFO] Analyzing pkg:pypi/arrow@1.3.0
2025-11-27 10:36:31,654 [macaron.slsa_analyzer.analyzer:run_single:512] [INFO] With PURL: pkg:pypi/arrow@1.3.0
2025-11-27 10:36:31,654 [macaron.slsa_analyzer.analyzer:run_single:513] [INFO] =====================================
2025-11-27 10:36:31,654 [macaron.slsa_analyzer.analyzer:_determine_git_service:1024] [INFO] Detected git service github for github.com/arrow-py/arrow.
2025-11-27 10:36:31,654 [macaron.slsa_analyzer.ci_service.github_actions.github_actions_ci:is_detected:98] [DEBUG] Checking config files of CI Service: github_actions
2025-11-27 10:36:31,654 [macaron.slsa_analyzer.analyzer:_determine_ci_services:1098] [INFO] The repo uses github_actions CI service.
2025-11-27 10:36:31,654 [macaron.slsa_analyzer.ci_service.github_actions.github_actions_ci:is_detected:98] [DEBUG] Checking config files of CI Service: github_actions
2025-11-27 10:36:31,654 [macaron.slsa_analyzer.ci_service.github_actions.github_actions_ci:get_workflows:130] [DEBUG] Found GitHub Actions workflows.
2025-11-27 10:36:31,654 [macaron.slsa_analyzer.ci_service.github_actions.analyzer:build_call_graph_from_path:394] [DEBUG] Parsing /Users/pgovale/Documents/output/git_repos/github_com/arrow-py/arrow/.github/workflows/release.yml
2025-11-27 10:36:31,719 [macaron.slsa_analyzer.ci_service.github_actions.analyzer:build_call_graph_from_path:394] [DEBUG] Parsing /Users/pgovale/Documents/output/git_repos/github_com/arrow-py/arrow/.github/workflows/continuous_integration.yml
2025-11-27 10:36:31,817 [macaron.slsa_analyzer.ci_service.base_ci_service:is_detected:84] [DEBUG] Checking config files of CI Service: jenkins
2025-11-27 10:36:31,817 [macaron.slsa_analyzer.ci_service.base_ci_service:is_detected:88] [DEBUG] Jenkinsfile does not exist in this repository.
2025-11-27 10:36:31,817 [macaron.slsa_analyzer.ci_service.base_ci_service:is_detected:84] [DEBUG] Checking config files of CI Service: travis_ci
2025-11-27 10:36:31,817 [macaron.slsa_analyzer.ci_service.base_ci_service:is_detected:88] [DEBUG] .travis.yml does not exist in this repository.
2025-11-27 10:36:31,817 [macaron.slsa_analyzer.ci_service.base_ci_service:is_detected:88] [DEBUG] .travis.yaml does not exist in this repository.
2025-11-27 10:36:31,817 [macaron.slsa_analyzer.ci_service.base_ci_service:is_detected:84] [DEBUG] Checking config files of CI Service: circle_ci
2025-11-27 10:36:31,817 [macaron.slsa_analyzer.ci_service.base_ci_service:is_detected:88] [DEBUG] .circleci/config.yml does not exist in this repository.
2025-11-27 10:36:31,817 [macaron.slsa_analyzer.ci_service.base_ci_service:is_detected:88] [DEBUG] .circleci/config.yaml does not exist in this repository.
2025-11-27 10:36:31,817 [macaron.slsa_analyzer.ci_service.base_ci_service:is_detected:84] [DEBUG] Checking config files of CI Service: gitlab_ci
2025-11-27 10:36:31,817 [macaron.slsa_analyzer.ci_service.base_ci_service:is_detected:88] [DEBUG] .gitlab-ci.yml does not exist in this repository.
2025-11-27 10:36:31,817 [macaron.slsa_analyzer.ci_service.base_ci_service:is_detected:88] [DEBUG] .gitlab-ci.yaml does not exist in this repository.
2025-11-27 10:36:31,817 [macaron.slsa_analyzer.analyzer:_determine_build_tools:1038] [DEBUG] Found poetry build tool based on the pkg:pypi/arrow@1.3.0 PackageURL.
2025-11-27 10:36:31,817 [macaron.slsa_analyzer.analyzer:_determine_build_tools:1052] [INFO] Checking if the repo github.com/arrow-py/arrow uses build tool poetry
2025-11-27 10:36:31,820 [macaron.slsa_analyzer.analyzer:_determine_build_tools:1038] [DEBUG] Found flit build tool based on the pkg:pypi/arrow@1.3.0 PackageURL.
2025-11-27 10:36:31,820 [macaron.slsa_analyzer.analyzer:_determine_build_tools:1052] [INFO] Checking if the repo github.com/arrow-py/arrow uses build tool flit
2025-11-27 10:36:31,820 [macaron.slsa_analyzer.analyzer:_determine_build_tools:1059] [INFO] The repo uses flit build tool.
2025-11-27 10:36:31,820 [macaron.slsa_analyzer.analyzer:_determine_build_tools:1038] [DEBUG] Found hatch build tool based on the pkg:pypi/arrow@1.3.0 PackageURL.
2025-11-27 10:36:31,820 [macaron.slsa_analyzer.analyzer:_determine_build_tools:1052] [INFO] Checking if the repo github.com/arrow-py/arrow uses build tool hatch
2025-11-27 10:36:31,822 [macaron.slsa_analyzer.analyzer:_determine_build_tools:1038] [DEBUG] Found conda build tool based on the pkg:pypi/arrow@1.3.0 PackageURL.
2025-11-27 10:36:31,822 [macaron.slsa_analyzer.analyzer:_determine_build_tools:1052] [INFO] Checking if the repo github.com/arrow-py/arrow uses build tool conda
2025-11-27 10:36:31,824 [macaron.slsa_analyzer.analyzer:_determine_build_tools:1038] [DEBUG] Found pip build tool based on the pkg:pypi/arrow@1.3.0 PackageURL.
2025-11-27 10:36:31,824 [macaron.slsa_analyzer.analyzer:_determine_build_tools:1052] [INFO] Checking if the repo github.com/arrow-py/arrow uses build tool pip
2025-11-27 10:36:31,825 [macaron.slsa_analyzer.analyzer:_determine_build_tools:1059] [INFO] The repo uses pip build tool.
2025-11-27 10:36:31,826 [macaron.util:send_get_http_raw:166] [DEBUG] GET - https://pypi.org/pypi/arrow/json
2025-11-27 10:36:31,876 [macaron.slsa_analyzer.package_registry.pypi_registry:get_sha256:906] [DEBUG] Found sha256 hash: c728b120ebc00eb84e01882a6f5e7927a53960aa990ce7dd2b10f39005a67f80
2025-11-27 10:36:31,876 [macaron.util:send_get_http:41] [DEBUG] GET - https://api.github.com/repos/arrow-py/arrow/attestations/sha256:c728b120ebc00eb84e01882a6f5e7927a53960aa990ce7dd2b10f39005a67f80
2025-11-27 10:36:33,270 [macaron.util:send_get_http:47] [DEBUG] Receiving error code 404 from server. Message: {"message":"Not Found","documentation_url":"https://docs.github.com/rest/repos/repos#list-attestations","status":"404"}.
2025-11-27 10:36:33,286 [macaron.slsa_analyzer.git_service.api_client:get_release_by_tag:552] [DEBUG] Get the release for 'arrow-py/arrow' using tag '1.3.0'.
2025-11-27 10:36:33,286 [macaron.util:send_get_http:41] [DEBUG] GET - https://api.github.com/repos/arrow-py/arrow/releases/tags/1.3.0
2025-11-27 10:36:33,700 [macaron.slsa_analyzer.checks.base_check:run:100] [INFO] ----------------------------------
2025-11-27 10:36:33,701 [macaron.slsa_analyzer.checks.base_check:run:101] [INFO] BEGIN CHECK: mcn_provenance_available_1
2025-11-27 10:36:33,701 [macaron.slsa_analyzer.checks.base_check:run:102] [INFO] ----------------------------------
2025-11-27 10:36:33,702 [macaron.slsa_analyzer.checks.base_check:run:118] [INFO] Check mcn_provenance_available_1 run FAILED on target pkg:pypi/arrow@1.3.0.
2025-11-27 10:36:33,702 [macaron.slsa_analyzer.checks.base_check:run:124] [DEBUG] Check result: [(<Confidence.HIGH: 1.0>, ['Not Available.'])]
2025-11-27 10:36:33,702 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Provenance - Available: set to False.
2025-11-27 10:36:33,702 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Provenance content - Identifies build instructions: set to False.
2025-11-27 10:36:33,702 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Provenance content - Identifies artifacts: set to False.
2025-11-27 10:36:33,702 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Provenance content - Identifies builder: set to False.
2025-11-27 10:36:33,702 [macaron.slsa_analyzer.checks.base_check:run:100] [INFO] ----------------------------------
2025-11-27 10:36:33,702 [macaron.slsa_analyzer.checks.base_check:run:101] [INFO] BEGIN CHECK: mcn_version_control_system_1
2025-11-27 10:36:33,702 [macaron.slsa_analyzer.checks.base_check:run:102] [INFO] ----------------------------------
2025-11-27 10:36:33,703 [macaron.slsa_analyzer.checks.base_check:run:118] [INFO] Check mcn_version_control_system_1 run PASSED on target pkg:pypi/arrow@1.3.0.
2025-11-27 10:36:33,703 [macaron.slsa_analyzer.checks.base_check:run:124] [DEBUG] Check result: [(<Confidence.HIGH: 1.0>, [{'git_repo': 'https://github.com/arrow-py/arrow'}])]
2025-11-27 10:36:33,703 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Version controlled: set to True.
2025-11-27 10:36:33,703 [macaron.slsa_analyzer.checks.base_check:run:100] [INFO] ----------------------------------
2025-11-27 10:36:33,703 [macaron.slsa_analyzer.checks.base_check:run:101] [INFO] BEGIN CHECK: mcn_detect_malicious_metadata_1
2025-11-27 10:36:33,703 [macaron.slsa_analyzer.checks.base_check:run:102] [INFO] ----------------------------------
2025-11-27 10:36:33,703 [macaron.util:send_get_http_raw:166] [DEBUG] GET - https://api.deps.dev/v3alpha/purl/pkg:pypi%2Farrow@1.3.0
2025-11-27 10:36:33,824 [macaron.slsa_analyzer.checks.detect_malicious_metadata_check:run_heuristics:229] [DEBUG] Instantiating EmptyProjectLinkAnalyzer
2025-11-27 10:36:33,824 [macaron.slsa_analyzer.checks.detect_malicious_metadata_check:run_heuristics:229] [DEBUG] Instantiating SourceCodeRepoAnalyzer
2025-11-27 10:36:33,824 [macaron.slsa_analyzer.checks.detect_malicious_metadata_check:run_heuristics:229] [DEBUG] Instantiating OneReleaseAnalyzer
2025-11-27 10:36:33,824 [macaron.slsa_analyzer.checks.detect_malicious_metadata_check:run_heuristics:229] [DEBUG] Instantiating HighReleaseFrequencyAnalyzer
2025-11-27 10:36:33,827 [macaron.slsa_analyzer.checks.detect_malicious_metadata_check:run_heuristics:229] [DEBUG] Instantiating UnchangedReleaseAnalyzer
2025-11-27 10:36:33,827 [macaron.slsa_analyzer.checks.detect_malicious_metadata_check:run_heuristics:229] [DEBUG] Instantiating CloserReleaseJoinDateAnalyzer
2025-11-27 10:36:33,828 [macaron.util:send_get_http_raw:166] [DEBUG] GET - https://pypi.org/project/arrow/
2025-11-27 10:36:33,962 [macaron.util:send_get_http_raw:166] [DEBUG] GET - https://pypi.org/user/crsmithdev/
2025-11-27 10:36:34,232 [macaron.slsa_analyzer.package_registry.pypi_registry:get_maintainer_profile_page:434] [DEBUG] URL returned a JavaScript Challenge: https://pypi.org/user/crsmithdev/
2025-11-27 10:36:34,234 [macaron.util:send_get_http_raw:166] [DEBUG] GET - https://pypi.org/user/krisfremen/
2025-11-27 10:36:34,505 [macaron.slsa_analyzer.package_registry.pypi_registry:get_maintainer_profile_page:434] [DEBUG] URL returned a JavaScript Challenge: https://pypi.org/user/krisfremen/
2025-11-27 10:36:34,508 [macaron.util:send_get_http_raw:166] [DEBUG] GET - https://pypi.org/user/systemcatch/
2025-11-27 10:36:34,777 [macaron.slsa_analyzer.package_registry.pypi_registry:get_maintainer_profile_page:434] [DEBUG] URL returned a JavaScript Challenge: https://pypi.org/user/systemcatch/
2025-11-27 10:36:34,779 [macaron.util:send_get_http_raw:166] [DEBUG] GET - https://pypi.org/user/jadchaar/
2025-11-27 10:36:35,032 [macaron.slsa_analyzer.package_registry.pypi_registry:get_maintainer_profile_page:434] [DEBUG] URL returned a JavaScript Challenge: https://pypi.org/user/jadchaar/
2025-11-27 10:36:35,035 [macaron.slsa_analyzer.checks.detect_malicious_metadata_check:run_heuristics:229] [DEBUG] Instantiating SuspiciousSetupAnalyzer
2025-11-27 10:36:35,035 [macaron.slsa_analyzer.package_registry.pypi_registry:get_sourcecode_url:682] [DEBUG] Found source URL: https://files.pythonhosted.org/packages/2e/00/0f6e8fcdb23ea632c866620cc872729ff43ed91d284c866b515c6342b173/arrow-1.3.0.tar.gz
2025-11-27 10:36:35,135 [macaron.slsa_analyzer.checks.detect_malicious_metadata_check:run_heuristics:229] [DEBUG] Instantiating WheelAbsenceAnalyzer
2025-11-27 10:36:35,136 [macaron.util:send_head_http_raw:90] [DEBUG] HEAD - https://inspector.pypi.io/project/arrow/1.3.0/packages/f8/ed/e97229a566617f2ae958a6b13e7cc0f585470eac730a73e9e82c32a3cdd2/arrow-1.3.0-py3-none-any.whl
2025-11-27 10:36:35,414 [macaron.util:send_head_http_raw:90] [DEBUG] HEAD - https://inspector.pypi.io/project/arrow/1.3.0/packages/2e/00/0f6e8fcdb23ea632c866620cc872729ff43ed91d284c866b515c6342b173/arrow-1.3.0.tar.gz
2025-11-27 10:36:35,671 [macaron.slsa_analyzer.checks.detect_malicious_metadata_check:run_heuristics:229] [DEBUG] Instantiating AnomalousVersionAnalyzer
2025-11-27 10:36:35,672 [macaron.slsa_analyzer.checks.detect_malicious_metadata_check:run_heuristics:229] [DEBUG] Instantiating TyposquattingPresenceAnalyzer
2025-11-27 10:36:35,674 [macaron.slsa_analyzer.checks.detect_malicious_metadata_check:run_heuristics:229] [DEBUG] Instantiating FakeEmailAnalyzer
2025-11-27 10:36:35,674 [macaron.json_tools:json_extract:56] [DEBUG] Found value of incorrect type: <class 'NoneType'> instead of <class 'str'>.
2025-11-27 10:36:35,712 [macaron.malware_analyzer.pypi_heuristics.metadata.fake_email:analyze:135] [DEBUG] Email crsmithdev@gmail.com normalized to crsmithdev@gmail.com
2025-11-27 10:36:35,712 [macaron.slsa_analyzer.checks.detect_malicious_metadata_check:run_heuristics:229] [DEBUG] Instantiating SimilarProjectAnalyzer
2025-11-27 10:36:35,712 [macaron.slsa_analyzer.checks.detect_malicious_metadata_check:run_heuristics:229] [DEBUG] Instantiating PackageDescriptionIntentAnalyzer
2025-11-27 10:36:35,712 [macaron.slsa_analyzer.checks.detect_malicious_metadata_check:run_heuristics:229] [DEBUG] Instantiating TypeStubFileAnalyzer
2025-11-27 10:36:35,712 [macaron.slsa_analyzer.package_registry.pypi_registry:get_sourcecode_url:682] [DEBUG] Found source URL: https://files.pythonhosted.org/packages/2e/00/0f6e8fcdb23ea632c866620cc872729ff43ed91d284c866b515c6342b173/arrow-1.3.0.tar.gz
2025-11-27 10:36:35,799 [macaron.slsa_analyzer.package_registry.pypi_registry:download_package_sourcecode:284] [DEBUG] Temporary download and unzip of arrow-1.3.0.tar.gz stored in /var/folders/mw/_8prclr553dg_rm79zgc72yw0000gp/T/arrow-1.3.0_nimhm5yh/arrow-1.3.0
2025-11-27 10:36:35,800 [macaron.slsa_analyzer.checks.detect_malicious_metadata_check:evaluate_heuristic_results:191] [DEBUG] Problog model used for evaluation:
empty_project_link :- true.
source_code_repo :- true.
one_release :- true.
high_release_frequency :- true.
closer_release_join_date :- false.
suspicious_setup :- true.
wheel_absence :- true.
typosquatting_presence :- true.
fake_email :- true.
package_description_intent :- false.
type_stub_file :- false.
% ----- Wrappers ------
% When a heuristic is skipped, it is ommitted from the problog model facts definition. This means that references in this
% static model must account for when they are not existent. These wrappers perform this function using the inbuilt try_call
% problog function. It will try to evaluate the provided logic, and return false if it encounters an error, such as the fact
% not being defined. For example, you are expecting A to pass, so we do:
%
% passed(A)
%
% If A was 'true', then this will return true, as A did pass. If A was 'false', then this will return false, as A did not pass.
% If A was not defined, then this will return false, as A did not pass.
% Please use these wrappers throughout the problog model for logic definitions.
passed(H) :- try_call(H).
failed(H) :- try_call(not H).
% ----- Heuristic groupings -----
% These are common combinations of heuristics that are used in many of the rules, thus themselves representing
% certain behaviors. When changing or adding rules here, if there are frequent combinations of particular
% heuristics, group them together here.
% Maintainer has recently joined, publishing an undetailed page with no links.
quickUndetailed :- failed(empty_project_link), failed(closer_release_join_date).
% Maintainer releases a suspicious setup.py and forces it to run by omitting a .whl file.
forceSetup :- failed(suspicious_setup), failed(wheel_absence).
% ----- Suspicious Combinations -----
% Package released recently with little detail, forcing the setup.py to run.
1.0::trigger(malware_high_confidence_1) :-
quickUndetailed, forceSetup, failed(one_release).
1.0::trigger(malware_high_confidence_2) :-
quickUndetailed, forceSetup, failed(high_release_frequency).
% Package released recently with little detail, with some more refined trust markers introduced: project links,
% multiple different releases, but there is no source code repository matching it and the setup is suspicious.
1.0::trigger(malware_high_confidence_3) :-
failed(source_code_repo),
failed(high_release_frequency),
passed(unchanged_release),
failed(closer_release_join_date),
forceSetup.
% Package released recently with little detail, forcing setup.py to run, and suspected of typosquatting.
1.0::trigger(malware_high_confidence_4) :-
quickUndetailed,
forceSetup,
failed(typosquatting_presence).
% Package forces setup.py to run, has a high version number and is not intended to be a stub package.
1.0::trigger(malware_high_confidence_5) :-
forceSetup,
failed(stub_name),
failed(anomalous_version).
% Package released recently with little detail, with multiple releases as a trust marker, but frequent and with
% the same code.
0.7::trigger(malware_medium_confidence_1) :-
quickUndetailed,
failed(high_release_frequency),
failed(unchanged_release),
passed(suspicious_setup).
% Package released recently with little detail and an anomalous version number for a single-release package. The
% package is not intended to be a stub package.
0.7::trigger(malware_medium_confidence_2) :-
quickUndetailed,
failed(one_release),
failed(anomalous_version),
failed(type_stub_file),
failed(package_description_intent).
% Package has no links, one release or multiple quick releases, and a suspicious maintainer who recently
% joined, has a fake email address, and other similarly-structured projects.
0.7::trigger(malware_medium_confidence_3) :-
quickUndetailed,
failed(similar_projects),
failed(one_release),
failed(fake_email).
0.7::trigger(malware_medium_confidence_4) :-
quickUndetailed,
failed(similar_projects),
failed(high_release_frequency),
failed(fake_email).
% ----- Evaluation -----
% Aggregate result
result :- trigger(malware_high_confidence_1).
result :- trigger(malware_high_confidence_2).
result :- trigger(malware_high_confidence_3).
result :- trigger(malware_high_confidence_4).
result :- trigger(malware_high_confidence_5).
result :- trigger(malware_medium_confidence_1).
result :- trigger(malware_medium_confidence_2).
result :- trigger(malware_medium_confidence_3).
result :- trigger(malware_medium_confidence_4).
query(result).
% Explainability
query(trigger(_)).
2025-11-27 10:36:35,807 [macaron.slsa_analyzer.checks.detect_malicious_metadata_check:analyze_source:144] [DEBUG] Instantiating PyPISourcecodeAnalyzer
2025-11-27 10:36:35,807 [macaron.malware_analyzer.pypi_heuristics.sourcecode.pypi_sourcecode_analyzer:_load_defaults:112] [DEBUG] No custom path listed under custom_semgrep_rules_path, using default rules only.
2025-11-27 10:36:35,819 [macaron.malware_analyzer.pypi_heuristics.sourcecode.pypi_sourcecode_analyzer:_load_defaults:182] [DEBUG] Disabling the following rules: {'exfiltration_remote-exfiltration'}.
2025-11-27 10:36:35,819 [macaron.slsa_analyzer.checks.base_check:run:118] [INFO] Check mcn_detect_malicious_metadata_1 run PASSED on target pkg:pypi/arrow@1.3.0.
2025-11-27 10:36:35,820 [macaron.slsa_analyzer.checks.base_check:run:124] [DEBUG] Check result: [(<Confidence.HIGH: 1.0>, ['result: {"empty_project_link": "PASS", "source_code_repo": "PASS", "one_release": "PASS", "high_release_frequency": "PASS", "unchanged_release": "SKIP", "closer_release_join_date": "FAIL", "suspicious_setup": "PASS", "wheel_absence": "PASS", "anomalous_version": "SKIP", "typosquatting_presence": "PASS", "fake_email": "PASS", "similar_projects": "SKIP", "package_description_intent": "FAIL", "type_stub_file": "FAIL", "suspicious_patterns": "SKIP"}'])]
2025-11-27 10:36:35,820 [macaron.slsa_analyzer.checks.base_check:run:100] [INFO] ----------------------------------
2025-11-27 10:36:35,820 [macaron.slsa_analyzer.checks.base_check:run:101] [INFO] BEGIN CHECK: mcn_scm_authenticity_1
2025-11-27 10:36:35,820 [macaron.slsa_analyzer.checks.base_check:run:102] [INFO] ----------------------------------
2025-11-27 10:36:35,820 [macaron.util:send_get_http_raw:166] [DEBUG] GET - https://api.deps.dev/v3alpha/projects/github.com%2Farrow-py%2Farrow
2025-11-27 10:36:35,970 [macaron.slsa_analyzer.checks.base_check:run:118] [INFO] Check mcn_scm_authenticity_1 run UNKNOWN on target pkg:pypi/arrow@1.3.0.
2025-11-27 10:36:35,970 [macaron.slsa_analyzer.checks.base_check:run:124] [DEBUG] Check result: [(<Confidence.MEDIUM: 0.7>, ['stars_count: 8963', 'fork_count: 701', 'status: unknown', 'reason: unsupported_type', 'build_tool: flit', {'repo_link': 'https://github.com/arrow-py/arrow'}]), (<Confidence.MEDIUM: 0.7>, ['stars_count: 8963', 'fork_count: 701', 'status: unknown', 'reason: unsupported_type', 'build_tool: pip', {'repo_link': 'https://github.com/arrow-py/arrow'}])]
2025-11-27 10:36:35,970 [macaron.slsa_analyzer.checks.base_check:run:100] [INFO] ----------------------------------
2025-11-27 10:36:35,970 [macaron.slsa_analyzer.checks.base_check:run:101] [INFO] BEGIN CHECK: mcn_provenance_derived_commit_1
2025-11-27 10:36:35,970 [macaron.slsa_analyzer.checks.base_check:run:102] [INFO] ----------------------------------
2025-11-27 10:36:35,971 [macaron.slsa_analyzer.checks.base_check:run:118] [INFO] Check mcn_provenance_derived_commit_1 run FAILED on target pkg:pypi/arrow@1.3.0.
2025-11-27 10:36:35,971 [macaron.slsa_analyzer.checks.base_check:run:124] [DEBUG] Check result: [(<Confidence.HIGH: 1.0>, ['Not Available.'])]
2025-11-27 10:36:35,971 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Provenance conforms with expectations: set to False.
2025-11-27 10:36:35,971 [macaron.slsa_analyzer.checks.base_check:run:100] [INFO] ----------------------------------
2025-11-27 10:36:35,971 [macaron.slsa_analyzer.checks.base_check:run:101] [INFO] BEGIN CHECK: mcn_provenance_derived_repo_1
2025-11-27 10:36:35,971 [macaron.slsa_analyzer.checks.base_check:run:102] [INFO] ----------------------------------
2025-11-27 10:36:35,971 [macaron.slsa_analyzer.checks.base_check:run:118] [INFO] Check mcn_provenance_derived_repo_1 run FAILED on target pkg:pypi/arrow@1.3.0.
2025-11-27 10:36:35,971 [macaron.slsa_analyzer.checks.base_check:run:124] [DEBUG] Check result: [(<Confidence.HIGH: 1.0>, ['Not Available.'])]
2025-11-27 10:36:35,971 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Provenance conforms with expectations: set to False.
2025-11-27 10:36:35,971 [macaron.slsa_analyzer.checks.base_check:run:100] [INFO] ----------------------------------
2025-11-27 10:36:35,971 [macaron.slsa_analyzer.checks.base_check:run:101] [INFO] BEGIN CHECK: mcn_provenance_verified_1
2025-11-27 10:36:35,971 [macaron.slsa_analyzer.checks.base_check:run:102] [INFO] ----------------------------------
2025-11-27 10:36:35,971 [macaron.slsa_analyzer.checks.base_check:run:118] [INFO] Check mcn_provenance_verified_1 run FAILED on target pkg:pypi/arrow@1.3.0.
2025-11-27 10:36:35,971 [macaron.slsa_analyzer.checks.base_check:run:124] [DEBUG] Check result: [(<Confidence.HIGH: 1.0>, ['Not Available.'])]
2025-11-27 10:36:35,971 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Provenance conforms with expectations: set to False.
2025-11-27 10:36:35,971 [macaron.slsa_analyzer.checks.base_check:run:100] [INFO] ----------------------------------
2025-11-27 10:36:35,971 [macaron.slsa_analyzer.checks.base_check:run:101] [INFO] BEGIN CHECK: mcn_provenance_expectation_1
2025-11-27 10:36:35,971 [macaron.slsa_analyzer.checks.base_check:run:102] [INFO] ----------------------------------
2025-11-27 10:36:35,972 [macaron.slsa_analyzer.checks.base_check:run:110] [DEBUG] Check mcn_provenance_expectation_1 is skipped on target pkg:pypi/arrow@1.3.0, comment: Check mcn_provenance_expectation_1 is set to FAILED because mcn_provenance_available_1 FAILED.
2025-11-27 10:36:35,972 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Provenance conforms with expectations: set to False.
2025-11-27 10:36:35,972 [macaron.slsa_analyzer.checks.base_check:run:100] [INFO] ----------------------------------
2025-11-27 10:36:35,972 [macaron.slsa_analyzer.checks.base_check:run:101] [INFO] BEGIN CHECK: mcn_provenance_witness_level_one_1
2025-11-27 10:36:35,972 [macaron.slsa_analyzer.checks.base_check:run:102] [INFO] ----------------------------------
2025-11-27 10:36:35,972 [macaron.slsa_analyzer.checks.base_check:run:110] [DEBUG] Check mcn_provenance_witness_level_one_1 is skipped on target pkg:pypi/arrow@1.3.0, comment: Check mcn_provenance_witness_level_one_1 is set to FAILED because mcn_provenance_available_1 FAILED.
2025-11-27 10:36:35,972 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Provenance - Available: set to False.
2025-11-27 10:36:35,972 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Provenance content - Identifies build instructions: set to False.
2025-11-27 10:36:35,972 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Provenance content - Identifies artifacts: set to False.
2025-11-27 10:36:35,972 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Provenance content - Identifies builder: set to False.
2025-11-27 10:36:35,972 [macaron.slsa_analyzer.checks.base_check:run:100] [INFO] ----------------------------------
2025-11-27 10:36:35,972 [macaron.slsa_analyzer.checks.base_check:run:101] [INFO] BEGIN CHECK: mcn_build_script_1
2025-11-27 10:36:35,972 [macaron.slsa_analyzer.checks.base_check:run:102] [INFO] ----------------------------------
2025-11-27 10:36:35,973 [macaron.slsa_analyzer.checks.base_check:run:118] [INFO] Check mcn_build_script_1 run PASSED on target pkg:pypi/arrow@1.3.0.
2025-11-27 10:36:35,973 [macaron.slsa_analyzer.checks.base_check:run:124] [DEBUG] Check result: [(<Confidence.HIGH: 1.0>, ['build_tool_name: pip', 'ci_service_name: github_actions', 'language: BuildLanguage.PYTHON', 'build_tool_command: ["pip", "install", "-U", "pip", "setuptools", "wheel"]', {'build_trigger': 'https://github.com/arrow-py/arrow/blob/87a1a774aad0505d9da18ad1d16f6e571f262503/.github/workflows/continuous_integration.yml'}]), (<Confidence.HIGH: 1.0>, ['build_tool_name: pip', 'ci_service_name: github_actions', 'language: BuildLanguage.PYTHON', 'build_tool_command: ["pip", "install", "-U", "pip", "setuptools", "wheel"]', {'build_trigger': 'https://github.com/arrow-py/arrow/blob/87a1a774aad0505d9da18ad1d16f6e571f262503/.github/workflows/continuous_integration.yml'}]), (<Confidence.HIGH: 1.0>, ['build_tool_name: pip', 'ci_service_name: github_actions', 'language: BuildLanguage.PYTHON', 'build_tool_command: ["pip", "install", "-U", "tox", "tox-gh-actions"]', {'build_trigger': 'https://github.com/arrow-py/arrow/blob/87a1a774aad0505d9da18ad1d16f6e571f262503/.github/workflows/continuous_integration.yml'}]), (<Confidence.HIGH: 1.0>, ['build_tool_name: pip', 'ci_service_name: github_actions', 'language: BuildLanguage.PYTHON', 'build_tool_command: ["pip", "install", "-U", "tox"]', {'build_trigger': 'https://github.com/arrow-py/arrow/blob/87a1a774aad0505d9da18ad1d16f6e571f262503/.github/workflows/continuous_integration.yml'}]), (<Confidence.HIGH: 1.0>, ['build_tool_name: pip', 'ci_service_name: github_actions', 'language: BuildLanguage.PYTHON', 'build_tool_command: ["pip", "install", "-U", "pip", "setuptools", "wheel"]', {'build_trigger': 'https://github.com/arrow-py/arrow/blob/87a1a774aad0505d9da18ad1d16f6e571f262503/.github/workflows/release.yml'}]), (<Confidence.HIGH: 1.0>, ['build_tool_name: pip', 'ci_service_name: github_actions', 'language: BuildLanguage.PYTHON', 'build_tool_command: ["pip", "install", "-U", "tox"]', {'build_trigger': 'https://github.com/arrow-py/arrow/blob/87a1a774aad0505d9da18ad1d16f6e571f262503/.github/workflows/release.yml'}])]
2025-11-27 10:36:35,974 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Scripted Build: set to True.
2025-11-27 10:36:35,974 [macaron.slsa_analyzer.checks.base_check:run:100] [INFO] ----------------------------------
2025-11-27 10:36:35,974 [macaron.slsa_analyzer.checks.base_check:run:101] [INFO] BEGIN CHECK: mcn_build_tool_1
2025-11-27 10:36:35,974 [macaron.slsa_analyzer.checks.base_check:run:102] [INFO] ----------------------------------
2025-11-27 10:36:35,974 [macaron.slsa_analyzer.checks.base_check:run:118] [INFO] Check mcn_build_tool_1 run PASSED on target pkg:pypi/arrow@1.3.0.
2025-11-27 10:36:35,974 [macaron.slsa_analyzer.checks.base_check:run:124] [DEBUG] Check result: [(<Confidence.HIGH: 1.0>, ['build_tool_name: flit', 'language: python']), (<Confidence.HIGH: 1.0>, ['build_tool_name: pip', 'language: python'])]
2025-11-27 10:36:35,974 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Scripted Build: set to True.
2025-11-27 10:36:35,974 [macaron.slsa_analyzer.checks.base_check:run:100] [INFO] ----------------------------------
2025-11-27 10:36:35,974 [macaron.slsa_analyzer.checks.base_check:run:101] [INFO] BEGIN CHECK: mcn_githubactions_vulnerabilities_1
2025-11-27 10:36:35,974 [macaron.slsa_analyzer.checks.base_check:run:102] [INFO] ----------------------------------
2025-11-27 10:36:35,974 [macaron.util:send_post_http_raw:235] [DEBUG] POST - https://api.osv.dev/v1/querybatch
2025-11-27 10:36:36,495 [macaron.slsa_analyzer.checks.base_check:run:118] [INFO] Check mcn_githubactions_vulnerabilities_1 run PASSED on target pkg:pypi/arrow@1.3.0.
2025-11-27 10:36:36,495 [macaron.slsa_analyzer.checks.base_check:run:124] [DEBUG] Check result: [(<Confidence.HIGH: 1.0>, ['Not Available.'])]
2025-11-27 10:36:36,495 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Security: set to True.
2025-11-27 10:36:36,495 [macaron.slsa_analyzer.checks.base_check:run:100] [INFO] ----------------------------------
2025-11-27 10:36:36,495 [macaron.slsa_analyzer.checks.base_check:run:101] [INFO] BEGIN CHECK: mcn_trusted_builder_level_three_1
2025-11-27 10:36:36,495 [macaron.slsa_analyzer.checks.base_check:run:102] [INFO] ----------------------------------
2025-11-27 10:36:36,496 [macaron.slsa_analyzer.checks.trusted_builder_l3_check:run_check:126] [DEBUG] Workflow release.yml is not relevant. Skipping...
2025-11-27 10:36:36,496 [macaron.slsa_analyzer.checks.trusted_builder_l3_check:run_check:126] [DEBUG] Workflow continuous_integration.yml is not relevant. Skipping...
2025-11-27 10:36:36,496 [macaron.slsa_analyzer.checks.base_check:run:118] [INFO] Check mcn_trusted_builder_level_three_1 run FAILED on target pkg:pypi/arrow@1.3.0.
2025-11-27 10:36:36,496 [macaron.slsa_analyzer.checks.base_check:run:124] [DEBUG] Check result: [(<Confidence.HIGH: 1.0>, ['Not Available.'])]
2025-11-27 10:36:36,496 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Hermetic: set to False.
2025-11-27 10:36:36,496 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Isolated: set to False.
2025-11-27 10:36:36,496 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Parameterless: set to False.
2025-11-27 10:36:36,496 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Ephemeral environment: set to False.
2025-11-27 10:36:36,496 [macaron.slsa_analyzer.checks.base_check:run:100] [INFO] ----------------------------------
2025-11-27 10:36:36,496 [macaron.slsa_analyzer.checks.base_check:run:101] [INFO] BEGIN CHECK: mcn_build_as_code_1
2025-11-27 10:36:36,496 [macaron.slsa_analyzer.checks.base_check:run:102] [INFO] ----------------------------------
2025-11-27 10:36:36,497 [macaron.slsa_analyzer.checks.base_check:run:118] [INFO] Check mcn_build_as_code_1 run FAILED on target pkg:pypi/arrow@1.3.0.
2025-11-27 10:36:36,497 [macaron.slsa_analyzer.checks.base_check:run:124] [DEBUG] Check result: [(<Confidence.HIGH: 1.0>, ['Not Available.'])]
2025-11-27 10:36:36,497 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Build as code: set to False.
2025-11-27 10:36:36,497 [macaron.slsa_analyzer.checks.base_check:run:100] [INFO] ----------------------------------
2025-11-27 10:36:36,497 [macaron.slsa_analyzer.checks.base_check:run:101] [INFO] BEGIN CHECK: mcn_build_service_1
2025-11-27 10:36:36,497 [macaron.slsa_analyzer.checks.base_check:run:102] [INFO] ----------------------------------
2025-11-27 10:36:36,498 [macaron.slsa_analyzer.checks.base_check:run:118] [INFO] Check mcn_build_service_1 run FAILED on target pkg:pypi/arrow@1.3.0.
2025-11-27 10:36:36,498 [macaron.slsa_analyzer.checks.base_check:run:124] [DEBUG] Check result: [(<Confidence.HIGH: 1.0>, ['Not Available.'])]
2025-11-27 10:36:36,498 [macaron.slsa_analyzer.analyze_context:update_req_status:197] [DEBUG] Update requirement Build service: set to False.
2025-11-27 10:36:36,498 [macaron.slsa_analyzer.checks.base_check:run:100] [INFO] ----------------------------------
2025-11-27 10:36:36,498 [macaron.slsa_analyzer.checks.base_check:run:101] [INFO] BEGIN CHECK: mcn_find_artifact_pipeline_1
2025-11-27 10:36:36,498 [macaron.slsa_analyzer.checks.base_check:run:102] [INFO] ----------------------------------
2025-11-27 10:36:36,498 [macaron.slsa_analyzer.checks.base_check:run:110] [DEBUG] Check mcn_find_artifact_pipeline_1 is skipped on target pkg:pypi/arrow@1.3.0, comment: Check mcn_find_artifact_pipeline_1 is set to SKIPPED because mcn_build_as_code_1 FAILED.
2025-11-27 10:36:36,498 [macaron.slsa_analyzer.analyzer:run:215] [INFO] Skipping automatic dependency analysis...
2025-11-27 10:36:36,499 [macaron.slsa_analyzer.analyzer:run:273] [INFO] Found no dependencies to analyze.
2025-11-27 10:36:36,499 [macaron.slsa_analyzer.database_store:store_analyze_context_to_db:24] [DEBUG] Inserting result of pkg:pypi/arrow@1.3.0 to macaron.db
2025-11-27 10:36:36,514 [macaron.output_reporter.reporter:write_file:65] [INFO] Writing to file output/reports/pypi/arrow/arrow.html
2025-11-27 10:36:36,515 [macaron.output_reporter.reporter:write_file:65] [INFO] Writing to file output/reports/pypi/arrow/dependencies.json
2025-11-27 10:36:36,516 [macaron.output_reporter.reporter:write_file:65] [INFO] Writing to file output/reports/pypi/arrow/arrow.json
2025-11-27 10:36:36,516 [macaron.slsa_analyzer.analyzer:run:294] [DEBUG]
pkg:pypi/arrow@1.3.0 ANALYSIS RESULT:
CHECK RESULTS:
Check mcn_provenance_available_1: Check whether the target has intoto provenance.
FAILED
Check mcn_version_control_system_1: Check whether the target repo uses a version control system.
PASSED
Check mcn_detect_malicious_metadata_1: Check if the package is malicious.
PASSED
Check mcn_scm_authenticity_1: Check whether the claims of a source repository provenance made by a package can be corroborated. At this moment, this check only supports Maven packages, or packages with a from-provenance repository, and returns UNKNOWN for others.
UNKNOWN
Check mcn_provenance_derived_commit_1: Check whether the commit came from provenance.
FAILED
Check mcn_provenance_derived_repo_1: Check whether the repo came from provenance.
FAILED
Check mcn_provenance_verified_1: Check whether the provenance is verified.
FAILED
Check mcn_provenance_expectation_1: Check whether the SLSA provenance for the produced artifact conforms to the expected value.
FAILED
Check mcn_provenance_witness_level_one_1: Check whether the target has a level-1 witness provenance.
FAILED
Check mcn_build_script_1: Check if the target repo has a valid build script.
PASSED
Check mcn_build_tool_1: Detect the build tool used in the source code repository to build the software component.
PASSED
Check mcn_githubactions_vulnerabilities_1: Check whether the GitHub Actions called from the corresponding repo have known vulnerabilities..
PASSED
Check mcn_trusted_builder_level_three_1: Check whether the target uses a trusted SLSA level 3 builder.
FAILED
Check mcn_build_as_code_1: Check if the build definition and configuration executed by the build service is verifiably derived from text file definitions stored in a version control system.
FAILED
Check mcn_build_service_1: Check if the target repo has a valid build service.
FAILED
Check mcn_find_artifact_pipeline_1: Detects pipelines from which an artifact is published.
When a verifiable provenance is found for an artifact, we use it to obtain the pipeline trigger.
SKIPPED
5 checks PASSED
9 checks FAILED
1 checks SKIPPED
0 checks DISABLED
1 checks UNKNOWN
SLSA REQUIREMENT RESULTS:
SLSA Level 1:
- Scripted build: PASSED
- Provenance - available: FAILED
- Provenance content - identifies artifacts: FAILED
- Provenance content - identifies builder: FAILED
- Provenance content - identifies build instructions: FAILED
SLSA Level 2:
- Version controlled: PASSED
- Build service: FAILED
SLSA Level 3:
- Build as code: FAILED
- Ephemeral environment: FAILED
- Isolated: FAILED
- Provenance conforms with expectations: FAILED
SLSA Level 4:
- Parameterless: FAILED
- Hermetic: FAILED
- Security: PASSED
2025-11-27 10:36:36,517 [macaron.slsa_analyzer.analyzer:run:298] [INFO] The PURL string for the main target software component in this analysis is 'pkg:pypi/arrow@1.3.0'.
2025-11-27 10:36:36,517 [macaron.slsa_analyzer.analyzer:run:302] [INFO] Analysis Completed!
Environment Information
Operating System: macOS Sequoia 15.7.2
CPU architecture information: Apple M2 Pro
Bash Version: 5.3.3(1)-release
Docker or Podman Version: docker version 5.6.0
I am building Macaron from source on the main branch
Macaron Version: macaron 0.17.0
Screenshots or Logs
