refactor: run source code analysis by default and remove cli option

Signed-off-by: Carl Flottmann <[email protected]>

Author: art1f1c3R

src/macaron/__main__.py

@@ -96,10 +96,6 @@ def analyze_slsa_levels_single(analyzer_single_args: argparse.Namespace) -> None
 
         global_config.local_maven_repo = user_provided_local_maven_repo
 
-    if analyzer_single_args.force_analyze_source and not analyzer_single_args.analyze_source:
-        logger.error("'--force-analyze-source' requires '--analyze-source'.")
-        sys.exit(os.EX_USAGE)
-
     analyzer = Analyzer(global_config.output_path, global_config.build_log_path)
 
     # Initiate reporters.
@@ -177,7 +173,6 @@ def analyze_slsa_levels_single(analyzer_single_args: argparse.Namespace) -> None
         deps_depth,
         provenance_payload=prov_payload,
         verify_provenance=analyzer_single_args.verify_provenance,
-        analyze_source=analyzer_single_args.analyze_source,
         force_analyze_source=analyzer_single_args.force_analyze_source,
     )
     sys.exit(status_code)
@@ -481,23 +476,11 @@ def main(argv: list[str] | None = None) -> None:
         ),
     )
 
-    single_analyze_parser.add_argument(
-        "--analyze-source",
-        required=False,
-        action="store_true",
-        help=(
-            "For improved malware detection, analyze the source code of the"
-            + " (PyPI) package using a textual scan and dataflow analysis."
-        ),
-    )
-
     single_analyze_parser.add_argument(
         "--force-analyze-source",
         required=False,
         action="store_true",
-        help=(
-            "Forces PyPI sourcecode analysis to run regardless of other heuristic results. Requires '--analyze-source'."
-        ),
+        help=("Forces PyPI sourcecode analysis to run regardless of other heuristic results."),
     )
 
     single_analyze_parser.add_argument(

src/macaron/slsa_analyzer/analyze_context.py

@@ -51,8 +51,6 @@ class ChecksOutputs(TypedDict):
     """The provenance and related information."""
     local_artifact_paths: list[str]
     """The local artifact absolute paths."""
-    analyze_source: bool
-    """True when PyPI source code analysis has been enabled."""
     force_analyze_source: bool
     """When True, enforces running source code analysis, regardless of other heuristic results."""
 
@@ -108,7 +106,6 @@ def __init__(
             expectation=None,
             provenance_info=None,
             local_artifact_paths=[],
-            analyze_source=False,
             force_analyze_source=False,
         )
 

src/macaron/slsa_analyzer/analyzer.py

@@ -148,7 +148,6 @@ def run(
         deps_depth: int = 0,
         provenance_payload: InTotoPayload | None = None,
         verify_provenance: bool = False,
-        analyze_source: bool = False,
         force_analyze_source: bool = False,
     ) -> int:
         """Run the analysis and write results to the output path.
@@ -168,8 +167,6 @@ def run(
             The provenance intoto payload for the main software component.
         verify_provenance: bool
             Enable provenance verification if True.
-        analyze_source : bool
-            When true, triggers source code analysis for PyPI packages. Defaults to False.
         force_analyze_source : bool
             When true, enforces running source code analysis regardless of other heuristic results. Defaults to False.
 
@@ -205,7 +202,6 @@ def run(
                     analysis,
                     provenance_payload=provenance_payload,
                     verify_provenance=verify_provenance,
-                    analyze_source=analyze_source,
                     force_analyze_source=force_analyze_source,
                 )
 
@@ -325,7 +321,6 @@ def run_single(
         existing_records: dict[str, Record] | None = None,
         provenance_payload: InTotoPayload | None = None,
         verify_provenance: bool = False,
-        analyze_source: bool = False,
         force_analyze_source: bool = False,
     ) -> Record:
         """Run the checks for a single repository target.
@@ -345,8 +340,6 @@ def run_single(
             The provenance intoto payload for the analyzed software component.
         verify_provenance: bool
             Enable provenance verification if True.
-        analyze_source : bool
-            When true, triggers source code analysis for PyPI packages. Defaults to False.
         force_analyze_source : bool
             When true, enforces running source code analysis regardless of other heuristic results. Defaults to False.
 
@@ -583,7 +576,6 @@ def run_single(
                 # TODO Add release digest.
             )
 
-        analyze_ctx.dynamic_data["analyze_source"] = analyze_source
         analyze_ctx.dynamic_data["force_analyze_source"] = force_analyze_source
 
         if local_artifact_dirs:

src/macaron/slsa_analyzer/checks/detect_malicious_metadata_check.py

@@ -107,7 +107,7 @@ def _should_skip(
 
     def analyze_source(
         self, pypi_package_json: PyPIPackageJsonAsset, results: dict[Heuristics, HeuristicResult], force: bool = False
-    ) -> tuple[HeuristicResult, dict[str, JsonType]]:
+    ) -> tuple[dict[Heuristics, HeuristicResult], dict[str, JsonType]]:
         """Analyze the source code of the package with a textual scan, looking for malicious code patterns.
 
         Parameters
@@ -122,7 +122,7 @@ def analyze_source(
 
         Returns
         -------
-        tuple[HeuristicResult, dict[str, JsonType]]
+        tuple[dict[Heuristics, HeuristicResult], dict[str, JsonType]]
             Containing the analysis results and relevant patterns identified.
 
         Raises
@@ -136,11 +136,13 @@ def analyze_source(
         analyzer = PyPISourcecodeAnalyzer()
 
         if not force and analyzer.depends_on and self._should_skip(results, analyzer.depends_on):
-            return HeuristicResult.SKIP, {}
+            return {analyzer.heuristic: HeuristicResult.SKIP}, {}
 
         try:
             with pypi_package_json.sourcecode():
-                return analyzer.analyze(pypi_package_json)
+                result, detail_info = analyzer.analyze(pypi_package_json)
+                return {analyzer.heuristic: result}, detail_info
+
         except SourceCodeError as error:
             error_msg = f"Unable to perform analysis, source code not available: {error}"
             logger.debug(error_msg)
@@ -310,23 +312,22 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
                             confidence = Confidence.HIGH
                             result_type = CheckResultType.PASSED
 
-                        # optional sourcecode analysis feature
-                        if ctx.dynamic_data["analyze_source"]:
-                            try:
-                                sourcecode_result, sourcecode_detail_info = self.analyze_source(
-                                    pypi_package_json, heuristic_results, force=ctx.dynamic_data["force_analyze_source"]
-                                )
-                            except (HeuristicAnalyzerValueError, ConfigurationError):
-                                return CheckResultData(result_tables=[], result_type=CheckResultType.UNKNOWN)
-
-                            heuristic_results[Heuristics.SUSPICIOUS_PATTERNS] = sourcecode_result
-                            heuristics_detail_info.update(sourcecode_detail_info)
-
-                            if sourcecode_result == HeuristicResult.FAIL:
-                                if result_type == CheckResultType.PASSED:
-                                    # heuristics determined it benign, so lower the confidence
-                                    confidence = Confidence.LOW
-                                result_type = CheckResultType.FAILED
+                        # Source code analysis
+                        try:
+                            sourcecode_result, sourcecode_detail_info = self.analyze_source(
+                                pypi_package_json, heuristic_results, force=ctx.dynamic_data["force_analyze_source"]
+                            )
+                        except (HeuristicAnalyzerValueError, ConfigurationError):
+                            return CheckResultData(result_tables=[], result_type=CheckResultType.UNKNOWN)
+
+                        heuristic_results.update(sourcecode_result)
+                        heuristics_detail_info.update(sourcecode_detail_info)
+
+                        if sourcecode_result[Heuristics.SUSPICIOUS_PATTERNS] == HeuristicResult.FAIL:
+                            if result_type == CheckResultType.PASSED:
+                                # heuristics determined it benign, so lower the confidence
+                                confidence = Confidence.LOW
+                            result_type = CheckResultType.FAILED
 
                         result_tables.append(
                             MaliciousMetadataFacts(

tests/integration/cases/django_with_dep_resolution_virtual_env_as_input/test.yaml

@@ -79,7 +79,6 @@ steps:
     - pkg:pypi/[email protected]
     - --python-venv
     - ./django_venv
-    - --analyze-source
     - --force-analyze-source
 - name: Run macaron verify-policy to check the package was not marked as malicious.
   kind: verify

tests/slsa_analyzer/checks/test_detect_malicious_metadata_check.py

@@ -59,7 +59,7 @@ def test_detect_malicious_metadata(
     pypi_registry = PyPIRegistry()
     ctx.dynamic_data["package_registries"] = [PackageRegistryInfo("pip", "pypi", pypi_registry)]
     if sourcecode_analysis:
-        ctx.dynamic_data["analyze_source"] = True
+        ctx.dynamic_data["force_analyze_source"] = True
 
     mock_global_config.resources_path = os.path.join(MACARON_PATH, "resources")