chore(deps): update base image, Python version to 3.11.14, and improve SLSA Verifier installation (#1257)

behnazh-w · web-flow · commit e6aee3e7ef31 · 2025-12-04T15:19:57.000+10:00
This PR updates the base image, upgrades Python to version 3.11.14 for security patches, and enhances the installation process of SLSA Verifier by adding provenance-based binary hash verification.

Signed-off-by: behnazh-w &lt;behnaz.hassanshahi@oracle.com&gt;
diff --git a/.github/workflows/test_macaron_action.yaml b/.github/workflows/test_macaron_action.yaml
@@ -61,7 +61,7 @@ jobs:
     - name: Setup Python for analyzed venv
       uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
       with:
-        python-version: 3.11.13
+        python-version: 3.11.14
 
     - name: Create and populate analyzed venv
       run: |
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -84,7 +84,7 @@ Please see the [README for the malware analyzer](./src/macaron/malware_analyzer/
 
 ### Prerequisites
 
-- Python 3.11.13
+- Python 3.11.14
 - Go 1.23
 - JDK 17
 
diff --git a/Makefile b/Makefile
@@ -94,10 +94,27 @@ setup: force-upgrade setup-go setup-binaries setup-schemastore
 setup-go:
 	go build -o $(PACKAGE_PATH)/bin/ $(REPO_PATH)/golang/cmd/...
 setup-binaries: $(PACKAGE_PATH)/bin/slsa-verifier souffle gnu-sed
+
+# Install SLSA Verifier.
+SLSA_VERIFIER_TAG := v2.7.1
+SLSA_VERIFIER_BIN := slsa-verifier-linux-amd64
+SLSA_VERIFIER_BIN_PATH := $(PACKAGE_PATH)/bin/$(SLSA_VERIFIER_BIN)
+SLSA_VERIFIER_PROVENANCE := $(SLSA_VERIFIER_BIN).intoto.jsonl
+SLSA_VERIFIER_PROVENANCE_PATH := $(PACKAGE_PATH)/bin/$(SLSA_VERIFIER_PROVENANCE)
+
 $(PACKAGE_PATH)/bin/slsa-verifier:
-	git clone --depth 1 https://github.com/slsa-framework/slsa-verifier.git -b v2.7.1
-	cd slsa-verifier/cli/slsa-verifier && go build -o $(PACKAGE_PATH)/bin/
-	cd $(REPO_PATH) && rm -rf slsa-verifier
+	mkdir -p $(PACKAGE_PATH)/bin \
+    	&& wget -O $(PACKAGE_PATH)/bin/slsa-verifier https://github.com/slsa-framework/slsa-verifier/releases/download/$(SLSA_VERIFIER_TAG)/$(SLSA_VERIFIER_BIN) \
+    	&& wget -O $(SLSA_VERIFIER_PROVENANCE_PATH) https://github.com/slsa-framework/slsa-verifier/releases/download/$(SLSA_VERIFIER_TAG)/$(SLSA_VERIFIER_PROVENANCE) \
+    	&& chmod +x $(PACKAGE_PATH)/bin/slsa-verifier \
+		&& EXPECTED_HASH=$$(jq -r '.payload' $(SLSA_VERIFIER_PROVENANCE_PATH) | base64 -d | jq -r '.subject[] | select(.name == "$(SLSA_VERIFIER_BIN)") | .digest.sha256') \
+		&& ACTUAL_HASH=$$(sha256sum $(PACKAGE_PATH)/bin/slsa-verifier | awk '{print $$1}'); \
+		if [ "$$EXPECTED_HASH" != "$$ACTUAL_HASH" ]; then \
+			echo "Hash mismatch: expected $$EXPECTED_HASH, got $$ACTUAL_HASH"; \
+			exit 1; \
+		fi
+
+# Set up schemastore for GitHub Actions specs.
 setup-schemastore: $(PACKAGE_PATH)/resources/schemastore/github-workflow.json $(PACKAGE_PATH)/resources/schemastore/LICENSE $(PACKAGE_PATH)/resources/schemastore/NOTICE
 $(PACKAGE_PATH)/resources/schemastore/github-workflow.json:
 	cd $(PACKAGE_PATH)/resources \
@@ -257,15 +274,12 @@ requirements.txt: pyproject.toml
 # editable mode (like the one in development here) because they may not have
 # a PyPI entry; also print out CVE description and potential fixes if audit
 # found an issue.
-# Ignore GHSA-4xh5-x5gv-qwph since we are using Python >=3.11.13, which is not vulnerable to this
-# CVE. Remove this once a new version of pip that fixes the CVE is released.
-# See https://github.com/pypa/pip/issues/13607
 .PHONY: audit
 audit:
 	if ! $$(python -c "import pip_audit" &> /dev/null); then \
 	  echo "No package pip_audit installed, upgrade your environment!" && exit 1; \
 	fi;
-	python -m pip_audit --skip-editable --desc on --fix --dry-run --ignore-vuln GHSA-4xh5-x5gv-qwph
+	python -m pip_audit --skip-editable --desc on --fix --dry-run
 
 # Run some or all checks over the package code base.
 .PHONY: check check-code check-bandit check-flake8 check-lint check-mypy check-go check-actionlint
diff --git a/action.yaml b/action.yaml
@@ -61,7 +61,7 @@ runs:
   - name: Setup Python
     uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
     with:
-      python-version: 3.11.13
+      python-version: 3.11.14
 
   - name: Setup Go
     uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
diff --git a/docker/Dockerfile.base b/docker/Dockerfile.base
@@ -5,15 +5,15 @@
 # to build and run the Docker image.
 # This image is based on the container-registry.oracle.com/os/oraclelinux:9-slim image and contains the following
 # components:
-#   Python3.11.13 compiled and installed from source.
+#   Python3.11.14 compiled and installed from source.
 #   Souffle 2.5 compiled and installed from source.
 #   Other runtime libraries (e.g sqlite-devel) which are installed from dnf.
 
-FROM container-registry.oracle.com/os/oraclelinux:9-slim@sha256:92deb326256d4d3053d210397b00dce9a423789d1c555adb7a3b7a1f0747ea2f
+FROM container-registry.oracle.com/os/oraclelinux:9-slim@sha256:41a867b7f24306cf38c01ba578598164397bd07aa26dbdc9a985bedd9177e82e
 
 ENV HOME="/home/macaron" \
     # Setting Python related environment variables.
-    PYTHON3_VERSION=3.11.13 \
+    PYTHON3_VERSION=3.11.14 \
     PYTHONUNBUFFERED=1 \
     PYTHONDONTWRITEBYTECODE=1 \
     # https://github.com/docker-library/python/blob/f568f56f28fab0fe87b34db777e2c2861cef002b/3.11/slim-buster/Dockerfile#L12
@@ -62,7 +62,7 @@ enabled=1\
         # Exceptions (not installed):
         #   mcpp - The package mcpp is not available in Oracle Linux 9. However, we don't use Souffle's feature
         #       that needs it.
-        #   python3 - We use the installed Python3.11.13 for this.
+        #   python3 - We use the installed Python3.11.14 for this.
         gcc-c++         \
         libffi          \
         libffi-devel    \
diff --git a/docker/Dockerfile.final b/docker/Dockerfile.final
@@ -11,7 +11,7 @@
 # Note that the local machine must login to ghcr.io so that Docker could pull the ghcr.io/oracle/macaron-base
 # image for this build.
 
-FROM ghcr.io/oracle/macaron-base:latest@sha256:e7cb431d2a870999b70a9a282a84e7b278f7a9ea91e60ba2a8efdab35b4b7e71
+FROM ghcr.io/oracle/macaron-base:latest@sha256:6d1d300d32060a75deffd2e6fce00e9f6d646df233f8df4deee2baf2982cf022
 
 ENV HOME="/home/macaron"
 
diff --git a/docs/source/pages/supported_technologies/index.rst b/docs/source/pages/supported_technologies/index.rst
@@ -123,7 +123,7 @@ Automatic dependency resolution
 
 Currently, we support the following type of project for automatic dependency resolution.
 
-* Python (with a Python virtual environment created and packages installed using Python3.11.13, see :ref:`providing Python virtual environment <python-venv-deps>`.)
+* Python (with a Python virtual environment created and packages installed using Python3.11.14, see :ref:`providing Python virtual environment <python-venv-deps>`.)
 
 --------
 See also
diff --git a/docs/source/pages/tutorials/detect_malicious_package.rst b/docs/source/pages/tutorials/detect_malicious_package.rst
@@ -190,7 +190,7 @@ Macaron supports analyzing a package's dependencies and performs the same set of
 
 Let's assume ``/tmp/.django_venv`` is the virtual environment where ``django@5.0.6`` is installed.
 
-.. note:: If you want Macaron to analyze the virtual environment directly to identify the dependencies, we require Python 3.11.13 to be used to install the package. Alternatively, you can generate the SBOM as instructed :ref:`here <python-sbom>` and pass it to Macaron as input.
+.. note:: If you want Macaron to analyze the virtual environment directly to identify the dependencies, we require Python 3.11.14 to be used to install the package. Alternatively, you can generate the SBOM as instructed :ref:`here <python-sbom>` and pass it to Macaron as input.
 
 Run Macaron as follows to analyze ``django`` and its direct dependencies.
 
diff --git a/docs/source/pages/using.rst b/docs/source/pages/using.rst
@@ -378,7 +378,7 @@ Where ``--python-venv`` is the path to virtual environment.
 
 Alternatively, you can create an SBOM for the python package and provide it to Macaron as input as explained :ref:`here <with-sbom>`.
 
-.. note:: We only support Python 3.11.13 for this feature of Macaron. Please make sure to install the package using this version of Python.
+.. note:: We only support Python 3.11.14 for this feature of Macaron. Please make sure to install the package using this version of Python.
 
 
 -----------------------------------------------
diff --git a/pyproject.toml b/pyproject.toml
@@ -9,7 +9,7 @@ build-backend = "flit_core.buildapi"
 
 [project]
 name = "macaron"
-requires-python = ">=3.11.13"
+requires-python = ">=3.11.14"
 authors = [
     {"name" = "Trong Nhan Mai", "email" = "trong.nhan.mai@oracle.com"},
     {"name" = "Behnaz Hassanshahi", "email" = "behnaz.hassanshahi@oracle.com"},
