chore: require proper verification to report level 3 in verification …

…check Signed-off-by: Ben Selwyn-Smith <[email protected]>
oracle · Jul 31, 2024 · cbc7376 · cbc7376
1 parent 927d8c3
commit cbc7376
Showing 1 changed file with 14 additions and 16 deletions.
diff --git a/src/macaron/slsa_analyzer/checks/provenance_verified_check.py b/src/macaron/slsa_analyzer/checks/provenance_verified_check.py
@@ -79,37 +79,35 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
         if predicate:
             build_type = json_extract(predicate, ["buildType"], str)
 
-        if build_type and build_type == "https://github.com/slsa-framework/slsa-github-generator/generic@v1":
-            # Provenance is created by the SLSA GitHub generator and therefore verified.
+        if not ctx.dynamic_data["provenance_verified"]:
+            # Provenance is not verified.
             return CheckResultData(
                 result_tables=[
-                    ProvenanceVerifiedFacts(build_level=3, build_type=build_type, confidence=Confidence.HIGH)
+                    ProvenanceVerifiedFacts(
+                        build_level=1,
+                        build_type=build_type,
+                        confidence=Confidence.HIGH,
+                    )
                 ],
-                result_type=CheckResultType.PASSED,
+                result_type=CheckResultType.FAILED,
             )
 
-        if not ctx.dynamic_data["provenance_verified"]:
-            # Provenance is not verified.
+        if not (build_type and build_type == "https://github.com/slsa-framework/slsa-github-generator/generic@v1"):
+            # Provenance is verified.
             return CheckResultData(
                 result_tables=[
                     ProvenanceVerifiedFacts(
-                        build_level=1,
+                        build_level=2,
                         build_type=build_type,
                         confidence=Confidence.HIGH,
                     )
                 ],
-                result_type=CheckResultType.FAILED,
+                result_type=CheckResultType.PASSED,
             )
 
-        # Provenance is verified.
+        # Provenance is created by the SLSA GitHub generator and verified.
         return CheckResultData(
-            result_tables=[
-                ProvenanceVerifiedFacts(
-                    build_level=2,
-                    build_type=build_type,
-                    confidence=Confidence.HIGH,
-                )
-            ],
+            result_tables=[ProvenanceVerifiedFacts(build_level=3, build_type=build_type, confidence=Confidence.HIGH)],
             result_type=CheckResultType.PASSED,
         )