Skip to content

feat: add --policy flag in verify-policy command for example policies #1189

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

feat: add --policy flag in verify-policy command for example policies #1189

wants to merge 4 commits into from

Conversation

@Demolus13
Copy link
Member

@Demolus13 Demolus13 commented Sep 28, 2025
edited
Loading

Summary

This Pull Request introduces a new --policy flag to the verify-policy command, allowing users to run example policies by name without specifying a file path. It also adds support for policy templates.

The new --policy (-p) flag executes a predefined policy template by name. If the template exists, it populates the <PACKAGE_PURL> placeholder with the value from the --package-url (-purl) argument and runs the policy. If the template name is not found, it lists all available templates.

Example policies

  1. A malware detection policy for the package (based on the malware detection tutorial)
macaron analyze -purl pkg:pypi/django@5.0.6
macaron verify-policy --database output/macaron.db --policy malware-detection -purl pkg:pypi/django
  1. A malware detection policy for the package and all its dependencies (based on the malware detection tutorial)
python3.11 -m venv /tmp/.django_venv
/tmp/.django_venv/bin/pip install django==5.0.6
macaron analyze -purl pkg:pypi/django@5.0.6 --python-venv "/tmp/.django_venv" --deps-depth=1  
macaron verify-policy --database output/macaron.db --policy malware-detection-dependencies -purl pkg:pypi/django
  1. Analyzing GitHub Actions (tutorial)
macaron analyze -purl pkg:maven/org.apache.logging.log4j/log4j-core@3.0.0-beta3
macaron verify-policy --database output/macaron.db --policy check-github-actions -purl pkg:maven/org.apache.logging.log4j/log4j-core

Description of changes

  • Added a --policy (-p) argument to the verify-policy CLI command, enabling users to select and run example policies from the built-in resources.
  • Updated the policy loading logic to support both file-based and named example policies. If a policy name is provided, the command loads the corresponding template from the resources/policies/datalog directory.
  • Added support for the --package-url (-purl) argument to substitute the <PACKAGE_PURL> placeholder in policy templates.
  • Added new example policy templates for common use cases.

Related issues

N/A

Checklist

  • I have reviewed the contribution guide.
  • My PR title and commits follow the Conventional Commits convention.
  • My commits include the "Signed-off-by" line.
  • I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
  • I have updated the relevant documentation, if applicable.
  • I have tested my changes and verified they work as expected.

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Sep 28, 2025
@Demolus13 Demolus13 self-assigned this Sep 28, 2025
@Demolus13 Demolus13 force-pushed the pgovale/example-policies branch from 30b51e3 to ce3dfd5 Compare October 7, 2025 06:22
behnazh-w
behnazh-w reviewed Oct 30, 2025
View reviewed changes
Copy link
Member

@behnazh-w behnazh-w left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a unit test to tests/policy_engine/test_policy.py. Also add an integration test.

src/macaron/__main__.py Outdated
with open(verify_policy_args.file, encoding="utf-8") as file:
policy_content = file.read()
elif verify_policy_args.policy:
policy_dir = os.path.join(macaron.MACARON_PATH, "resources/policies/datalog")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We avoid using / in strings and instead use the os.path.join method to construct the path.

Suggested change
policy_dir = os.path.join(macaron.MACARON_PATH, "resources/policies/datalog")
policy_dir = os.path.join(macaron.MACARON_PATH, "resources", "policies", "datalog")

src/macaron/__main__.py Outdated
policy_content = file.read()
elif verify_policy_args.policy:
policy_dir = os.path.join(macaron.MACARON_PATH, "resources/policies/datalog")
available_policies = [policy[:-12] for policy in os.listdir(policy_dir) if policy.endswith(".dl.template")]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be good to avoid hardcoding [:-12].

Suggested change
available_policies = [policy[:-12] for policy in os.listdir(policy_dir) if policy.endswith(".dl.template")]
policy_suffix = ".dl.template"
available_policies = [
os.path.splitext(policy)[0].replace(policy_suffix, "")
for policy in os.listdir(policy_dir)
if policy.endswith(policy_suffix)
]

src/macaron/__main__.py Outdated
policy_path = os.path.join(policy_dir, f"{verify_policy_args.policy}.dl.template")
with open(policy_path, encoding="utf-8") as file:
policy_content = file.read()
if verify_policy_args.package_url:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's check that the PURL using the packageurl library, which is already a dependency of Macaron:

try:
    PackageURL.from_string(verify_policy_args.package_url)
except ValueError as error:
    logger.error("The package url %s is not valid.", verify_policy_args.package_url)
    return os.EX_USAGE

src/macaron/__main__.py
vp_parser.add_argument("-d", "--database", required=True, type=str, help="Path to the database.")
vp_parser.add_argument("-purl", "--package-url", help="PackageURL for policy template.")
vp_group.add_argument("-f", "--file", type=str, help="Path to the Datalog policy.")
vp_group.add_argument("-p", "--policy", help="Example policy to run.")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
vp_group.add_argument("-p", "--policy", help="Example policy to run.")
vp_group.add_argument("-e", "--existing-policy", help="Name of the existing policy to run.")

@behnazh-w behnazh-w marked this pull request as ready for review October 30, 2025 06:55
@Demolus13 Demolus13 force-pushed the pgovale/example-policies branch from ee6a42a to ae722e9 Compare October 31, 2025 06:52
@Demolus13
feat: add --policy flag in verify-policy command for example policies
8a616b0 
Signed-off-by: Demolus13 <parth.govale@oracle.com>
@Demolus13
feat: add policy template modification for standardization
cd6859b 
Signed-off-by: Demolus13 <parth.govale@oracle.com>
@Demolus13
feat: add sample policies
c357aa6 
Signed-off-by: Demolus13 <parth.govale@oracle.com>
@Demolus13
chore: improve handling of policy templates and verify packageurl
a2203de 
Signed-off-by: Demolus13 <parth.govale@oracle.com>
@Demolus13 Demolus13 force-pushed the pgovale/example-policies branch from ae722e9 to a2203de Compare October 31, 2025 06:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@behnazh-w behnazh-w behnazh-w left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@Demolus13 Demolus13

Labels

OCA Verified All contributors have signed the Oracle Contributor Agreement.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Demolus13 @behnazh-w