oracle · behnazh-w · Jun 6, 2025 · May 30, 2025
@@ -93,7 +93,6 @@ setup: force-upgrade setup-go setup-binaries setup-schemastore
 	go install github.com/CycloneDX/cyclonedx-gomod/cmd/[email protected]
 setup-go:
 	go build -o $(PACKAGE_PATH)/bin/ $(REPO_PATH)/golang/cmd/...
-	go build -o $(PACKAGE_PATH)/bin/cuevalidate.so -buildmode=c-shared $(REPO_PATH)/golang/internal/cue_validator/cue_validator.go
 setup-binaries: $(PACKAGE_PATH)/bin/slsa-verifier $(PACKAGE_PATH)/resources/mvnw $(PACKAGE_PATH)/resources/gradlew souffle gnu-sed
 $(PACKAGE_PATH)/bin/slsa-verifier:
 	git clone --depth 1 https://github.com/slsa-framework/slsa-verifier.git -b v2.6.0

@@ -1,28 +1,28 @@
 # Go module documentation
 ## Quick start
 Prerequisites
-- Go (tested on `go1.17.8 linux/amd64`). Installation instructions [here](https://go.dev/doc/install).
+- Go (tested on `go 1.23.0 linux/amd64`). Installation instructions [here](https://go.dev/doc/install).
 
 - Prepare the required libraries by running this command from the root dir of this repository:
-```
+```bash
 go mod download
 ```
 This command will download all packages as defined in [go.mod](../../../go.mod) and [go.sum](../../../go.sum).
 
 ### Project layout
 This go module follows the Golang project layout as specified in [golang-standards/project-layout](https://github.com/golang-standards/project-layout).
 
-```
+```bash
 macaron
 ├── golang
-│   ├── cmd
-│   │   └── bashparser
-│   ├── internal
-│   │   ├── bashparser
-│   │   ├── cue_validator
-│   │   └── filewriter
-│   ├── pkg
-│   └── README.md
+│   ├── cmd
+│   │   ├── bashparser
+│   │   └── cuevalidator
+│   ├── internal
+│   │   ├── bashparser
+│   │   ├── cuevalidator
+│   │   └── filewriter
+│   └── README.md
 ├── go.mod
 ├── go.sum
 └── <other files in the root repository ...>
@@ -36,32 +36,39 @@ macaron
 
 ### Run the application code directly using Go
 To run an application (in the `cmd` dir), from the root dir of this repository:
-```
+```bash
 go run ./golang/cmd/<app_name>/<app_name>.go [ARGS]
 ```
 
-For example, to run the [actionparser](./cmd/actionparser/README.md) application:
-```
-go run ./golang/cmd/actionparser/actionparser.go -file ./golang/internal/actionparser/resources/valid.yaml
-```
 ### Run the Go tests
 
 To run all the tests, from the root dir of this repository:
+```bash
+make test
 ```
+
+To just run the Go tests:
+```bash
 go test ./golang/...
 ```
 
 To run the tests and record the code coverage, from the root dir of this repository:
-```
+```bash
 go test -cover ./golang/...
 ```
 
 ### Build the executable
 To build an executable of an application in this module:
+
+```bash
+make setup-go
 ```
+
+Alternatively you can run:
+```bash
 go build ./golang/cmd/<app_name>/<app_name>.go
 ```
 This will generate an executable `app_name` in the current directory. We can also change the path of the output executable by using:
-```
+```bash
 go build -o <output_path> ./golang/cmd/<app_name>/<app_name>.go
 ```
@@ -0,0 +1,45 @@
+# CUE Validator
+
+This Go module validates CUE provenance against a policy and extracts analysis targets using [CUE](https://cuelang.org/).
+
+### Run the CUE Validator directly
+
+To run the validator, from the root directory of this repository:
+
+```bash
+go run ./golang/cmd/cuevalidator/cuevalidator.go -h
+```
+
+
+#### Commands:
+
+- `-target-policy <cue-policy-path>`: The CUE policy path from which to extract the target.
+- `-validate-policy <cue-policy-path>`: The CUE policy path to validate the provenance against.
+- `-validate-provenance <provenance-path>`: The provenance payload path to validate.
+
+### Examples:
+
+1. **Extract Target from Policy**  
+   To extract the target from a CUE policy, use the following command:
+
+```bash
+go run ./golang/cmd/cuevalidator/cuevalidator.go -target-policy <path-to-cue-policy>
+```
+
+Output:
+
+```bash
+pkg:maven/io.micronaut/micronaut-core
+```
+
+2. **Validate Provenance Against Policy**  
+To validate provenance against a policy, use the following command:
+
+```bash
+go run ./golang/cmd/cuevalidator/cuevalidator.go -validate-policy <path-to-cue-policy> -validate-provenance <path-to-provenance-payload>
+```
+
+### Error Handling:
+
+- If required arguments are missing or invalid, the program will print an error message to `stderr` and exit with a non-zero status code.
+- If the validation fails, an error message will be printed, and the program will exit with an appropriate error code.
@@ -0,0 +1,110 @@
+/* Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved. */
+/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
+
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+
+	"github.com/oracle/macaron/golang/internal/cuevalidator"
+)
+
+// Utility function to handle file reading and errors.
+func readFile(path string) ([]byte, error) {
+	content, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read file '%s': %w", path, err)
+	}
+	return content, nil
+}
+
+// Handle validation errors.
+func handleError(message string, code int) {
+	fmt.Fprintln(os.Stderr, message)
+	os.Exit(code)
+}
+
+// Main entry point for the CUE Validator tool.
+// This function processes command-line flags to execute one of the following commands:
+// - Extract a target from a CUE policy (using -target-policy flag).
+// - Validate provenance against a CUE policy (using -validate-policy and -validate-provenance flags).
+//
+// Params:
+//
+//	-target-policy <CUE_POLICY>: the CUE policy to extract the target from.
+//	-validate-policy <CUE_POLICY>: the CUE policy to validate the provenance against.
+//	-validate-provenance <PROVENANCE_DATA>: the provenance data to validate.
+//
+// Return code:
+//
+//	0 - If the target is successfully extracted or the provenance validation finishes with no errors.
+//	1 - If there is a missing required argument or invalid command usage.
+//	2 - If an error occurs during validation (e.g., invalid provenance or policy).
+//
+// Usage:
+//
+//  1. To extract the target from a policy:
+//     go run cuevalidator.go -target-policy <CUE_POLICY>
+//     Output: The extracted target will be printed to stdout.
+//
+//  2. To validate provenance against a policy:
+//     go run cuevalidator.go -validate-policy <CUE_POLICY> -validate-provenance <PROVENANCE_DATA>
+//     Output: A success or failure message will be printed based on the validation result.
+func main() {
+	// Define flags for the target command.
+	targetPolicy := flag.String("target-policy", "", "Path to CUE policy to extract the target from.")
+
+	// Define flags for the validate command
+	validatePolicy := flag.String("validate-policy", "", "Path to CUE policy to validate against.")
+	validateProvenance := flag.String("validate-provenance", "", "Path to provenance data to validate.")
+
+	// Parse flags
+	flag.Parse()
+
+	// Handle 'target-policy' command.
+	if *targetPolicy != "" {
+		policyContent, err := readFile(*targetPolicy)
+		if err != nil {
+			handleError(err.Error(), 2)
+		}
+
+		result := cuevalidator.Target(string(policyContent))
+		if result == "" {
+			handleError("Error: Unable to extract target from policy.", 2)
+		}
+
+		fmt.Print(result)
+		return
+	}
+
+	// Handle 'validate' command.
+	if *validatePolicy != "" && *validateProvenance != "" {
+		policyContent, err := readFile(*validatePolicy)
+		if err != nil {
+			handleError(err.Error(), 2)
+		}
+
+		provenanceContent, err := readFile(*validateProvenance)
+		if err != nil {
+			handleError(err.Error(), 2)
+		}
+
+		result := cuevalidator.Validate(string(policyContent), string(provenanceContent))
+		switch result {
+		case 1:
+			fmt.Print("True")
+			os.Exit(0)
+		case 0:
+			fmt.Print("False")
+			os.Exit(0)
+		default:
+			handleError("Error: Validation encountered an issue.", 2)
+		}
+		return
+	}
+
+	// If no valid command was given, print usage message
+	handleError("Error: Missing required arguments for target or validate command.", 1)
+}