chore: move max_download_size from slsa.verifier to downloads

Signed-off-by: Carl Flottmann <[email protected]>

Author: art1f1c3R

docs/source/pages/tutorials/provenance.rst

@@ -204,7 +204,7 @@ Build Types
 File Download Limit
 *******************
 
-To prevent analyses from taking too long, Macaron imposes a configurable size limit for downloads. This includes files being downloaded for provenance verification. In cases where the limit is being reached and you wish to continue analysis regardless, you can specify a new download size in the default configuration file. This value can be found under the ``slsa.verifier`` section, listed as ``max_download_size`` with a default limit of 10 megabytes. See :ref:`How to change the default configuration <change-config>` for more details on configuring values like these.
+To prevent analyses from taking too long, Macaron imposes a configurable size limit for downloads. This includes files being downloaded for provenance verification. In cases where the limit is being reached and you wish to continue analysis regardless, you can specify a new download size in the default configuration file. This value can be found under the ``downloads`` section, listed as ``max_download_size`` with a default limit of 10 megabytes. See :ref:`How to change the default configuration <change-config>` for more details on configuring values like these.
 
 **************************************
 Run ``verify-policy`` command (semver)

src/macaron/config/defaults.ini

@@ -10,6 +10,8 @@ error_retries = 5
 [downloads]
 # The default timeout in seconds for downloading assets.
 timeout = 120
+# This is the acceptable maximum size (in bytes) to download an asset.
+max_download_size = 10000000
 
 # This is the database to store Macaron's results.
 [database]
@@ -486,8 +488,6 @@ provenance_extensions =
     intoto.jsonl.gz
     intoto.jsonl.url
     intoto.jsonl.gz.url
-# This is the acceptable maximum size (in bytes) to download an asset.
-max_download_size = 10000000
 # This is the timeout (in seconds) to run the SLSA verifier.
 timeout = 120
 # The allowed hostnames for URL file links for provenance download

src/macaron/malware_analyzer/pypi_heuristics/sourcecode/suspicious_setup.py

@@ -56,7 +56,7 @@ def _get_setup_source_code(self, pypi_package_json: PyPIPackageJsonAsset) -> str
         with tempfile.TemporaryDirectory() as temp_dir:
             source_file = os.path.join(temp_dir, file_name)
             timeout = defaults.getint("downloads", "timeout", fallback=120)
-            size_limit = defaults.getint("slsa.verifier", "max_download_size", fallback=10000000)
+            size_limit = defaults.getint("downloads", "max_download_size", fallback=10000000)
             if not download_file_with_size_limit(sourcecode_url, {}, source_file, timeout, size_limit):
                 return None
 

src/macaron/provenance/provenance_finder.py

@@ -255,7 +255,7 @@ def find_gav_provenance(purl: PackageURL, registry: JFrogMavenRegistry) -> list[
         return []
 
     max_valid_provenance_size = defaults.getint(
-        "slsa.verifier",
+        "downloads",
         "max_download_size",
         fallback=1000000,
     )
@@ -458,7 +458,7 @@ def download_provenances_from_ci_service(ci_info: CIInfo, download_path: str) ->
         for prov_asset in prov_assets:
             # Check the size before downloading.
             if prov_asset.size_in_bytes > defaults.getint(
-                "slsa.verifier",
+                "downloads",
                 "max_download_size",
                 fallback=1000000,
             ):

src/macaron/provenance/provenance_verifier.py

@@ -190,7 +190,7 @@ def verify_ci_provenance(analyze_ctx: AnalyzeContext, ci_info: CIInfo, download_
                 return False
             if not Path(download_path, sub_asset["name"]).is_file():
                 if "size" in sub_asset and sub_asset["size"] > defaults.getint(
-                    "slsa.verifier", "max_download_size", fallback=1000000
+                    "downloads", "max_download_size", fallback=1000000
                 ):
                     logger.debug("Sub asset too large to verify: %s", sub_asset["name"])
                     return False

src/macaron/slsa_analyzer/git_service/api_client.py

@@ -643,7 +643,7 @@ def download_asset(self, url: str, download_path: str) -> bool:
         logger.debug("Download assets from %s at %s.", url, download_path)
 
         timeout = defaults.getint("downloads", "timeout", fallback=120)
-        size_limit = defaults.getint("slsa.verifier", "max_download_size", fallback=10000000)
+        size_limit = defaults.getint("downloads", "max_download_size", fallback=10000000)
         headers = {"Accept": "application/octet-stream", "Authorization": self.headers["Authorization"]}
 
         return download_file_with_size_limit(url, headers, download_path, timeout, size_limit)

src/macaron/slsa_analyzer/package_registry/maven_central_registry.py

@@ -286,7 +286,7 @@ def get_artifact_hash(self, purl: PackageURL) -> str | None:
 
         hash_algorithm = hashlib.sha256()
         timeout = defaults.getint("downloads", "timeout", fallback=120)
-        size_limit = defaults.getint("slsa.verifier", "max_download_size", fallback=10000000)
+        size_limit = defaults.getint("downloads", "max_download_size", fallback=10000000)
         if not stream_file_with_size_limit(artifact_url, {}, hash_algorithm.update, timeout, size_limit):
             return None
 

src/macaron/slsa_analyzer/package_registry/pypi_registry.py

@@ -257,7 +257,7 @@ def download_package_sourcecode(self, url: str) -> str:
         temp_dir = tempfile.mkdtemp(prefix=f"{package_name}_")
         source_file = os.path.join(temp_dir, file_name)
         timeout = defaults.getint("downloads", "timeout", fallback=120)
-        size_limit = defaults.getint("slsa.verifier", "max_download_size", fallback=10000000)
+        size_limit = defaults.getint("downloads", "max_download_size", fallback=10000000)
         if not download_file_with_size_limit(url, {}, source_file, timeout, size_limit):
             self.cleanup_sourcecode_directory(temp_dir, "Could not download the file.")
 
@@ -295,7 +295,7 @@ def get_artifact_hash(self, artifact_url: str) -> str | None:
         """
         hash_algorithm = hashlib.sha256()
         timeout = defaults.getint("downloads", "timeout", fallback=120)
-        size_limit = defaults.getint("slsa.verifier", "max_download_size", fallback=10000000)
+        size_limit = defaults.getint("downloads", "max_download_size", fallback=10000000)
         if not stream_file_with_size_limit(artifact_url, {}, hash_algorithm.update, timeout, size_limit):
             return None
 

tests/integration/cases/django_with_dep_resolution_virtual_env_as_input/config.ini

@@ -1,5 +1,5 @@
 # Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
-[slsa.verifier]
+[downloads]
 max_download_size = 15000000

tests/integration/cases/ossf_scorecard/config.ini

@@ -1,12 +1,12 @@
 # Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
+[downloads]
+max_download_size = 15000000
+
 [analysis.checks]
 exclude =
 include =
     mcn_provenance_expectation_1
     mcn_provenance_verified_1
     mcn_trusted_builder_level_three_1
-
-[slsa.verifier]
-max_download_size = 15000000