chore: improve SLSA verifier installation

Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>

Author: behnazh-w

CHANGELOG.md

@@ -27,7 +27,7 @@
 
 - gen-build-spec SQL query to look up build-as-code check build command joins on incorrect column (#1207)
 - handle all tarfile extract errors (#1206)
-- ensure Python 3.11.14 is used to address GHSA-4xh5-x5gv-qwph (#1197)
+- ensure Python 3.11.13 is used to address GHSA-4xh5-x5gv-qwph (#1197)
 - **docs**: path of script download example (#1193)
 - improve build tool detection (#1169)
 

Makefile

@@ -94,10 +94,27 @@ setup: force-upgrade setup-go setup-binaries setup-schemastore
 setup-go:
 	go build -o $(PACKAGE_PATH)/bin/ $(REPO_PATH)/golang/cmd/...
 setup-binaries: $(PACKAGE_PATH)/bin/slsa-verifier souffle gnu-sed
+
+# Install SLSA Verifier.
+SLSA_VERIFIER_TAG := v2.7.1
+SLSA_VERIFIER_BIN := slsa-verifier-linux-amd64
+SLSA_VERIFIER_BIN_PATH := $(PACKAGE_PATH)/bin/$(SLSA_VERIFIER_BIN)
+SLSA_VERIFIER_PROVENANCE := $(SLSA_VERIFIER_BIN).intoto.jsonl
+SLSA_VERIFIER_PROVENANCE_PATH := $(PACKAGE_PATH)/bin/$(SLSA_VERIFIER_PROVENANCE)
+
 $(PACKAGE_PATH)/bin/slsa-verifier:
-	git clone --depth 1 https://github.com/slsa-framework/slsa-verifier.git -b v2.7.1
-	cd slsa-verifier/cli/slsa-verifier && go build -o $(PACKAGE_PATH)/bin/
-	cd $(REPO_PATH) && rm -rf slsa-verifier
+	mkdir -p $(PACKAGE_PATH)/bin \
+    	&& wget -O $(PACKAGE_PATH)/bin/slsa-verifier https://github.com/slsa-framework/slsa-verifier/releases/download/$(SLSA_VERIFIER_TAG)/$(SLSA_VERIFIER_BIN) \
+    	&& wget -O $(SLSA_VERIFIER_PROVENANCE_PATH) https://github.com/slsa-framework/slsa-verifier/releases/download/$(SLSA_VERIFIER_TAG)/$(SLSA_VERIFIER_PROVENANCE) \
+    	&& chmod +x $(PACKAGE_PATH)/bin/slsa-verifier \
+		&& EXPECTED_HASH=$$(jq -r '.payload' $(SLSA_VERIFIER_PROVENANCE_PATH) | base64 -d | jq -r '.subject[] | select(.name == "$(SLSA_VERIFIER_BIN)") | .digest.sha256') \
+		&& ACTUAL_HASH=$$(sha256sum $(PACKAGE_PATH)/bin/slsa-verifier | awk '{print $$1}'); \
+		if [ "$$EXPECTED_HASH" != "$$ACTUAL_HASH" ]; then \
+			echo "Hash mismatch: expected $$EXPECTED_HASH, got $$ACTUAL_HASH"; \
+			exit 1; \
+		fi
+
+# Set up schemastore for GitHub Actions specs.
 setup-schemastore: $(PACKAGE_PATH)/resources/schemastore/github-workflow.json $(PACKAGE_PATH)/resources/schemastore/LICENSE $(PACKAGE_PATH)/resources/schemastore/NOTICE
 $(PACKAGE_PATH)/resources/schemastore/github-workflow.json:
 	cd $(PACKAGE_PATH)/resources \
@@ -257,15 +274,12 @@ requirements.txt: pyproject.toml
 # editable mode (like the one in development here) because they may not have
 # a PyPI entry; also print out CVE description and potential fixes if audit
 # found an issue.
-# Ignore GHSA-4xh5-x5gv-qwph since we are using Python >=3.11.14, which is not vulnerable to this
-# CVE. Remove this once a new version of pip that fixes the CVE is released.
-# See https://github.com/pypa/pip/issues/13607
 .PHONY: audit
 audit:
 	if ! $$(python -c "import pip_audit" &> /dev/null); then \
 	  echo "No package pip_audit installed, upgrade your environment!" && exit 1; \
 	fi;
-	python -m pip_audit --skip-editable --desc on --fix --dry-run --ignore-vuln GHSA-4xh5-x5gv-qwph
+	python -m pip_audit --skip-editable --desc on --fix --dry-run
 
 # Run some or all checks over the package code base.
 .PHONY: check check-code check-bandit check-flake8 check-lint check-mypy check-go check-actionlint

docker/Dockerfile.final

@@ -11,7 +11,7 @@
 # Note that the local machine must login to ghcr.io so that Docker could pull the ghcr.io/oracle/macaron-base
 # image for this build.
 
-FROM ghcr.io/oracle/macaron-base:latest@sha256:e7cb431d2a870999b70a9a282a84e7b278f7a9ea91e60ba2a8efdab35b4b7e71
+FROM ghcr.io/oracle/macaron-base:latest@sha256:6d1d300d32060a75deffd2e6fce00e9f6d646df233f8df4deee2baf2982cf022
 
 ENV HOME="/home/macaron"