From c15353b4c285267ca2f6bd2c6245c41639ffa465 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Mon, 21 Aug 2023 16:45:08 +1000 Subject: [PATCH 1/4] docs: add supported technologies page Signed-off-by: Nathan Nguyen --- docs/source/index.rst | 9 +++ .../pages/supported_technologies/index.rst | 69 +++++++++++++++++++ .../pages/supported_technologies/jfrog.rst | 3 + .../pages/supported_technologies/witness.rst | 3 + 4 files changed, 84 insertions(+) create mode 100644 docs/source/pages/supported_technologies/index.rst create mode 100644 docs/source/pages/supported_technologies/jfrog.rst create mode 100644 docs/source/pages/supported_technologies/witness.rst diff --git a/docs/source/index.rst b/docs/source/index.rst index 9ac24183e..892901ed4 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -29,6 +29,14 @@ Macaron is an analysis tool which focuses on the build process for an artifact a are at a high-level, Macaron first defines these requirements as specific concrete rules that can be checked automatically. Macaron has a customizable checker platform that makes it easy to define checks that depend on each other. +--------------- +Getting started +--------------- + +To start with Macaron, see our :doc:`Installation ` and :doc:`Using ` pages. + +For all services and technologies that Macaron supports, see our :doc:`Supported Technologies ` page. + ------------------------- Current checks in Macaron ------------------------- @@ -91,4 +99,5 @@ intermediate representations as abstractions. Using such abstractions, Macaron i pages/using pages/output_files pages/cli_usage/index + pages/supported_technologies/index pages/apidoc/index diff --git a/docs/source/pages/supported_technologies/index.rst b/docs/source/pages/supported_technologies/index.rst new file mode 100644 index 000000000..1801ff653 --- /dev/null +++ b/docs/source/pages/supported_technologies/index.rst 
@@ -0,0 +1,69 @@ +====================== +Supported Technologies +====================== + +------------ +Git Services +------------ + +.. list-table:: + :header-rows: 1 + + * - Git Service + * - `GitHub `_ + * - `GitLab `_ + +------------ +CI Services +------------ + +.. list-table:: + :header-rows: 1 + + * - CI Service + * - `GitHub Actions `_ + + +------------------ +Package Registries +------------------ + +.. list-table:: + :widths: 25 50 25 + :header-rows: 1 + + * - Package Registry + - Support + - Documentation + * - `JFrog Artifactory `_ + - Only projects built with Gradle and publishing to a JFrog Artifactory repo following `Maven layout `_ + - :doc:`page ` + +----------- +Provenances +----------- + +.. list-table:: + :widths: 25 50 25 + :header-rows: 1 + + * - Provenance + - Support + - Documentation + * - `SLSA `_ + - Only provenances under `SLSA version 0.2 `_. + - :doc:`page ` + * - `Witness `_ + - * Only provenances under Witness version 0.1 + * Only projects built with Gradle on GitLab CI provenances and publishing provenances to JFrog Artifactory + - :doc:`page ` + +-------- +See also +-------- + +.. toctree:: + :maxdepth: 1 + + jfrog + witness diff --git a/docs/source/pages/supported_technologies/jfrog.rst b/docs/source/pages/supported_technologies/jfrog.rst new file mode 100644 index 000000000..37c73e27d --- /dev/null +++ b/docs/source/pages/supported_technologies/jfrog.rst @@ -0,0 +1,3 @@ +================= +JFrog Artifactory +================= diff --git a/docs/source/pages/supported_technologies/witness.rst b/docs/source/pages/supported_technologies/witness.rst new file mode 100644 index 000000000..96c177161 --- /dev/null +++ b/docs/source/pages/supported_technologies/witness.rst @@ -0,0 +1,3 @@ +======= +Witness +======= From 2c7b154f223f0f88f74212a6b86415b017b7cd79 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Mon, 21 Aug 2023 16:55:23 +1000 Subject: [PATCH 2/4] chore: add copyright headers for newly created rst files 
Signed-off-by: Nathan Nguyen --- docs/source/pages/supported_technologies/index.rst | 3 +++ docs/source/pages/supported_technologies/jfrog.rst | 3 +++ docs/source/pages/supported_technologies/witness.rst | 3 +++ 3 files changed, 9 insertions(+) diff --git a/docs/source/pages/supported_technologies/index.rst b/docs/source/pages/supported_technologies/index.rst index 1801ff653..f8c0a635b 100644 --- a/docs/source/pages/supported_technologies/index.rst +++ b/docs/source/pages/supported_technologies/index.rst @@ -1,3 +1,6 @@ +.. Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. +.. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. + ====================== Supported Technologies ====================== diff --git a/docs/source/pages/supported_technologies/jfrog.rst b/docs/source/pages/supported_technologies/jfrog.rst index 37c73e27d..e20721b3c 100644 --- a/docs/source/pages/supported_technologies/jfrog.rst +++ b/docs/source/pages/supported_technologies/jfrog.rst @@ -1,3 +1,6 @@ +.. Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. +.. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. + ================= JFrog Artifactory ================= diff --git a/docs/source/pages/supported_technologies/witness.rst b/docs/source/pages/supported_technologies/witness.rst index 96c177161..2373aa81f 100644 --- a/docs/source/pages/supported_technologies/witness.rst +++ b/docs/source/pages/supported_technologies/witness.rst @@ -1,3 +1,6 @@ +.. Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. +.. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. + ======= Witness ======= From cbc7793b3950fbed6dd4c6e517ecc8601ae7e05f Mon Sep 17 00:00:00 2001 
From: Nathan Nguyen Date: Tue, 22 Aug 2023 14:13:40 +1000 Subject: [PATCH 3/4] chore: add witness check to check table Signed-off-by: Nathan Nguyen --- docs/source/index.rst | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/source/index.rst b/docs/source/index.rst index 892901ed4..df9215055 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -57,8 +57,11 @@ the requirements that are currently supported by Macaron. - **Scripted build** - All build steps were fully defined in a “build script”. - Identify and validate build script(s). * - 1 - - **Provenance available** - The provenance is available. - - Check for existence of SLSA provenance. If there are no SLSA provenance, the repo can still be compliant to level 1 given the build script is available. + - **Provenance available** - Provenances are available. + - Check for existence of provenances, which can be SLSA or Witness provenances. If there is no provenance, the repo can still be compliant to level 1 given the build script is available. + * - 1 + - **Witness provenance** - One or more Witness provenances are discovered. + - Check for existence of Witness provenances, and whether artifact digests match those in the provenances. * - 2 - **Build service** - All build steps are run using some build service (e.g. GitHub Actions) - Identify and validate the CI service(s) used for the build process. From 9e4dfa13baad22ecc0215160ac96dd6a54c6771c Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Tue, 22 Aug 2023 16:50:06 +1000 Subject: [PATCH 4/4] chore: add links for witness Signed-off-by: Nathan Nguyen --- docs/source/index.rst | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/source/index.rst b/docs/source/index.rst index df9215055..54cb5e964 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst 
@@ -7,6 +7,9 @@ :description: macaron - A CI/CD security analysis tool for supply-chain attacks :keywords: CI/CD, SLSA, supply-chain security +.. References/links +.. _Witness: https://github.com/testifysec/witness + ===================== Macaron documentation ===================== @@ -58,10 +61,10 @@ the requirements that are currently supported by Macaron. - Identify and validate build script(s). * - 1 - **Provenance available** - Provenances are available. - - Check for existence of provenances, which can be SLSA or Witness provenances. If there is no provenance, the repo can still be compliant to level 1 given the build script is available. + - Check for existence of provenances, which can be SLSA or `Witness`_ provenances. If there is no provenance, the repo can still be compliant to level 1 given the build script is available. * - 1 - - **Witness provenance** - One or more Witness provenances are discovered. - - Check for existence of Witness provenances, and whether artifact digests match those in the provenances. + - **Witness provenance** - One or more `Witness`_ provenances are discovered. + - Check for existence of `Witness`_ provenances, and whether artifact digests match those in the provenances. * - 2 - **Build service** - All build steps are run using some build service (e.g. GitHub Actions) - Identify and validate the CI service(s) used for the build process.
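Review bot: the three `:doc:` roles in the "Getting started" hunk of docs/source/index.rst (patch 1/4) show only link text, `:doc:`Installation ``, `:doc:`Using `` and `:doc:`Supported Technologies ``, with nothing visible after it; confirm each carries an explicit angle-bracket target such as `pages/using` and `pages/supported_technologies/index` (the same paths this hunk adds to the toctree), because a `:doc:` role that cannot be resolved only yields a Sphinx warning and an unlinked label, so the breakage is easy to miss in a green build.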
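Review bot: the SLSA row of docs/source/pages/supported_technologies/index.rst (patch 1/4) links to a documentation `page`, but the patch only creates jfrog.rst and witness.rst and the "See also" toctree lists only `jfrog` and `witness`; either add the SLSA page or drop the link until it exists, otherwise it will be reported as an unresolved document. While here: the Witness support cell "Only projects built with Gradle on GitLab CI provenances and publishing provenances to JFrog Artifactory" reads better as "Only projects built with Gradle on GitLab CI that publish their provenances to JFrog Artifactory", and "Only provenances under Witness version 0.1" would be more useful with a link to the version spec, as the SLSA row already does for version 0.2. The Git Service and CI Service tables have a single column, so a plain bullet list would render the same information with less markup.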
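Review bot: the two new pages jfrog.rst and witness.rst (patch 1/4) contain only a title, yet the Support table already points readers at them as the place that documents the JFrog Artifactory and Witness restrictions; add at least a one-sentence summary of the supported configuration (the Gradle, Maven-layout and Witness 0.1 constraints stated in the table) so the links do not land on an empty page, or hold the links until the pages have content.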
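Review bot: the header `.. Copyright (c) 2023 - 2023, Oracle and/or its affiliates.` added to all three .rst files (patch 2/4) uses a one-year range; keep it only if it matches the exact header the repository's existing .rst files carry, since header checks usually compare the line verbatim, otherwise a bare `2023` is cleaner.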
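Review bot: in the check-table hunk of docs/source/index.rst (patch 3/4), the new level-1 row "Check for existence of Witness provenances, and whether artifact digests match those in the provenances." folds a digest-verification step into a row whose title only promises discovery, and it overlaps the row directly above, which now also counts Witness provenances under "Provenance available"; state whether a digest mismatch fails the check (that is a verification outcome, not availability) so readers mapping check results to levels are not misled. Two wording points in the same hunk: "compliant to level 1" should be "compliant with level 1", and "Provenances are available" reads more naturally as "A provenance is available".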
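Review bot: the `.. _Witness: https://github.com/testifysec/witness` target added above the title in docs/source/index.rst (patch 4/4) is scoped to that file, so the `Witness`_ references in this hunk resolve, but the same name cannot be reused from docs/source/pages/supported_technologies/index.rst, which still carries its own inline link; if the target is meant to be shared, define it once in `rst_epilog` in conf.py, otherwise the two links will drift apart when the URL changes.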