oracle / macaron

Macaron is an extensible supply-chain security analysis framework from Oracle Labs that supports a wide range of build systems and CI/CD services. It can be used to prevent supply chain attacks, detect malicious Python packages, or check conformance to frameworks, such as SLSA. Documentation:
https://oracle.github.io/macaron/
Universal Permissive License v1.0

Discuss OpenChain and ISO compliance #870

Open jenstroeger opened 2 months ago

jenstroeger commented 2 months ago

The OpenChain project maintains two ISO standards related to software supply chains (ISO/IEC 5230 and ISO/IEC 18974), and for more context see also Transforming the Supply Chain with Openchain.

I’ve not yet noodled through these sources thoroughly and in depth, but I wanted to start a discussion on whether it would make sense for Macaron to provide a set of policies that check for compliance. In other words: if a package passes those policies it would comply with the OpenChain & ISO requirements.

behnazh-w commented 2 months ago

Thanks @jenstroeger. To enable Macaron to check compliance with these ISO standards, we need to first identify which additional checks are required to collect the required evidence. Then we can design Datalog policies that enforce compliance with each standard.

The current checks in Macaron are listed here. We need to determine which additional checks are required.

We also need to create new Datalog policies. The policy that the Graal Development Kit (GDK) team is using in their build pipeline for SLSA compliance can be found here as an example. We can add similar policies for the ISO standards that verify the relevant checks in Macaron pass.
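As an added illustration of the approach described above (not code from the Macaron project or from either commenter), here is the shape such a policy could take in Macaron's Souffle Datalog policy format, assuming the prelude relations `is_component`, `check_passed`, `Policy` and `apply_policy_to` as documented for Macaron. The `mcn_iso5230_*` check IDs are hypothetical placeholders for checks that do not exist yet, and the mapping of ISO/IEC 5230 requirements to checks is assumed for illustration, not taken from the standard.

```datalog
#include "prelude.dl"

/* Hypothetical: one check per item of evidence the standard asks for.
 * The mcn_iso5230_* IDs are placeholders; Macaron does not ship them.
 * mcn_version_control_system_1 is an existing Macaron check, assumed
 * here to cover the "source under version control" evidence. */
.decl iso_5230_requirement(check_id: symbol)
iso_5230_requirement("mcn_iso5230_sbom_available_1").      /* hypothetical */
iso_5230_requirement("mcn_iso5230_license_identified_1").  /* hypothetical */
iso_5230_requirement("mcn_version_control_system_1").

/* Record every required check that did not pass for a component,
 * so a failing policy can be explained by listing the gaps. */
.decl iso_5230_missing(component_id: number, check_id: symbol)
iso_5230_missing(component_id, check_id) :-
    is_component(component_id, _),
    iso_5230_requirement(check_id),
    !check_passed(component_id, check_id).

/* The component complies only when no required check is missing. */
Policy("openchain-iso-5230", component_id, "") :-
    is_component(component_id, _),
    !iso_5230_missing(component_id, _).

/* Apply the policy to every PyPI component in the analysis results
 * (the PURL pattern is an assumed scope for this illustration). */
apply_policy_to("openchain-iso-5230", component_id) :-
    is_component(component_id, purl),
    match("pkg:pypi/.*", purl).
```

The `iso_5230_missing` relation doubles as a report: querying it after a failed policy run shows exactly which pieces of evidence are absent for a component.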