Skip to content

chore: improve max download restrictions for malicious metadata tutorial #1188

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Sep 26, 2025
Merged

chore: improve max download restrictions for malicious metadata tutorial #1188

merged 4 commits into from
Sep 26, 2025

Conversation

@art1f1c3R
Copy link
Member

@art1f1c3R art1f1c3R commented Sep 26, 2025
edited
Loading

Summary

Changes the behaviour and way max_download_size is accessed with respect to package source code analysis.

Description of changes

This PR makes two main changes. It moves the max_download_size configuration from slsa.verifier to downloads in defaults.ini, and adds a new function can_download_file that is used to check first if the source code of a package can be downloaded before acting upon this information. This is useful in DetectMaliciousMetadataCheck.analyze_source to ensure that a HeuristicAnalyzerValueError is not raised, and a subsequent UNKNOWN result is not returned if the file limit stops the source code from being downloaded.

This PR also updates the tutorial documentation to describe the changes needed to ensure some larger packages are downloaded when analyzing the source code.

Checklist

  • I have reviewed the contribution guide.
  • My PR title and commits follow the Conventional Commits convention.
  • My commits include the "Signed-off-by" line.
  • I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
  • I have updated the relevant documentation, if applicable.
  • I have tested my changes and verified they work as expected.

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Sep 26, 2025
@art1f1c3R
chore: check file size limit before downloading source and skip to pr…
dcf073a 
…event loss of result

Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
@art1f1c3R
chore: move max_download_size from slsa.verifier to downloads
162680d 
Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
@art1f1c3R
fix: can_download_source was not looking at downloads
ac482fb 
Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
@art1f1c3R
docs: include information in tutorial on download size for source cod…
306c5fb 
…e analysis

Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
@art1f1c3R art1f1c3R marked this pull request as ready for review September 26, 2025 06:11
@art1f1c3R art1f1c3R force-pushed the art1f1c3R/tutorial-sourcecode-download branch from 25372f0 to 306c5fb Compare September 26, 2025 06:13
@art1f1c3R art1f1c3R merged commit a9a1ecf into main Sep 26, 2025
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@behnazh-w behnazh-w behnazh-w approved these changes

Assignees

No one assigned

Labels

OCA Verified All contributors have signed the Oracle Contributor Agreement.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@art1f1c3R @behnazh-w