diff --git a/src/macaron/__main__.py b/src/macaron/__main__.py
index d1180d9bb..ee78d6acd 100644
--- a/src/macaron/__main__.py
+++ b/src/macaron/__main__.py
@@ -197,6 +197,7 @@ def verify_policy(verify_policy_args: argparse.Namespace) -> int:
         show_prelude(verify_policy_args.database)
         return os.EX_OK
 
+    policy_content = None
     if verify_policy_args.file:
         if not os.path.isfile(verify_policy_args.file):
             logger.critical('The policy file "%s" does not exist.', verify_policy_args.file)
@@ -204,7 +205,23 @@ def verify_policy(verify_policy_args: argparse.Namespace) -> int:
         with open(verify_policy_args.file, encoding="utf-8") as file:
             policy_content = file.read()
 
+    elif verify_policy_args.policy:
+        policy_dir = os.path.join(macaron.MACARON_PATH, "resources/policies/datalog")
+        available_policies = [policy[:-12] for policy in os.listdir(policy_dir) if policy.endswith(".dl.template")]
+        if verify_policy_args.policy not in available_policies:
+            logger.error(
+                "The policy %s is not available. Available policies are: %s",
+                verify_policy_args.policy,
+                available_policies,
+            )
+            return os.EX_USAGE
+        policy_path = os.path.join(policy_dir, f"{verify_policy_args.policy}.dl.template")
+        with open(policy_path, encoding="utf-8") as file:
+            policy_content = file.read()
+        if verify_policy_args.package_url:
+            policy_content = policy_content.replace("", verify_policy_args.package_url)
+
+    if policy_content:
         result = run_policy_engine(verify_policy_args.database, policy_content)
         vsa = generate_vsa(policy_content=policy_content, policy_result=result)
         if vsa is not None:
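Review bot: The substitution `policy_content.replace("", verify_policy_args.package_url)` in the `elif verify_policy_args.policy` branch has an empty-string search term as this page renders it, and `str.replace("", x)` inserts x between every character of the template rather than at a placeholder. The bundled templates show the same gap (`match("@.*", purl)`), so a bracketed placeholder token was most likely stripped when the diff was rendered; confirm against the source and name it once, e.g. `POLICY_PURL_PLACEHOLDER = "<PURL>"`, used by both the templates and this call. Separately, when `--policy` is given without `--package-url` the template is run with the placeholder untouched, so the policy presumably applies to no component and reports nothing; reject that combination with `logger.error(...)` and `return os.EX_USAGE`, or require the option in the parser. `policy[:-12]` also hard-codes the suffix length, where `policy.removesuffix(".dl.template")` says what it means. The function body continues past the hunk, whose final context line appears cut off on this page.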
@@ -538,7 +555,9 @@ def main(argv: list[str] | None = None) -> None:
     vp_group = vp_parser.add_mutually_exclusive_group(required=True)
     vp_parser.add_argument("-d", "--database", required=True, type=str, help="Path to the database.")
+    vp_parser.add_argument("-purl", "--package-url", help="PackageURL for policy template.")
     vp_group.add_argument("-f", "--file", type=str, help="Path to the Datalog policy.")
+    vp_group.add_argument("-p", "--policy", help="Example policy to run.")
     vp_group.add_argument("-s", "--show-prelude", action="store_true", help="Show policy prelude.")
 
     # Find the repo and commit of a passed PURL, or the commit of a passed PURL and repo.
diff --git a/src/macaron/resources/policies/datalog/check-github-actions.dl.template b/src/macaron/resources/policies/datalog/check-github-actions.dl.template
new file mode 100644
index 000000000..bfd0b04d3
--- /dev/null
+++ b/src/macaron/resources/policies/datalog/check-github-actions.dl.template
@@ -0,0 +1,8 @@
+#include "prelude.dl"
+
+Policy("github_actions_vulns", component_id, "GitHub Actions Vulnerability Detection") :-
+    check_passed(component_id, "mcn_githubactions_vulnerabilities_1").
+
+apply_policy_to("github_actions_vulns", component_id) :-
+    is_component(component_id, purl),
+    match("@.*", purl).
diff --git a/src/macaron/resources/policies/datalog/malware-detection-dependencies.dl.template b/src/macaron/resources/policies/datalog/malware-detection-dependencies.dl.template
new file mode 100644
index 000000000..55c2adca1
--- /dev/null
+++ b/src/macaron/resources/policies/datalog/malware-detection-dependencies.dl.template
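Review bot: `--package-url` is registered on `vp_parser` rather than `vp_group`, so it is accepted together with `--file` or `--show-prelude` but is only read in the `--policy` branch of `verify_policy`; a user passing it with `-f` gets no substitution and no warning. Either say so in the help, `help="PackageURL substituted into the selected --policy template; ignored with --file."`, or validate the combination in `verify_policy`. The `--policy` help `"Example policy to run."` does not tell the user which names are valid; pointing at the bundled template directory, or supplying them via `choices=`, would let argparse reject unknown names before `verify_policy` runs. The enclosing `main` starts and ends outside the hunk.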
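Review bot: The `apply_policy_to` rule's `match("@.*", purl)` carries no visible placeholder, so as rendered here the pattern is either a stripped template token or a literal that a `pkg:`-prefixed purl presumably never matches; if it is a token, a comment naming it would save the next reader the guesswork, e.g. `// <PURL> is replaced by \`macaron verify-policy --policy ... --package-url\`.` Without that comment the file reads as a ready-to-run policy although the `.dl.template` suffix is the only hint that it is not.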
@@ -0,0 +1,10 @@
+#include "prelude.dl"
+
+Policy("check-dependencies", component_id, "Check the dependencies of component.") :-
+    transitive_dependency(component_id, dependency),
+    check_passed(component_id, "mcn_detect_malicious_metadata_1"),
+    check_passed(dependency, "mcn_detect_malicious_metadata_1").
+
+apply_policy_to("check-dependencies", component_id) :-
+    is_component(component_id, purl),
+    match("@.*", purl).
diff --git a/src/macaron/resources/policies/datalog/malware-detection.dl.template b/src/macaron/resources/policies/datalog/malware-detection.dl.template
new file mode 100644
index 000000000..38bff2c4b
--- /dev/null
+++ b/src/macaron/resources/policies/datalog/malware-detection.dl.template
@@ -0,0 +1,9 @@
+#include "prelude.dl"
+
+Policy("check-component", component_id, "Check component artifacts.") :-
+    check_passed(component_id, "mcn_detect_malicious_metadata_1").
+
+
+apply_policy_to("check-component", component_id) :-
+    is_component(component_id, purl),
+    match("@.*", purl).
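Review bot: `Policy("check-dependencies", ...)` is derived as soon as one transitive dependency satisfies `check_passed`, because variables in a Datalog rule body are existentially quantified; a component with one clean and one flagged dependency therefore passes the policy, which is the opposite of what "check the dependencies" should enforce, and a component with no recorded dependencies can never pass. The usual fix is to derive the failing case with negation and require its absence, as below; `failed_dependency` needs a `.decl` with whatever type `prelude.dl` gives component ids (written as `number` here, confirm). Whether a component with zero recorded dependencies should pass is a policy decision; the version below lets it pass, so state that choice in a comment either way.
```datalog
#include "prelude.dl"

// Holds when any transitive dependency has not passed the malware check.
.decl failed_dependency(component_id: number)
failed_dependency(component_id) :-
    transitive_dependency(component_id, dependency),
    !check_passed(dependency, "mcn_detect_malicious_metadata_1").

Policy("check-dependencies", component_id, "Check the dependencies of component.") :-
    check_passed(component_id, "mcn_detect_malicious_metadata_1"),
    !failed_dependency(component_id).

// … unchanged: apply_policy_to rule …
```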