diff --git a/docs/source/index.rst b/docs/source/index.rst
index 87d1ea5c5..b1a531414 100644
--- a/docs/source/index.rst
+++ b/docs/source/index.rst
@@ -74,6 +74,9 @@ the requirements that are currently supported by Macaron.
 * - 3
 - **Build as code** - If a trusted builder is not present, this requirement determines that the build definition and configuration executed by the build service is verifiably derived from text file definitions stored in a version control system.
 - Identify and validate the CI service(s) used to build and deploy/publish an artifact.
+ * - 3
+ - **Infer artifact publish pipeline** - When a provenance is not available, checks whether a CI workflow run has automatically published the artifact.
+ - Identify a workflow run that has triggered the deploy step determined by the ``Build as code`` check.
 * - 3
 - **Provenance Level three** - Check whether the target has SLSA provenance level 3.
 - Use the `slsa-verifier `_ to attest to the subjects in the SLSA provenance that accompanies an artifact.
diff --git a/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.checks.rst b/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.checks.rst
index c059b397b..7d47e7260 100644
--- a/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.checks.rst
+++ b/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.checks.rst
@@ -49,6 +49,14 @@ macaron.slsa\_analyzer.checks.check\_result module
 :undoc-members:
 :show-inheritance:
+macaron.slsa\_analyzer.checks.infer\_artifact\_pipeline\_check module
+---------------------------------------------------------------------
+
+.. automodule:: macaron.slsa_analyzer.checks.infer_artifact_pipeline_check
+ :members:
+ :undoc-members:
+ :show-inheritance:
+
 macaron.slsa\_analyzer.checks.provenance\_available\_check module
 -----------------------------------------------------------------
diff --git a/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.package_registry.rst b/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.package_registry.rst
index 86b11540b..ec97303d1 100644
--- a/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.package_registry.rst
+++ b/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.package_registry.rst
@@ -17,6 +17,14 @@ macaron.slsa\_analyzer.package\_registry.jfrog\_maven\_registry module
 :undoc-members:
 :show-inheritance:
+macaron.slsa\_analyzer.package\_registry.maven\_central\_registry module
+------------------------------------------------------------------------
+
+.. automodule:: macaron.slsa_analyzer.package_registry.maven_central_registry
+ :members:
+ :undoc-members:
+ :show-inheritance:
+
 macaron.slsa\_analyzer.package\_registry.package\_registry module
 -----------------------------------------------------------------
diff --git a/docs/source/pages/supported_technologies/index.rst b/docs/source/pages/supported_technologies/index.rst
index f8c0a635b..fd263bd0a 100644
--- a/docs/source/pages/supported_technologies/index.rst
+++ b/docs/source/pages/supported_technologies/index.rst
@@ -41,6 +41,9 @@ Package Registries
 * - `JFrog Artifactory `_
 - Only projects built with Gradle and publishing to a JFrog Artifactory repo following `Maven layout `_
 - :doc:`page `
+ * - `Maven Central Artifactory `_
+ - Only projects built with Gradle or Maven and published to the Maven Central Artifactory.
+ - :doc:`page `
 -----------
 Provenances
@@ -70,3 +73,4 @@ See also
 jfrog
 witness
+ maven_central
diff --git a/docs/source/pages/supported_technologies/maven_central.rst b/docs/source/pages/supported_technologies/maven_central.rst
new file mode 100644
index 000000000..4b3f0f5d6
--- /dev/null
+++ b/docs/source/pages/supported_technologies/maven_central.rst
@@ -0,0 +1,6 @@
+.. Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+.. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+=============
+Maven Central
+=============
diff --git a/scripts/dev_scripts/integration_tests.sh b/scripts/dev_scripts/integration_tests.sh
index 11fdb61dc..78cd2689c 100755
--- a/scripts/dev_scripts/integration_tests.sh
+++ b/scripts/dev_scripts/integration_tests.sh
@@ -267,6 +267,16 @@ python $COMPARE_JSON_OUT $JSON_RESULT $JSON_EXPECTED || log_fail
 # python $COMPARE_DEPS $DEP_RESULT $DEP_EXPECTED || log_fail
+echo -e "\n----------------------------------------------------------------------------------"
+echo "google/guava: Analyzing with PURL and repository path without dependency resolution."
+echo -e "----------------------------------------------------------------------------------\n"
+JSON_EXPECTED=$WORKSPACE/tests/e2e/expected_results/purl/com_google_guava/guava/guava.json
+JSON_RESULT=$WORKSPACE/output/reports/maven/com_google_guava/guava/guava.json
+$RUN_MACARON analyze -purl pkg:maven/com.google.guava/guava@32.1.2-jre?type=jar -rp https://github.com/google/guava -b master -d d8633ac8539dae52c8361f79c7a0dbd9ad6dd2c4 --skip-deps || log_fail
+
+python $COMPARE_JSON_OUT $JSON_RESULT $JSON_EXPECTED || log_fail
+
+
 # Running Macaron using local paths.
 echo -e "\n=================================================================================="
 echo "Run integration tests with local paths for apache/maven..."
diff --git a/src/macaron/config/defaults.ini b/src/macaron/config/defaults.ini
index 7170394e5..5710a19b8 100644
--- a/src/macaron/config/defaults.ini
+++ b/src/macaron/config/defaults.ini
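Review bot: The `-purl` value on the new `$RUN_MACARON analyze` line is unquoted although it contains `?`, a shell glob metacharacter; it only stays literal because nothing in the working directory happens to match, so quote it: `$RUN_MACARON analyze -purl "pkg:maven/com.google.guava/guava@32.1.2-jre?type=jar" -rp https://github.com/google/guava -b master -d d8633ac8539dae52c8361f79c7a0dbd9ad6dd2c4 --skip-deps || log_fail`. As far as the rest of the commit shows, this case is the one that exercises the new Maven Central publish-timestamp lookup and the GitHub workflow-run search, so its expected JSON depends on live remote state rather than only on the pinned commit; a one-line comment above the case saying so (`# Exercises the Maven Central and GitHub Actions API lookups; expected output depends on remote state.`) would save the next person who sees it fail some time.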
@@ -375,10 +375,20 @@ predicate_types = https://witness.testifysec.com/attestation-collection/v0.1
 artifact_extensions = jar
- # Package registries.
+[package_registry]
+# The allowed time range (in seconds) from a deploy workflow run start time to publish time.
+publish_time_range = 3600
+
 # [package_registry.jfrog.maven]
 # In this example, the Maven repo can be accessed at `https://internal.registry.org/repo-name`.
 # hostname = internal.registry.org
 # repo = repo-name
 # download_timeout = 120
+
+[package_registry.maven_central]
+# Maven Central host name.
+hostname = search.maven.org
+# The search REST API. See https://central.sonatype.org/search/rest-api-guide/
+search_endpoint = solrsearch/select
+request_timeout = 20
diff --git a/src/macaron/dependency_analyzer/cyclonedx.py b/src/macaron/dependency_analyzer/cyclonedx.py
index 386624370..61d2e924f 100644
--- a/src/macaron/dependency_analyzer/cyclonedx.py
+++ b/src/macaron/dependency_analyzer/cyclonedx.py
@@ -174,6 +174,7 @@ def convert_components_to_artifacts(
 version=component.get("version") or "",
 group=component.get("group") or "",
 name=component.get("name") or "",
+ purl=component.get("purl") or "",
 url="",
 note="",
 available=SCMStatus.AVAILABLE,
diff --git a/src/macaron/dependency_analyzer/dependency_resolver.py b/src/macaron/dependency_analyzer/dependency_resolver.py
index 9fa742eb0..1a16d3f49 100644
--- a/src/macaron/dependency_analyzer/dependency_resolver.py
+++ b/src/macaron/dependency_analyzer/dependency_resolver.py
@@ -34,6 +34,7 @@ class DependencyInfo(TypedDict):
 version: str
 group: str
 name: str
+ purl: str
 url: str
 note: str
 available: SCMStatus
@@ -262,6 +263,7 @@ def merge_configs(
 Configuration(
 {
 "id": key,
+ "purl": value.get("purl"),
 "path": value.get("url"),
 "branch": "",
 "digest": "",
diff --git a/src/macaron/errors.py b/src/macaron/errors.py
index 26ee534b4..7847c1b38 100644
--- a/src/macaron/errors.py
+++ b/src/macaron/errors.py
@@ -50,3 +50,7 @@ class InvalidPURLError(MacaronError):
 class DuplicateError(MacaronError):
 """The class for errors for duplicated data."""
+
+
+class InvalidHTTPResponseError(MacaronError):
+ """Happens when the HTTP response is invalid or unexpected."""
diff --git a/src/macaron/parsers/bashparser.py b/src/macaron/parsers/bashparser.py
index fe7266799..ce6acc194 100644
--- a/src/macaron/parsers/bashparser.py
+++ b/src/macaron/parsers/bashparser.py
@@ -33,6 +33,10 @@ class BashCommands(TypedDict):
 """CI service type."""
 commands: list[list[str]]
 """Parsed bash commands."""
+ job_name: str
+ """The name of the job where commands were called."""
+ step_name: str
+ """The name of the step where commands were called."""
 def parse_file(file_path: str, macaron_path: str = "") -> dict:
@@ -119,6 +123,8 @@ def extract_bash_from_ci(
 recursive: bool = False,
 repo_path: str = "",
 working_dir: str = "",
+ job_name: str = "",
+ step_name: str = "",
 ) -> Iterable[BashCommands]:
 """Parse the bash scripts triggered from CI.
@@ -140,6 +146,10 @@ def extract_bash_from_ci(
 working_dir : str
 The working directory from which the bash script has run. Empty value is considered as the root of the repo.
+ job_name: str
+ The name of the job where commands were called.
+ step_name: str
+ The name of the step where commands were called.
 Yields
 ------
@@ -152,7 +162,14 @@ def extract_bash_from_ci(
 parsed_parent = parse(bash_content)
 caller_commands = parsed_parent.get("commands", [])
 if caller_commands:
- yield BashCommands(caller_path=ci_file, CI_path=ci_file, CI_type=ci_type, commands=caller_commands)
+ yield BashCommands(
+ caller_path=ci_file,
+ CI_path=ci_file,
+ CI_type=ci_type,
+ commands=caller_commands,
+ job_name=job_name,
+ step_name=step_name,
+ )
 # Parse the bash script files called from the current script.
 if recursive and repo_path:
@@ -170,4 +187,6 @@ def extract_bash_from_ci(
 CI_path=ci_file,
 CI_type=ci_type,
 commands=callee_commands,
+ job_name=job_name,
+ step_name=step_name,
 )
diff --git a/src/macaron/slsa_analyzer/checks/build_as_code_check.py b/src/macaron/slsa_analyzer/checks/build_as_code_check.py
index e9692ee7b..959c9974e 100644
--- a/src/macaron/slsa_analyzer/checks/build_as_code_check.py
+++ b/src/macaron/slsa_analyzer/checks/build_as_code_check.py
@@ -188,7 +188,7 @@ def _check_build_tool(
 ctx.component.repository.branch_name,
 ctx.component.repository.commit_sha,
 ctx.component.repository.commit_date,
- os.path.basename(callee.caller_path),
+ callee.caller_path,
 )
 # TODO: include in the justification multiple cases of external action usage
@@ -253,7 +253,7 @@ def _check_build_tool(
 ctx.component.repository.branch_name,
 ctx.component.repository.commit_sha,
 ctx.component.repository.commit_date,
- os.path.basename(bash_cmd["CI_path"]),
+ bash_cmd["CI_path"],
 )
 justification_cmd: list[str | dict[str, str]] = [
@@ -283,6 +283,8 @@ def _check_build_tool(
 "sha1"
 ] = ctx.component.repository.commit_sha
 predicate["invocation"]["configSource"]["entryPoint"] = trigger_link
+ predicate["buildConfig"]["jobID"] = bash_cmd["job_name"]
+ predicate["buildConfig"]["stepID"] = bash_cmd["step_name"]
 predicate["metadata"]["buildInvocationId"] = html_url
 check_result["result_tables"].append(
 BuildAsCodeFacts(
diff --git a/src/macaron/slsa_analyzer/checks/infer_artifact_pipeline_check.py b/src/macaron/slsa_analyzer/checks/infer_artifact_pipeline_check.py
new file mode 100644
index 000000000..4a30e6271
--- /dev/null
+++ b/src/macaron/slsa_analyzer/checks/infer_artifact_pipeline_check.py
@@ -0,0 +1,209 @@
+# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""This module contains the InferArtifactPipelineCheck class to check if an artifact is published from a pipeline automatically."""
+
+import logging
+
+from sqlalchemy import ForeignKey
+from sqlalchemy.orm import Mapped, mapped_column
+from sqlalchemy.sql.sqltypes import String
+
+from macaron.config.defaults import defaults
+from macaron.database.table_definitions import CheckFacts
+from macaron.errors import InvalidHTTPResponseError
+from macaron.slsa_analyzer.analyze_context import AnalyzeContext
+from macaron.slsa_analyzer.build_tool.gradle import Gradle
+from macaron.slsa_analyzer.build_tool.maven import Maven
+from macaron.slsa_analyzer.checks.base_check import BaseCheck
+from macaron.slsa_analyzer.checks.check_result import CheckResult, CheckResultType
+from macaron.slsa_analyzer.ci_service.base_ci_service import NoneCIService
+from macaron.slsa_analyzer.package_registry.maven_central_registry import MavenCentralRegistry
+from macaron.slsa_analyzer.provenance.intoto import InTotoV01Payload
+from macaron.slsa_analyzer.registry import registry
+from macaron.slsa_analyzer.slsa_req import ReqName
+from macaron.slsa_analyzer.specs.package_registry_spec import PackageRegistryInfo
+
+logger: logging.Logger = logging.getLogger(__name__)
+
+
+class InferArtifactPipelineFacts(CheckFacts):
+ """The ORM mapping for justifications of the infer_artifact_pipeline check."""
+
+ __tablename__ = "_infer_artifact_pipeline_check"
+
+ #: The primary key.
+ id: Mapped[int] = mapped_column(ForeignKey("_check_facts.id"), primary_key=True) # noqa: A003
+
+ #: The workflow job that triggered deploy.
+ deploy_job: Mapped[str] = mapped_column(String, nullable=False)
+
+ #: The workflow step that triggered deploy.
+ deploy_step: Mapped[str] = mapped_column(String, nullable=False)
+
+ #: The workflow run URL.
+ run_url: Mapped[str] = mapped_column(String, nullable=False)
+
+ __mapper_args__ = {
+ "polymorphic_identity": "_infer_artifact_pipeline_check",
+ }
+
+
+class InferArtifactPipelineCheck(BaseCheck):
+ """This check detects a potential pipeline from which an artifact is published.
+
+ When a verifiable provenance is found for an artifact, the result of this check can be discarded.
+ Otherwise, we check whether a CI workflow run has automatically published the artifact.
+
+ We use several heuristics in this check:
+
+ * The workflow run should have started before the artifact is published.
+ * The workflow step that calls a deploy command should have run successfully.
+ * The workflow step that calls a deploy command should have started before the artifact is published.
+
+ Note: due to a limitation, we cannot specify the provenance checks as parents of this
+ check because a check cannot have more than one parent in the current design. It would
+ be good to skip this with a success result if the relevant provenance checks pass in the future.
+ """
+
+ def __init__(self) -> None:
+ """Initialize the InferArtifactPipeline instance."""
+ check_id = "mcn_infer_artifact_pipeline_1"
+ description = "Detects potential pipelines from which an artifact is published."
+ depends_on = [("mcn_build_as_code_1", CheckResultType.PASSED)]
+ eval_reqs = [ReqName.BUILD_AS_CODE]
+ super().__init__(
+ check_id=check_id,
+ description=description,
+ depends_on=depends_on,
+ eval_reqs=eval_reqs,
+ result_on_skip=CheckResultType.FAILED,
+ )
+
+ def run_check(self, ctx: AnalyzeContext, check_result: CheckResult) -> CheckResultType:
+ """Implement the check in this method.
+
+ Parameters
+ ----------
+ ctx : AnalyzeContext
+ The object containing processed data for the target repo.
+ check_result : CheckResult
+ The object containing result data of a check.
+
+ Returns
+ -------
+ CheckResultType
+ The result type of the check (e.g. PASSED).
+ """
+ # This check requires the build_as_code check to pass and a repository to be available.
+ if not ctx.component.repository:
+ check_result["justification"] = [
+ "Unable to find a potential workflow run for the artifact because no repository is available."
+ ]
+ return CheckResultType.FAILED
+
+ # Look for the artifact in the corresponding registry and find the publish timestamp.
+ artifact_published_date = None
+ package_registry_info_entries = ctx.dynamic_data["package_registries"]
+ for package_registry_info_entry in package_registry_info_entries:
+ match package_registry_info_entry:
+ # TODO: add package registries for other ecosystems.
+ case PackageRegistryInfo(
+ build_tool=Gradle() | Maven(),
+ package_registry=MavenCentralRegistry() as mvn_central_registry,
+ ):
+ group_id = ctx.component.namespace
+ artifact_id = ctx.component.name
+ version = ctx.component.version
+ try:
+ artifact_published_date = mvn_central_registry.find_publish_timestamp(
+ group_id, artifact_id, version
+ )
+ except InvalidHTTPResponseError as error:
+ logger.debug(error)
+
+ # This check requires the artifact publish artifact to proceed. If the timestamp is not
+ # found, we return with a fail result.
+ if not artifact_published_date:
+ check_result["justification"] = ["Unable to find a publishing timestamp for the artifact."]
+ return CheckResultType.FAILED
+
+ # Obtain the metadata inferred by the build_as_code check, which is stored in the `provenances`
+ # attribute of the corresponding CI service.
+ ci_services = ctx.dynamic_data["ci_services"]
+ for ci_info in ci_services:
+ ci_service = ci_info["service"]
+ # Checking if a CI service is discovered for this repo.
+ if isinstance(ci_service, NoneCIService):
+ continue
+
+ if ctx.dynamic_data["is_inferred_prov"] and ci_info["provenances"]:
+ for inferred_prov in ci_info["provenances"]:
+ # Skip processing the inferred provenance if it does not conform with the in-toto v0.1 specification.
+ if not isinstance(inferred_prov, InTotoV01Payload):
+ continue
+
+ # This check requires the job and step calling the deploy command.
+ # Validate the content of inferred_prov.
+ predicate = inferred_prov.statement["predicate"]
+ if (
+ not predicate
+ or not isinstance(predicate["invocation"], dict)
+ or "configSource" not in predicate["invocation"]
+ or not isinstance(predicate["invocation"]["configSource"], dict)
+ or "entryPoint" not in predicate["invocation"]["configSource"]
+ or not isinstance(predicate["invocation"]["configSource"]["entryPoint"], str)
+ ):
+ continue
+ if (
+ not isinstance(predicate["buildConfig"], dict)
+ or "jobID" not in predicate["buildConfig"]
+ or not isinstance(predicate["buildConfig"]["jobID"], str)
+ or "stepID" not in predicate["buildConfig"]
+ or not isinstance(predicate["buildConfig"]["stepID"], str)
+ ):
+ continue
+ try:
+ publish_time_range = defaults.getint("package_registries", "publish_time_range", fallback=3600)
+ except ValueError as error:
+ logger.error(
+ "Configuration error: publish_time_range in section of package_registries is not a valid integer %s.",
+ error,
+ )
+ check_result["justification"] = [
+ "Unable to find a potential workflow run for the artifact due to configuration issues."
+ ]
+ return CheckResultType.FAILED
+
+ # Find the potential workflow runs.
+ if html_urls := ci_service.workflow_run_in_date_time_range(
+ repo_full_name=ctx.component.repository.full_name,
+ workflow=predicate["invocation"]["configSource"]["entryPoint"],
+ date_time=artifact_published_date,
+ step_name=predicate["buildConfig"]["stepID"],
+ time_range=publish_time_range,
+ ):
+ for html_url in html_urls:
+ justification: list[str | dict[str, str]] = [
+ {
+ f"The artifact is potentially published by workflow"
+ f" job '{predicate['buildConfig']['jobID']}' at"
+ f" step '{predicate['buildConfig']['stepID']}' "
+ "triggered by": html_url,
+ },
+ ]
+ check_result["justification"].extend(justification)
+ check_result["result_tables"].append(
+ InferArtifactPipelineFacts(
+ deploy_job=predicate["buildConfig"]["jobID"],
+ deploy_step=predicate["buildConfig"]["stepID"],
+ run_url=html_url,
+ )
+ )
+ return CheckResultType.PASSED
+
+ check_result["justification"] = ["Unable to find a potential workflow run for the artifact."]
+ return CheckResultType.FAILED
+
+
+registry.register(InferArtifactPipelineCheck())
diff --git a/src/macaron/slsa_analyzer/ci_service/base_ci_service.py b/src/macaron/slsa_analyzer/ci_service/base_ci_service.py
index 6106dafb3..15f3d0799 100644
--- a/src/macaron/slsa_analyzer/ci_service/base_ci_service.py
+++ b/src/macaron/slsa_analyzer/ci_service/base_ci_service.py
@@ -7,6 +7,7 @@ import os
 from abc import abstractmethod
 from collections.abc import Iterable
+from datetime import datetime
 from macaron.code_analyzer.call_graph import BaseNode, CallGraph
 from macaron.parsers.bashparser import BashCommands
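Review bot: `defaults.getint("package_registries", "publish_time_range", fallback=3600)` in `run_check` reads a section that the configuration in this commit does not define: defaults.ini adds `[package_registry]` with `publish_time_range = 3600`, and the registry sections are `package_registry.jfrog.maven` and `package_registry.maven_central`, so the configured value is never read, the fallback always wins, and the `ValueError` branch with its log message is effectively dead. Change it to `publish_time_range = defaults.getint("package_registry", "publish_time_range", fallback=3600)` (and the section name in the log text), and hoist the lookup above the `for ci_info in ci_services` loop since it does not depend on the loop variables. The predicate validation indexes `predicate["invocation"]` and `predicate["buildConfig"]` before confirming those keys exist, so a predicate missing either one raises `KeyError` instead of reaching the `continue`; `predicate.get("invocation")` / `predicate.get("buildConfig")` keeps the guard total. Nothing in the accepted run is tied to the analysed commit (`ctx.component.repository.commit_sha`), so the class docstring should state that a successful run of the named step on any ref inside the window is accepted, which is what makes this a heuristic rather than provenance.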
@@ -195,6 +196,43 @@ def has_latest_run_passed(
 """
 raise NotImplementedError
+ # pylint: disable=unused-argument
+ def workflow_run_in_date_time_range(
+ self,
+ repo_full_name: str,
+ workflow: str,
+ date_time: datetime,
+ step_name: str,
+ time_range: int = 0,
+ ) -> set[str]:
+ """Check if the repository has a workflow run started before the date_time timestamp within the time_range.
+
+ - This method queries the list of workflow runs using the GitHub API for the provided repository full name.
+ - It will filter out the runs that are not triggered by the given workflow.
+ - It will only accept the runs that from `date_time - time_range` to `date_time`.
+ - If a `step_name` is provided, checks that it has started before the `date_time` and has succeeded.
+
+ Parameters
+ ----------
+ repo_full_name : str
+ The target repo's full name.
+ workflow : str
+ The workflow URL.
+ date_time: datetime
+ The datetime object to query.
+ step_name: str
+ The step in the GitHub Action workflow that needs to be checked.
+ time_range: int
+ The date-time range in seconds. The default value is 0.
+ For example a 30 seconds range for 2022-11-05T20:30 is 2022-11-05T20:15..2022-11-05T20:45.
+
+ Returns
+ -------
+ set[str]
+ The set of URLs found for the workflow within the time range.
+ """
+ return set()
+
 class NoneCIService(BaseCIService):
 """This class can be used to initialize an empty CI service."""
diff --git a/src/macaron/slsa_analyzer/ci_service/github_actions.py b/src/macaron/slsa_analyzer/ci_service/github_actions.py
index 011a273a8..4e63a4ef2 100644
--- a/src/macaron/slsa_analyzer/ci_service/github_actions.py
+++ b/src/macaron/slsa_analyzer/ci_service/github_actions.py
@@ -7,7 +7,7 @@ import logging
 import os
 from collections.abc import Iterable
-from datetime import datetime, timezone
+from datetime import datetime, timedelta, timezone
 from enum import Enum
 from macaron.code_analyzer.call_graph import BaseNode, CallGraph
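Review bot: The `time_range` example in the `workflow_run_in_date_time_range` docstring contradicts the behaviour the bullets above it describe: the bullets say runs are accepted from `date_time - time_range` to `date_time` (a one-sided window), while the example gives a symmetric `20:15..20:45` window for a "30 seconds" range, which is also thirty minutes wide. The same docstring is repeated verbatim in the github_actions.py override later in this commit, so both copies need the fix, e.g. `For example, a 3600 seconds range for 2022-11-05T20:30 is 2022-11-05T19:30..2022-11-05T20:30.` This base-class text also says the method queries "the GitHub API", which only holds for the GitHubActions subclass; the abstract docstring should state the contract (which runs qualify) and leave the API to the override. It would help to add that the default implementation returns an empty set, so a CI service without an override never contributes a match.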
@@ -289,6 +289,8 @@ def extract_all_bash(self, callgraph: CallGraph, macaron_path: str = "") -> Iter
 recursive=True,
 repo_path=callgraph.repo_path,
 working_dir=step["Exec"]["WorkingDirectory"] or "",
+ job_name=job.get("ID")["Value"] if job.get("ID") else "",
+ step_name=step.get("Name")["Value"] if step.get("Name") else "",
 )
 def has_latest_run_passed(
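Review bot: `step.get("Name")["Value"] if step.get("Name") else ""` yields an empty `step_name` for every workflow step that has no explicit `name:`, and as far as I can see the later matching in `workflow_run_in_date_time_range` compares that value with the step name reported by the GitHub API (which GitHub auto-generates for unnamed steps), so an unnamed deploy step can never be matched and the infer-pipeline check fails for such workflows. That limitation deserves a comment at this call site, `# Unnamed steps yield "" and cannot be matched against the run's step names.`, or a fallback if the parser exposes an equivalent identifier. The doubled `.get()` per line can be collapsed with a walrus: `job_name=job_id["Value"] if (job_id := job.get("ID")) else "",` and likewise for `step_name`. The enclosing `extract_all_bash` starts outside the hunk.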
@@ -410,6 +412,117 @@ def has_latest_run_passed(
 return ""
+ def workflow_run_in_date_time_range(
+ self,
+ repo_full_name: str,
+ workflow: str,
+ date_time: datetime,
+ step_name: str,
+ time_range: int = 0,
+ ) -> set[str]:
+ """Check if the repository has a workflow run started before the date_time timestamp within the time_range.
+
+ - This method queries the list of workflow runs using the GitHub API for the provided repository full name.
+ - It will filter out the runs that are not triggered by the given workflow.
+ - It will only accept the runs that from `date_time - time_range` to `date_time`.
+ - If a `step_name` is provided, checks that it has started before the `date_time` and has succeeded.
+
+ Parameters
+ ----------
+ repo_full_name : str
+ The target repo's full name.
+ workflow : str
+ The workflow URL.
+ date_time: datetime
+ The datetime object to query.
+ step_name: str
+ The step in the GitHub Action workflow that needs to be checked.
+ time_range: int
+ The date-time range in seconds. The default value is 0.
+ For example a 30 seconds range for 2022-11-05T20:30 is 2022-11-05T20:15..2022-11-05T20:45.
+
+ Returns
+ -------
+ set[str]
+ The set of URLs found for the workflow within the time range.
+ """
+ logger.debug(
+ "Getting the latest workflow run of %s at %s within time range %s",
+ workflow,
+ str(date_time),
+ str(time_range),
+ )
+
+ html_urls: set[str] = set()
+ try:
+ datetime_from = date_time - timedelta(seconds=time_range)
+ except (OverflowError, OSError, TypeError) as error:
+ logger.debug(error)
+ return html_urls
+
+ # Perform the search.
+ logger.debug("Search for the workflow runs within the range.")
+ try:
+ run_data = self.api_client.get_workflow_run_for_date_time_range(
+ repo_full_name, f"{datetime_from.isoformat()}..{date_time.isoformat()}"
+ )
+ except ValueError as error:
+ logger.debug(error)
+ return html_urls
+
+ if not run_data:
+ logger.debug("Unable to find any run data for the workflow %s", workflow)
+ return html_urls
+
+ logger.debug("Checking workflow run of %s.", workflow)
+ try:
+ # iterate through the responses in reversed order to add the run
+ # closest to the `date_time - time_range` timestamp first.
+ for item in reversed(run_data["workflow_runs"]):
+ # The workflow parameter contains the URL to the workflow.
+ # So we need to check that item["path"] is a substring of it.
+ if item["path"] in workflow:
+ run_jobs = self.api_client.get_workflow_run_jobs(repo_full_name, item["id"])
+ if not run_jobs:
+ continue
+
+ # Find the matching step and check its `conclusion` and `started_at` attributes.
+ for job in run_jobs["jobs"]:
+ for step in job["steps"]:
+ if step["name"] != step_name or step["conclusion"] != "success":
+ continue
+ try:
+ if datetime.fromisoformat(step["started_at"]) < date_time:
+ run_id: str = item["id"]
+ html_url: str = item["html_url"]
+ logger.info(
+ "The workflow run status of %s (id = %s, url = %s, step = %s) is %s.",
+ workflow,
+ run_id,
+ html_url,
+ step["name"],
+ step["conclusion"],
+ )
+ html_urls.add(html_url)
+ else:
+ logger.debug(
+ "The workflow start run %s happened after %s with status %s.",
+ datetime.fromisoformat(step["started_at"]),
+ date_time,
+ step["conclusion"],
+ )
+ # Handle errors for calls to `fromisoformat()` and the time comparison.
+ except (ValueError, OverflowError, OSError, TypeError) as error:
+ logger.debug(error)
+ except KeyError as key_error:
+ logger.debug(
+ "Unable to read data of %s from the GitHub API result. 
Error: %s",
+ workflow,
+ str(key_error),
+ )
+
+ return html_urls
+
+ def search_for_workflow_run(
+ self,
+ workflow_id: str,
diff --git a/src/macaron/slsa_analyzer/git_service/api_client.py b/src/macaron/slsa_analyzer/git_service/api_client.py
index de90498b4..5ac0f0cd4 100644
--- a/src/macaron/slsa_analyzer/git_service/api_client.py
+++ b/src/macaron/slsa_analyzer/git_service/api_client.py
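Review bot: The single `try`/`except KeyError` wrapped around the whole `for item in reversed(run_data["workflow_runs"])` loop means one run, job or step record that lacks any of the indexed keys (`path`, `id`, `jobs`, `steps`, `name`, `conclusion`, `started_at`) aborts the scan of every remaining run and returns whatever was collected so far; moving the `try` inside the loop body, per `item`, keeps one malformed record from hiding the others. Nothing ties an accepted run to the analysed commit: any successful run of the named step on any ref inside the window qualifies, so consider passing the commit SHA through and comparing it with the run's `head_sha` (or at least `head_branch`), and state the limitation in the docstring. `run_id: str = item["id"]` annotates the run id as a string although the API returns it as an integer; the `%s` formatting works either way, but the annotation misleads and the same value is passed to `get_workflow_run_jobs(..., run_id: str)`. If the project's minimum Python were below 3.11, `datetime.fromisoformat` would reject the trailing `Z` in GitHub's `started_at` values and the `except ValueError` below would silently drop every step; if 3.11+ is guaranteed this is fine but worth a one-line comment, `# Requires Python 3.11+ for fromisoformat() to accept the trailing "Z".`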
@@ -264,6 +264,79 @@ def get_workflow_runs(self, full_name: str, branch_name: str, created_after: str
 return response_data
+ def get_workflow_run_jobs(self, full_name: str, run_id: str) -> dict:
+ """Query the GitHub REST API for the workflow run jobs.
+
+ The url would be in the following form:
+ ``https://api.github/com/repos/{full_name}/actions/runs//jobs``
+
+ Parameters
+ ----------
+ full_name : str
+ The full name of the target repo in the form ``owner/repo``.
+ run_id : str
+ The target workflow run ID.
+
+ Returns
+ -------
+ dict
+ The json query result or an empty dict if failed.
+
+ Examples
+ --------
+ The following call to this method will perform a query to
+ ``https://api.github/com/repos/{full_name}/
+ actions/runs//jobs``
+
+ >>> gh_client.get_workflow_run_jobs(
+ full_name="owner/repo",
+ run_id=
+ )
+ """
+ logger.debug("Query GitHub to get run jobs for %s with run ID %s", full_name, run_id)
+
+ url = f"{GhAPIClient._REPO_END_POINT}/{full_name}/actions/runs/{run_id}/jobs"
+ response_data = send_get_http(url, self.headers)
+
+ return response_data
+
+ def get_workflow_run_for_date_time_range(self, full_name: str, datetime_range: str) -> dict:
+ """Query the GitHub REST API for the workflow run within a datetime range.
+
+ The url would be in the following form:
+ ``https://api.github.com/repos/{full_name}/actions/runs?create=datetime-range``
+
+ Parameters
+ ----------
+ full_name : str
+ The full name of the target repo in the form ``owner/repo``.
+ datetime_range : str
+ The datetime range to query.
+
+ Returns
+ -------
+ dict
+ The json query result or an empty dict if failed.
+
+ Examples
+ --------
+ The following call to this method will perform a query to
+ ``https://api.github/com/repos/owner/repo/actions/runs?created=2022-11-05T20:38:40..2022-11-05T20:38:58``
+
+ >>> e.g., gh_client.get_workflow_run_for_date_time_range(
+ full_name="owner/repo",
+ created=2022-11-05T20:38:40..2022-11-05T20:38:58
+ )
+ """
+ logger.debug("Query GitHub to get run details for %s at %s", full_name, datetime_range)
+ query_params = {"created": datetime_range}
+
+ encoded_params = construct_query(query_params)
+ url = f"{GhAPIClient._REPO_END_POINT}/{full_name}/actions/runs?" + encoded_params
+ response_data = send_get_http(url, self.headers)
+
+ return response_data
+
 def get_commit_data_from_hash(self, full_name: str, commit_hash: str) -> dict:
 """Query the GitHub API for the data of a commit using the hash for that commit.
diff --git a/src/macaron/slsa_analyzer/package_registry/__init__.py b/src/macaron/slsa_analyzer/package_registry/__init__.py
index 14dedf1a1..1c073063a 100644
--- a/src/macaron/slsa_analyzer/package_registry/__init__.py
+++ b/src/macaron/slsa_analyzer/package_registry/__init__.py
@@ -4,6 +4,7 @@
 """This module defines the package registries."""
 from macaron.slsa_analyzer.package_registry.jfrog_maven_registry import JFrogMavenRegistry
+from macaron.slsa_analyzer.package_registry.maven_central_registry import MavenCentralRegistry
 from macaron.slsa_analyzer.package_registry.package_registry import PackageRegistry
-PACKAGE_REGISTRIES: list[PackageRegistry] = [JFrogMavenRegistry()]
+PACKAGE_REGISTRIES: list[PackageRegistry] = [JFrogMavenRegistry(), MavenCentralRegistry()]
diff --git a/src/macaron/slsa_analyzer/package_registry/maven_central_registry.py b/src/macaron/slsa_analyzer/package_registry/maven_central_registry.py
new file mode 100644
index 000000000..cf550505a
--- /dev/null
+++ b/src/macaron/slsa_analyzer/package_registry/maven_central_registry.py
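Review bot: The docstrings of both new methods document the wrong endpoint and parameters: `https://api.github/com/...` should read `https://api.github.com/...` (three occurrences across `get_workflow_run_jobs` and the example of `get_workflow_run_for_date_time_range`), the latter's "URL form" says `?create=datetime-range` while the code sends `created`, and its example calls the method with `created=...` although the parameter is `datetime_range`. The `datetime_range` description should also name the expected format, since the caller in github_actions.py builds it as two ISO timestamps joined by `..`: `The datetime range to query, in the GitHub ``created`` filter syntax, e.g. ``2022-11-05T20:38:40..2022-11-05T20:38:58``.` `run_id` is typed `str`, but the only caller passes the integer `id` taken from the runs response, so `int | str` (or a `str(run_id)` at the call site) would match actual use. Both methods interpolate `full_name` and `run_id` directly into the request path, consistent with `get_workflow_runs` above; a comment noting that the values come from the analysed repository and a prior API response, not from user input, records why no escaping is applied.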
@@ -0,0 +1,181 @@
+# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""The module provides abstractions for the Maven Central package registry."""
+
+import logging
+from datetime import datetime, timezone
+from urllib.parse import SplitResult, urlunsplit
+
+import requests
+
+from macaron.config.defaults import defaults
+from macaron.errors import ConfigurationError, InvalidHTTPResponseError
+from macaron.slsa_analyzer.build_tool.base_build_tool import BaseBuildTool
+from macaron.slsa_analyzer.build_tool.gradle import Gradle
+from macaron.slsa_analyzer.build_tool.maven import Maven
+from macaron.slsa_analyzer.package_registry.package_registry import PackageRegistry
+from macaron.util import send_get_http_raw
+
+logger: logging.Logger = logging.getLogger(__name__)
+
+
+class MavenCentralRegistry(PackageRegistry):
+    """This class implements a Maven Central package registry."""
+
+    def __init__(
+        self,
+        hostname: str | None = None,
+        search_endpoint: str | None = None,
+        request_timeout: int | None = None,
+    ) -> None:
+        """
+        Initialize a Maven Central Registry instance.
+
+        Parameters
+        ----------
+        hostname : str
+            The hostname of the JFrog instance.
+        search_endpoint : str | None
+            The search REST API to find artifacts.
+        request_timeout : int | None
+            The timeout (in seconds) for requests made to the package registry.
+        """
+        self.hostname = hostname or ""
+        self.search_endpoint = search_endpoint or ""
+        self.request_timeout = request_timeout or 10
+        super().__init__("Maven Central Registry")
+
+    def load_defaults(self) -> None:
+        """Load the .ini configuration for the current package registry.
+
+        Raises
+        ------
+        ConfigurationError
+            If there is a schema violation in the ``maven_central`` section.
+        """
+        section_name = "package_registry.maven_central"
+        if not defaults.has_section(section_name):
+            return
+        section = defaults[section_name]
+
+        self.hostname = section.get("hostname")
+        if not self.hostname:
+            raise ConfigurationError(
+                f'The "hostname" key is missing in section [{section_name}] of the .ini configuration file.'
+            )
+
+        self.search_endpoint = section.get("search_endpoint")
+        if not self.search_endpoint:
+            raise ConfigurationError(
+                f'The "search_endpoint" key is missing in section [{section_name}] of the .ini configuration file.'
+            )
+
+        try:
+            self.request_timeout = section.getint("request_timeout", fallback=10)
+        except ValueError as error:
+            raise ConfigurationError(
+                f'The "request_timeout" value in section [{section_name}]'
+                f"of the .ini configuration file is invalid: {error}",
+            ) from error
+
+    def is_detected(self, build_tool: BaseBuildTool) -> bool:
+        """Detect if artifacts of the repo under analysis can possibly be published to this package registry.
+
+        The detection here is based on the repo's detected build tools.
+        If the package registry is compatible with the given build tools, it can be a
+        possible place where the artifacts produced from the repo are published.
+
+        ``MavenCentralRegistry`` is compatible with Maven and Gradle.
+
+        Parameters
+        ----------
+        build_tool : BaseBuildTool
+            A detected build tool of the repository under analysis.
+
+        Returns
+        -------
+        bool
+            ``True`` if the repo under analysis can be published to this package registry,
+            based on the given build tool.
+        """
+        compatible_build_tool_classes = [Maven, Gradle]
+        for build_tool_class in compatible_build_tool_classes:
+            if isinstance(build_tool, build_tool_class):
+                return True
+        return False
+
+    def find_publish_timestamp(self, group_id: str, artifact_id: str, version: str | None = None) -> datetime:
+        """Make a search request to Maven Central to find the publishing timestamp of an artifact.
+
+        If version is not provided, the timestamp of the latest version will be returned.
+
+        To see the search API syntax see: https://central.sonatype.org/search/rest-api-guide/
+
+        Parameters
+        ----------
+        group_id : str
+            The group id of the artifact.
+        artifact_id: str
+            The artifact id of the artifact.
+        version: str | None
+            The version of the artifact.
+
+        Returns
+        -------
+        datetime
+            The artifact publish timestamp as a timezone-aware datetime object.
+
+        Raises
+        ------
+        InvalidHTTPResponseError
+            If the HTTP response is invalid or unexpected.
+        """
+        query_params = [f"q=g:{group_id}", f"a:{artifact_id}"]
+        if version:
+            query_params.append(f"v:{version}")
+
+        try:
+            url = urlunsplit(
+                SplitResult(
+                    scheme="https",
+                    netloc=self.hostname,
+                    path=f"/{self.search_endpoint}",
+                    query="&".join(["+AND+".join(query_params), "core=gav", "rows=1", "wt=json"]),
+                    fragment="",
+                )
+            )
+        except ValueError as error:
+            raise InvalidHTTPResponseError("Failed to construct the search URL for Maven Central.") from error
+
+        response = send_get_http_raw(url, headers=None, timeout=self.request_timeout)
+        if response and response.status_code == 200:
+            try:
+                res_obj = response.json()
+            except requests.exceptions.JSONDecodeError as error:
+                raise InvalidHTTPResponseError(f"Failed to process response from Maven central for {url}.") from error
+            if not res_obj:
+                raise InvalidHTTPResponseError(f"Empty response returned by {url} .")
+            if not res_obj.get("response"):
+                raise InvalidHTTPResponseError(f"The response returned by {url} misses `response` attribute.")
+            if not res_obj.get("response").get("docs"):
+                logger.debug("Failed to find the artifact at Maven central: %s.", url)
+                raise InvalidHTTPResponseError(
+                    f"The response returned by {url} misses `response.docs` attribute or it is empty."
+                )
+
+            # We only consider the first ``docs`` element.
+            timestamp = res_obj.get("response").get("docs")[0].get("timestamp")
+            if not timestamp:
+                raise InvalidHTTPResponseError(f"The timestamp is missing in the response returned by {url}.")
+
+            logger.debug("Found timestamp: %s.", timestamp)
+
+            # The timestamp published in Maven Central is in milliseconds and needs to be divided by 1000.
+            # Unfortunately, this is not documented in the API docs.
+            try:
+                return datetime.fromtimestamp(timestamp / 1000, tz=timezone.utc)
+            except (OverflowError, OSError) as error:
+                raise InvalidHTTPResponseError(f"The timestamp returned by {url} is invalid") from error
+
+        raise InvalidHTTPResponseError(f"Invalid response from Maven central for {url}.")
diff --git a/src/macaron/slsa_analyzer/specs/inferred_provenance.py b/src/macaron/slsa_analyzer/specs/inferred_provenance.py
index 70baf5939..6d5bba573 100644
--- a/src/macaron/slsa_analyzer/specs/inferred_provenance.py
+++ b/src/macaron/slsa_analyzer/specs/inferred_provenance.py
@@ -8,7 +8,11 @@
 
 
 class Provenance:
-    """This class implements the inferred SLSA provenance."""
+    """This class implements the inferred SLSA provenance.
+
+    This inferred provenance implementation follows the SLSA v0.2 provenance schema.
+    See https://slsa.dev/spec/v0.2/provenance
+    """
 
     def __init__(self) -> None:
         """Initialize instance."""
@@ -24,7 +28,13 @@ def __init__(self) -> None:
                 "parameters": {},
                 "environment": {},
             },
-            "buildConfig": {},
+            "buildConfig": {
+                # This is an arbitrary JSON object with a schema defined by buildType.
+                # We set these fields for GitHubActionsWorkflow buildType.
+                # Note that some checks might consume these values.
+                "jobID": "",
+                "stepID": "",
+            },
             "metadata": {
                 "buildInvocationId": "",
                 "buildStartedOn": "",
diff --git a/src/macaron/util.py b/src/macaron/util.py
index 2db5a3d56..8058759bb 100644
--- a/src/macaron/util.py
+++ b/src/macaron/util.py
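Review bot: `find_publish_timestamp` interpolates `group_id`, `artifact_id` and `version` straight into the Solr query (`query_params = [f"q=g:{group_id}", f"a:{artifact_id}"]`), and `urlunsplit` does not percent-encode the `query` component, so a value containing `&`, `+`, `#` or whitespace alters the request sent to Maven Central instead of being searched for literally; encoding each value with `quote(value, safe="")` from `urllib.parse` (the module the file already imports `SplitResult` from) keeps the request well-formed, e.g. `query_params = [f"q=g:{quote(group_id, safe='')}", f"a:{quote(artifact_id, safe='')}"]`. The conversion `datetime.fromtimestamp(timestamp / 1000, tz=timezone.utc)` catches only `OverflowError` and `OSError`, so a non-numeric `timestamp` in the JSON escapes as a bare `TypeError` rather than the documented `InvalidHTTPResponseError`; `except (OverflowError, OSError, TypeError, ValueError) as error:` would preserve the contract the docstring states. Two smaller items: the `__init__` docstring says `The hostname of the JFrog instance` (it should describe the Maven Central host), and the implicit string concatenation in `load_defaults` produces `[section]of the .ini` because the first f-string has no trailing space.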
@@ -56,7 +56,7 @@ def send_get_http(url: str, headers: dict) -> dict:
     return dict(response.json())
 
 
-def send_get_http_raw(url: str, headers: dict) -> Response | None:
+def send_get_http_raw(url: str, headers: dict | None = None, timeout: int | None = None) -> Response | None:
     """Send the GET HTTP request with the given url and headers.
 
     This method also handle logging when the API server return error status code.
@@ -65,8 +65,10 @@ def send_get_http_raw(url: str, headers: dict) -> Response | None:
     ----------
     url : str
         The url of the request.
-    headers : dict
+    headers : dict | None
         The dict that describes the headers of the request.
+    timeout: int | None
+        The request timeout (optional).
 
     Returns
     -------
@@ -75,7 +77,7 @@ def send_get_http_raw(url: str, headers: dict) -> Response | None:
     """
     logger.debug("GET - %s", url)
     response = requests.get(
-        url=url, headers=headers, timeout=defaults.getint("requests", "timeout", fallback=10)
+        url=url, headers=headers, timeout=timeout or defaults.getint("requests", "timeout", fallback=10)
     )  # nosec B113:request_without_timeout
     while response.status_code != 200:
         logger.error(
diff --git a/tests/dependency_analyzer/cyclonedx/__snapshots__/test_cyclonedx.ambr b/tests/dependency_analyzer/cyclonedx/__snapshots__/test_cyclonedx.ambr
index eba0d360e..4f08850d9 100644
--- a/tests/dependency_analyzer/cyclonedx/__snapshots__/test_cyclonedx.ambr
+++ b/tests/dependency_analyzer/cyclonedx/__snapshots__/test_cyclonedx.ambr
@@ -6,6 +6,7 @@ 'group': 'ch.qos.logback.contrib', 'name': 'logback-json-classic', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/ch.qos.logback.contrib/logback-json-classic@0.1.5?type=jar', 'url': '', 'version': '0.1.5', }),
@@ -14,6 +15,7 @@ 'group': 'ch.qos.logback.contrib', 'name': 'logback-json-core', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/ch.qos.logback.contrib/logback-json-core@0.1.5?type=jar', 'url': '', 'version': '0.1.5', }),
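Review bot: In the third `util.py` hunk, `timeout=timeout or defaults.getint("requests", "timeout", fallback=10)` treats an explicit `timeout=0` the same as `None` and silently substitutes the configured default; if `None` is the only value that should mean "use the .ini setting", `timeout=timeout if timeout is not None else defaults.getint("requests", "timeout", fallback=10)` says so, and if `0` is deliberately rejected that deserves a comment on the line. The new docstring entry `timeout: int | None` / `The request timeout (optional).` could state the unit and the fallback, since that is what callers such as the new registry code need to know: `The request timeout in seconds; when None, the [requests] timeout value from the .ini configuration is used (default 10).` `send_get_http_raw`'s body continues past the hunk (the status-code loop after `logger.error(`).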
@@ -22,6 +24,7 @@ 'group': 'ch.qos.logback', 'name': 'logback-classic', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/ch.qos.logback/logback-classic@1.2.11?type=jar', 'url': '', 'version': '1.2.11', }), @@ -30,6 +33,7 @@ 'group': 'ch.qos.logback', 'name': 'logback-core', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/ch.qos.logback/logback-core@1.2.11?type=jar', 'url': '', 'version': '1.2.11', }), @@ -38,6 +42,7 @@ 'group': 'com.amazon.alexa', 'name': 'ask-sdk-core', 'note': 'https://github.com/amzn/alexa-skills-kit-java is already analyzed.', + 'purl': 'pkg:maven/com.amazon.alexa/ask-sdk-core@2.49.0?type=jar', 'url': 'https://github.com/amzn/alexa-skills-kit-java', 'version': '2.49.0', }), @@ -46,6 +51,7 @@ 'group': 'com.amazon.alexa', 'name': 'ask-sdk-lambda-support', 'note': '', + 'purl': 'pkg:maven/com.amazon.alexa/ask-sdk-lambda-support@2.49.0?type=jar', 'url': 'https://github.com/amzn/alexa-skills-kit-java', 'version': '2.49.0', }), @@ -54,6 +60,7 @@ 'group': 'com.amazon.alexa', 'name': 'ask-sdk-model', 'note': 'https://github.com/amzn/alexa-skills-kit-java is already analyzed.', + 'purl': 'pkg:maven/com.amazon.alexa/ask-sdk-model@1.43.0?type=jar', 'url': 'https://github.com/amzn/alexa-skills-kit-java', 'version': '1.43.0', }), @@ -62,6 +69,7 @@ 'group': 'com.amazon.alexa', 'name': 'ask-sdk-model-runtime', 'note': 'https://github.com/amzn/alexa-skills-kit-java is already analyzed.', + 'purl': 'pkg:maven/com.amazon.alexa/ask-sdk-model-runtime@1.0.5?type=jar', 'url': 'https://github.com/amzn/alexa-skills-kit-java', 'version': '1.0.5', }), @@ -70,6 +78,7 @@ 'group': 'com.amazon.alexa', 'name': 'ask-sdk-runtime', 'note': 'https://github.com/amzn/alexa-skills-kit-java is already analyzed.', + 'purl': 'pkg:maven/com.amazon.alexa/ask-sdk-runtime@2.49.0?type=jar', 'url': 'https://github.com/amzn/alexa-skills-kit-java', 'version': '2.49.0', }), 
@@ -78,6 +87,7 @@ 'group': 'com.amazonaws.serverless', 'name': 'aws-serverless-java-container-core', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/com.amazonaws.serverless/aws-serverless-java-container-core@1.9.1?type=jar', 'url': '', 'version': '1.9.1', }), @@ -86,6 +96,7 @@ 'group': 'com.amazonaws', 'name': 'aws-java-sdk-core', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/com.amazonaws/aws-java-sdk-core@1.12.382?type=jar', 'url': '', 'version': '1.12.382', }), @@ -94,6 +105,7 @@ 'group': 'com.amazonaws', 'name': 'aws-java-sdk-lambda', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/com.amazonaws/aws-java-sdk-lambda@1.12.382?type=jar', 'url': '', 'version': '1.12.382', }), @@ -102,6 +114,7 @@ 'group': 'com.amazonaws', 'name': 'aws-lambda-java-core', 'note': '', + 'purl': 'pkg:maven/com.amazonaws/aws-lambda-java-core@1.2.2?type=jar', 'url': 'https://github.com/aws/aws-lambda-java-libs', 'version': '1.2.2', }), @@ -110,6 +123,7 @@ 'group': 'com.amazonaws', 'name': 'aws-lambda-java-events', 'note': 'https://github.com/aws/aws-lambda-java-libs is already analyzed.', + 'purl': 'pkg:maven/com.amazonaws/aws-lambda-java-events@3.11.0?type=jar', 'url': 'https://github.com/aws/aws-lambda-java-libs', 'version': '3.11.0', }), @@ -118,6 +132,7 @@ 'group': 'com.amazonaws', 'name': 'jmespath-java', 'note': '', + 'purl': 'pkg:maven/com.amazonaws/jmespath-java@1.12.382?type=jar', 'url': 'https://github.com/aws/aws-sdk-java', 'version': '1.12.382', }), @@ -126,6 +141,7 @@ 'group': 'com.fasterxml.jackson.core', 'name': 'jackson-annotations', 'note': '', + 'purl': 'pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.1?type=jar', 'url': 'https://github.com/FasterXML/jackson-annotations', 'version': '2.14.1', }), 
@@ -134,6 +150,7 @@ 'group': 'com.fasterxml.jackson.core', 'name': 'jackson-core', 'note': '', + 'purl': 'pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.1?type=jar', 'url': 'https://github.com/FasterXML/jackson-core', 'version': '2.14.1', }), @@ -142,6 +159,7 @@ 'group': 'com.fasterxml.jackson.core', 'name': 'jackson-databind', 'note': '', + 'purl': 'pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.1?type=jar', 'url': 'https://github.com/FasterXML/jackson-databind', 'version': '2.14.1', }), @@ -150,6 +168,7 @@ 'group': 'com.fasterxml.jackson.dataformat', 'name': 'jackson-dataformat-cbor', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-cbor@2.14.1?type=jar', 'url': '', 'version': '2.14.1', }), @@ -158,6 +177,7 @@ 'group': 'com.fasterxml.jackson.datatype', 'name': 'jackson-datatype-jdk8', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.14.1?type=jar', 'url': '', 'version': '2.14.1', }), @@ -166,6 +186,7 @@ 'group': 'com.fasterxml.jackson.datatype', 'name': 'jackson-datatype-jsr310', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.14.1?type=jar', 'url': '', 'version': '2.14.1', }), @@ -174,6 +195,7 @@ 'group': 'com.fizzed', 'name': 'rocker-runtime', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/com.fizzed/rocker-runtime@1.3.0?type=jar', 'url': '', 'version': '1.3.0', }), @@ -182,6 +204,7 @@ 'group': 'com.googlecode.javaewah', 'name': 'JavaEWAH', 'note': '', + 'purl': 'pkg:maven/com.googlecode.javaewah/JavaEWAH@1.1.7?type=jar', 'url': 'https://github.com/lemire/javaewah', 'version': '1.1.7', }), 
@@ -190,6 +213,7 @@ 'group': 'com.typesafe', 'name': 'config', 'note': '', + 'purl': 'pkg:maven/com.typesafe/config@1.4.1?type=jar', 'url': 'https://github.com/lightbend/config', 'version': '1.4.1', }), @@ -198,6 +222,7 @@ 'group': 'commons-codec', 'name': 'commons-codec', 'note': '', + 'purl': 'pkg:maven/commons-codec/commons-codec@1.15?type=jar', 'url': 'https://github.com/apache/commons-codec', 'version': '1.15', }), @@ -206,6 +231,7 @@ 'group': 'commons-fileupload', 'name': 'commons-fileupload', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/commons-fileupload/commons-fileupload@1.4?type=jar', 'url': '', 'version': '1.4', }), @@ -214,6 +240,7 @@ 'group': 'commons-io', 'name': 'commons-io', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/commons-io/commons-io@2.11.0?type=jar', 'url': '', 'version': '2.11.0', }), @@ -222,6 +249,7 @@ 'group': 'commons-logging', 'name': 'commons-logging', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/commons-logging/commons-logging@1.2?type=jar', 'url': '', 'version': '1.2', }), @@ -230,6 +258,7 @@ 'group': 'io.github.java-diff-utils', 'name': 'java-diff-utils', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.github.java-diff-utils/java-diff-utils@4.10?type=jar', 'url': '', 'version': '4.10', }), @@ -238,6 +267,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-alexa', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-alexa@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -246,6 +276,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-alexa-httpserver', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-alexa-httpserver@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), 
@@ -254,6 +285,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-bom', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-bom@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -262,6 +294,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-cdk', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-cdk@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -270,6 +303,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-cloudwatch-logging', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-cloudwatch-logging@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -278,6 +312,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-common', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-common@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -286,6 +321,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-distributed-configuration', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-distributed-configuration@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -294,6 +330,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-parameter-store', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-parameter-store@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -302,6 +339,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-sdk-v1', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-sdk-v1@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), 
@@ -310,6 +348,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-sdk-v2', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-sdk-v2@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -318,6 +357,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-secretsmanager', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-secretsmanager@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -326,6 +366,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-service-discovery', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-service-discovery@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -334,6 +375,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-ua', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-ua@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -342,6 +384,7 @@ 'group': 'io.micronaut.aws', 'name': 'function-aws', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/function-aws@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -350,6 +393,7 @@ 'group': 'io.micronaut.aws', 'name': 'function-aws-alexa', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/function-aws-alexa@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -358,6 +402,7 @@ 'group': 'io.micronaut.aws', 'name': 'function-aws-api-proxy-test', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/function-aws-api-proxy-test@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), 
@@ -366,6 +411,7 @@ 'group': 'io.micronaut.aws', 'name': 'function-aws-custom-runtime', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/function-aws-custom-runtime@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -374,6 +420,7 @@ 'group': 'io.micronaut.aws', 'name': 'function-aws-test', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/function-aws-test@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -382,6 +429,7 @@ 'group': 'io.micronaut.aws', 'name': 'function-client-aws', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/function-client-aws@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -390,6 +438,7 @@ 'group': 'io.micronaut.aws', 'name': 'test-suite', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/test-suite@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -398,6 +447,7 @@ 'group': 'io.micronaut.aws', 'name': 'test-suite-aws-sdk-v2', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/test-suite-aws-sdk-v2@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -406,6 +456,7 @@ 'group': 'io.micronaut.aws', 'name': 'test-suite-groovy', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/test-suite-groovy@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -414,6 +465,7 @@ 'group': 'io.micronaut.aws', 'name': 'test-suite-http-server-tck-function-aws-api-proxy', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/test-suite-http-server-tck-function-aws-api-proxy@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), 
@@ -422,6 +474,7 @@ 'group': 'io.micronaut.aws', 'name': 'test-suite-kotlin', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/test-suite-kotlin@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -430,6 +483,7 @@ 'group': 'io.micronaut.discovery', 'name': 'micronaut-discovery-client', 'note': '', + 'purl': 'pkg:maven/io.micronaut.discovery/micronaut-discovery-client@3.2.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-discovery-client', 'version': '3.2.0', }), @@ -438,6 +492,7 @@ 'group': 'io.micronaut.serde', 'name': 'micronaut-serde-api', 'note': '', + 'purl': 'pkg:maven/io.micronaut.serde/micronaut-serde-api@1.5.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-serialization', 'version': '1.5.0', }), @@ -446,6 +501,7 @@ 'group': 'io.micronaut.serde', 'name': 'micronaut-serde-jackson', 'note': 'https://github.com/micronaut-projects/micronaut-serialization is already analyzed.', + 'purl': 'pkg:maven/io.micronaut.serde/micronaut-serde-jackson@1.5.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-serialization', 'version': '1.5.0', }), @@ -454,6 +510,7 @@ 'group': 'io.micronaut.serde', 'name': 'micronaut-serde-support', 'note': 'https://github.com/micronaut-projects/micronaut-serialization is already analyzed.', + 'purl': 'pkg:maven/io.micronaut.serde/micronaut-serde-support@1.5.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-serialization', 'version': '1.5.0', }), @@ -462,6 +519,7 @@ 'group': 'io.micronaut.starter', 'name': 'micronaut-starter-api', 'note': '', + 'purl': 'pkg:maven/io.micronaut.starter/micronaut-starter-api@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-starter', 'version': '3.8.0', }), 
@@ -470,6 +528,7 @@ 'group': 'io.micronaut.starter', 'name': 'micronaut-starter-core', 'note': 'https://github.com/micronaut-projects/micronaut-starter is already analyzed.', + 'purl': 'pkg:maven/io.micronaut.starter/micronaut-starter-core@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-starter', 'version': '3.8.0', }), @@ -478,6 +537,7 @@ 'group': 'io.micronaut.test', 'name': 'micronaut-test-core', 'note': 'https://github.com/micronaut-projects/micronaut-test is already analyzed.', + 'purl': 'pkg:maven/io.micronaut.test/micronaut-test-core@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-test', 'version': '3.8.0', }), @@ -486,6 +546,7 @@ 'group': 'io.micronaut.test', 'name': 'micronaut-test-junit5', 'note': '', + 'purl': 'pkg:maven/io.micronaut.test/micronaut-test-junit5@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-test', 'version': '3.8.0', }), @@ -494,6 +555,7 @@ 'group': 'io.micronaut.testresources', 'name': 'micronaut-test-resources-build-tools', 'note': '', + 'purl': 'pkg:maven/io.micronaut.testresources/micronaut-test-resources-build-tools@1.2.3?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-test-resources', 'version': '1.2.3', }), @@ -502,6 +564,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-aop', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-aop@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -510,6 +573,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-buffer-netty', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-buffer-netty@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), 
@@ -518,6 +582,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-context', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-context@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -526,6 +591,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-core', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-core@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -534,6 +600,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-core-reactive', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-core-reactive@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -542,6 +609,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-function', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-function@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -550,6 +618,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-function-client', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-function-client@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -558,6 +627,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-http', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-http@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), 
@@ -566,6 +636,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-http-client', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-http-client@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -574,6 +645,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-http-client-core', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-http-client-core@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -582,6 +654,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-http-netty', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-http-netty@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -590,6 +663,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-http-server', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-http-server@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -598,6 +672,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-inject', 'note': '', + 'purl': 'pkg:maven/io.micronaut/micronaut-inject@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -606,6 +681,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-jackson-core', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-jackson-core@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), 
@@ -614,6 +690,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-jackson-databind', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-jackson-databind@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -622,6 +699,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-json-core', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-json-core@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -630,6 +708,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-router', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-router@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -638,6 +717,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-runtime', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-runtime@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -646,6 +726,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-validation', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-validation@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -654,6 +735,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-websocket', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-websocket@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), 
@@ -662,6 +744,7 @@ 'group': 'io.netty', 'name': 'netty-buffer', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-buffer@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -670,6 +753,7 @@ 'group': 'io.netty', 'name': 'netty-codec', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-codec@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -678,6 +762,7 @@ 'group': 'io.netty', 'name': 'netty-codec-http', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-codec-http@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -686,6 +771,7 @@ 'group': 'io.netty', 'name': 'netty-codec-http2', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-codec-http2@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -694,6 +780,7 @@ 'group': 'io.netty', 'name': 'netty-codec-socks', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-codec-socks@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -702,6 +789,7 @@ 'group': 'io.netty', 'name': 'netty-common', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-common@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -710,6 +798,7 @@ 'group': 'io.netty', 'name': 'netty-handler', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-handler@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -718,6 +807,7 @@ 'group': 'io.netty', 'name': 'netty-handler-proxy', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-handler-proxy@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), 
@@ -726,6 +816,7 @@ 'group': 'io.netty', 'name': 'netty-resolver', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-resolver@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -734,6 +825,7 @@ 'group': 'io.netty', 'name': 'netty-transport', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-transport@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -742,6 +834,7 @@ 'group': 'io.netty', 'name': 'netty-transport-classes-epoll', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-transport-classes-epoll@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -750,6 +843,7 @@ 'group': 'io.netty', 'name': 'netty-transport-native-unix-common', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-transport-native-unix-common@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -758,6 +852,7 @@ 'group': 'io.projectreactor', 'name': 'reactor-core', 'note': '', + 'purl': 'pkg:maven/io.projectreactor/reactor-core@3.5.0?type=jar', 'url': 'https://github.com/reactor/reactor-core', 'version': '3.5.0', }), @@ -766,6 +861,7 @@ 'group': 'io.swagger.core.v3', 'name': 'swagger-annotations', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.swagger.core.v3/swagger-annotations@2.2.7?type=jar', 'url': '', 'version': '2.2.7', }), @@ -774,6 +870,7 @@ 'group': 'jakarta.annotation', 'name': 'jakarta.annotation-api', 'note': '', + 'purl': 'pkg:maven/jakarta.annotation/jakarta.annotation-api@2.1.1?type=jar', 'url': 'https://github.com/eclipse-ee4j/common-annotations-api', 'version': '2.1.1', }), 
@@ -782,6 +879,7 @@ 'group': 'jakarta.inject', 'name': 'jakarta.inject-api', 'note': '', + 'purl': 'pkg:maven/jakarta.inject/jakarta.inject-api@2.0.1?type=jar', 'url': 'https://github.com/eclipse-ee4j/injection-api', 'version': '2.0.1', }), @@ -790,6 +888,7 @@ 'group': 'javax.annotation', 'name': 'javax.annotation-api', 'note': '', + 'purl': 'pkg:maven/javax.annotation/javax.annotation-api@1.3.2?type=jar', 'url': 'https://github.com/javaee/javax.annotation', 'version': '1.3.2', }), @@ -798,6 +897,7 @@ 'group': 'javax.inject', 'name': 'javax.inject', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/javax.inject/javax.inject@1?type=jar', 'url': '', 'version': '1', }), @@ -806,6 +906,7 @@ 'group': 'javax.servlet', 'name': 'javax.servlet-api', 'note': '', + 'purl': 'pkg:maven/javax.servlet/javax.servlet-api@4.0.1?type=jar', 'url': 'https://github.com/javaee/servlet-spec', 'version': '4.0.1', }), @@ -814,6 +915,7 @@ 'group': 'javax.validation', 'name': 'validation-api', 'note': '', + 'purl': 'pkg:maven/javax.validation/validation-api@2.0.1.Final?type=jar', 'url': 'https://github.com/beanvalidation/beanvalidation-api', 'version': '2.0.1.Final', }), @@ -822,6 +924,7 @@ 'group': 'joda-time', 'name': 'joda-time', 'note': '', + 'purl': 'pkg:maven/joda-time/joda-time@2.8.1?type=jar', 'url': 'https://github.com/JodaOrg/joda-time', 'version': '2.8.1', }), @@ -830,6 +933,7 @@ 'group': 'org.apache.commons', 'name': 'commons-compress', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.apache.commons/commons-compress@1.21?type=jar', 'url': '', 'version': '1.21', }), @@ -838,6 +942,7 @@ 'group': 'org.apache.httpcomponents', 'name': 'httpclient', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.apache.httpcomponents/httpclient@4.5.13?type=jar', 'url': '', 'version': '4.5.13', }), 
@@ -846,6 +951,7 @@ 'group': 'org.apache.httpcomponents', 'name': 'httpcore', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.apache.httpcomponents/httpcore@4.4.13?type=jar', 'url': '', 'version': '4.4.13', }), @@ -854,6 +960,7 @@ 'group': 'org.apache.httpcomponents', 'name': 'httpmime', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.apache.httpcomponents/httpmime@4.5.13?type=jar', 'url': '', 'version': '4.5.13', }), @@ -862,6 +969,7 @@ 'group': 'org.apache.logging.log4j', 'name': 'log4j-api', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.apache.logging.log4j/log4j-api@2.19.0?type=jar', 'url': '', 'version': '2.19.0', }), @@ -870,6 +978,7 @@ 'group': 'org.apache.logging.log4j', 'name': 'log4j-core', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.apache.logging.log4j/log4j-core@2.19.0?type=jar', 'url': '', 'version': '2.19.0', }), @@ -878,6 +987,7 @@ 'group': 'org.apache.logging.log4j', 'name': 'log4j-slf4j-impl', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.apache.logging.log4j/log4j-slf4j-impl@2.19.0?type=jar', 'url': '', 'version': '2.19.0', }), @@ -886,6 +996,7 @@ 'group': 'org.eclipse.jetty', 'name': 'jetty-http', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.eclipse.jetty/jetty-http@9.4.50.v20221201?type=jar', 'url': '', 'version': '9.4.50.v20221201', }), @@ -894,6 +1005,7 @@ 'group': 'org.eclipse.jetty', 'name': 'jetty-io', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.eclipse.jetty/jetty-io@9.4.50.v20221201?type=jar', 'url': '', 'version': '9.4.50.v20221201', }), 
@@ -902,6 +1014,7 @@ 'group': 'org.eclipse.jetty', 'name': 'jetty-server', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.eclipse.jetty/jetty-server@9.4.50.v20221201?type=jar', 'url': '', 'version': '9.4.50.v20221201', }), @@ -910,6 +1023,7 @@ 'group': 'org.eclipse.jetty', 'name': 'jetty-util', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.eclipse.jetty/jetty-util@9.4.50.v20221201?type=jar', 'url': '', 'version': '9.4.50.v20221201', }), @@ -918,6 +1032,7 @@ 'group': 'org.eclipse.jgit', 'name': 'org.eclipse.jgit', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.eclipse.jgit/org.eclipse.jgit@5.11.1.202105131744-r?type=jar', 'url': '', 'version': '5.11.1.202105131744-r', }), @@ -926,6 +1041,7 @@ 'group': 'org.jetbrains.kotlin', 'name': 'kotlin-stdlib', 'note': 'https://github.com/JetBrains/kotlin is already analyzed.', + 'purl': 'pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.7.21?type=jar', 'url': 'https://github.com/JetBrains/kotlin', 'version': '1.7.21', }), @@ -934,6 +1050,7 @@ 'group': 'org.jetbrains.kotlin', 'name': 'kotlin-stdlib-common', 'note': 'https://github.com/JetBrains/kotlin is already analyzed.', + 'purl': 'pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.7.21?type=jar', 'url': 'https://github.com/JetBrains/kotlin', 'version': '1.7.21', }), @@ -942,6 +1059,7 @@ 'group': 'org.jetbrains.kotlin', 'name': 'kotlin-stdlib-jdk7', 'note': '', + 'purl': 'pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.7.21?type=jar', 'url': 'https://github.com/JetBrains/kotlin', 'version': '1.7.21', }), @@ -950,6 +1068,7 @@ 'group': 'org.jetbrains.kotlin', 'name': 'kotlin-stdlib-jdk8', 'note': 'https://github.com/JetBrains/kotlin is already analyzed.', + 'purl': 'pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.7.21?type=jar', 'url': 'https://github.com/JetBrains/kotlin', 'version': '1.7.21', }), 
@@ -958,6 +1077,7 @@ 'group': 'org.jetbrains', 'name': 'annotations', 'note': '', + 'purl': 'pkg:maven/org.jetbrains/annotations@19.0.0?type=jar', 'url': 'https://github.com/JetBrains/java-annotations', 'version': '19.0.0', }), @@ -966,6 +1086,7 @@ 'group': 'org.junit.jupiter', 'name': 'junit-jupiter-api', 'note': '', + 'purl': 'pkg:maven/org.junit.jupiter/junit-jupiter-api@5.9.1?type=jar', 'url': 'https://github.com/junit-team/junit5', 'version': '5.9.1', }), @@ -974,6 +1095,7 @@ 'group': 'org.junit.platform', 'name': 'junit-platform-commons', 'note': 'https://github.com/junit-team/junit5 is already analyzed.', + 'purl': 'pkg:maven/org.junit.platform/junit-platform-commons@1.9.1?type=jar', 'url': 'https://github.com/junit-team/junit5', 'version': '1.9.1', }), @@ -982,6 +1104,7 @@ 'group': 'org.opentest4j', 'name': 'opentest4j', 'note': '', + 'purl': 'pkg:maven/org.opentest4j/opentest4j@1.2.0?type=jar', 'url': 'https://github.com/ota4j-team/opentest4j', 'version': '1.2.0', }), @@ -990,6 +1113,7 @@ 'group': 'org.reactivestreams', 'name': 'reactive-streams', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.reactivestreams/reactive-streams@1.0.4?type=jar', 'url': '', 'version': '1.0.4', }), @@ -998,6 +1122,7 @@ 'group': 'org.slf4j', 'name': 'jcl-over-slf4j', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.slf4j/jcl-over-slf4j@1.7.36?type=jar', 'url': '', 'version': '1.7.36', }), @@ -1006,6 +1131,7 @@ 'group': 'org.slf4j', 'name': 'slf4j-api', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.slf4j/slf4j-api@1.7.36?type=jar', 'url': '', 'version': '1.7.36', }), @@ -1014,6 +1140,7 @@ 'group': 'org.yaml', 'name': 'snakeyaml', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.yaml/snakeyaml@1.33?type=jar', 'url': '', 'version': '1.33', }), 
@@ -1022,6 +1149,7 @@ 'group': 'software.amazon.awscdk', 'name': 'aws-cdk-lib', 'note': '', + 'purl': 'pkg:maven/software.amazon.awscdk/aws-cdk-lib@2.59.0?type=jar', 'url': 'https://github.com/aws/aws-cdk', 'version': '2.59.0', }), @@ -1030,6 +1158,7 @@ 'group': 'software.amazon.awscdk', 'name': 'cdk-asset-awscli-v1', 'note': '', + 'purl': 'pkg:maven/software.amazon.awscdk/cdk-asset-awscli-v1@2.2.52?type=jar', 'url': 'https://github.com/cdklabs/awscdk-asset-awscli', 'version': '2.2.52', }), @@ -1038,6 +1167,7 @@ 'group': 'software.amazon.awscdk', 'name': 'cdk-asset-kubectl-v20', 'note': '', + 'purl': 'pkg:maven/software.amazon.awscdk/cdk-asset-kubectl-v20@2.1.1?type=jar', 'url': 'https://github.com/cdklabs/awscdk-asset-kubectl', 'version': '2.1.1', }), @@ -1046,6 +1176,7 @@ 'group': 'software.amazon.awscdk', 'name': 'cdk-asset-node-proxy-agent-v5', 'note': '', + 'purl': 'pkg:maven/software.amazon.awscdk/cdk-asset-node-proxy-agent-v5@2.0.42?type=jar', 'url': 'https://github.com/cdklabs/awscdk-asset-node-proxy-agent', 'version': '2.0.42', }), @@ -1054,6 +1185,7 @@ 'group': 'software.amazon.awssdk', 'name': 'annotations', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/annotations@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1062,6 +1194,7 @@ 'group': 'software.amazon.awssdk', 'name': 'apache-client', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/apache-client@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1070,6 +1203,7 @@ 'group': 'software.amazon.awssdk', 'name': 'auth', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/auth@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), 
@@ -1078,6 +1212,7 @@ 'group': 'software.amazon.awssdk', 'name': 'aws-core', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/aws-core@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1086,6 +1221,7 @@ 'group': 'software.amazon.awssdk', 'name': 'aws-json-protocol', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/aws-json-protocol@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1094,6 +1230,7 @@ 'group': 'software.amazon.awssdk', 'name': 'cloudwatchlogs', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/cloudwatchlogs@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1102,6 +1239,7 @@ 'group': 'software.amazon.awssdk', 'name': 'endpoints-spi', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/endpoints-spi@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1110,6 +1248,7 @@ 'group': 'software.amazon.awssdk', 'name': 'http-client-spi', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/http-client-spi@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1118,6 +1257,7 @@ 'group': 'software.amazon.awssdk', 'name': 'json-utils', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/json-utils@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1126,6 +1266,7 @@ 'group': 'software.amazon.awssdk', 'name': 'metrics-spi', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/metrics-spi@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), 
@@ -1134,6 +1275,7 @@ 'group': 'software.amazon.awssdk', 'name': 'netty-nio-client', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/netty-nio-client@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1142,6 +1284,7 @@ 'group': 'software.amazon.awssdk', 'name': 'profiles', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/profiles@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1150,6 +1293,7 @@ 'group': 'software.amazon.awssdk', 'name': 'protocol-core', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/protocol-core@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1158,6 +1302,7 @@ 'group': 'software.amazon.awssdk', 'name': 'regions', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/regions@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1166,6 +1311,7 @@ 'group': 'software.amazon.awssdk', 'name': 'sdk-core', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/sdk-core@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1174,6 +1320,7 @@ 'group': 'software.amazon.awssdk', 'name': 'secretsmanager', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/secretsmanager@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1182,6 +1329,7 @@ 'group': 'software.amazon.awssdk', 'name': 'servicediscovery', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/servicediscovery@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), 
@@ -1190,6 +1338,7 @@ 'group': 'software.amazon.awssdk', 'name': 'ssm', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/ssm@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1198,6 +1347,7 @@ 'group': 'software.amazon.awssdk', 'name': 'third-party-jackson-core', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/third-party-jackson-core@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1206,6 +1356,7 @@ 'group': 'software.amazon.awssdk', 'name': 'utils', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/utils@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1214,6 +1365,7 @@ 'group': 'software.amazon.eventstream', 'name': 'eventstream', 'note': '', + 'purl': 'pkg:maven/software.amazon.eventstream/eventstream@1.0.1?type=jar', 'url': 'https://github.com/awslabs/aws-eventstream-java', 'version': '1.0.1', }), @@ -1222,6 +1374,7 @@ 'group': 'software.amazon.ion', 'name': 'ion-java', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.ion/ion-java@1.0.2?type=jar', 'url': '', 'version': '1.0.2', }), @@ -1230,6 +1383,7 @@ 'group': 'software.amazon.jsii', 'name': 'jsii-runtime', 'note': '', + 'purl': 'pkg:maven/software.amazon.jsii/jsii-runtime@1.73.0?type=jar', 'url': 'https://github.com/aws/jsii', 'version': '1.73.0', }), @@ -1238,6 +1392,7 @@ 'group': 'software.constructs', 'name': 'constructs', 'note': '', + 'purl': 'pkg:maven/software.constructs/constructs@10.1.232?type=jar', 'url': 'https://github.com/aws/constructs', 'version': '10.1.232', }), @@ -12225,6 +12380,7 @@ 'group': '', 'name': 'joda-time', 'note': '', + 'purl': 'pkg:maven/joda-time/joda-time@2.6?type=jar', 'url': 'https://github.com/JodaOrg/joda-time', 'version': '2.6', }), 
@@ -12237,6 +12393,7 @@ 'group': 'joda-time', 'name': 'joda-time', 'note': '', + 'purl': 'pkg:maven/joda-time/joda-time@2.6?type=jar', 'url': 'https://github.com/JodaOrg/joda-time', 'version': '', }), @@ -12249,6 +12406,7 @@ 'group': 'joda-time', 'name': 'joda-time', 'note': '', + 'purl': 'pkg:maven/joda-time/joda-time@2.6?type=jar', 'url': 'https://github.com/JodaOrg/joda-time', 'version': '2.7', }), diff --git a/tests/dependency_analyzer/expected_results/apache_maven_with_sbom_provided.json b/tests/dependency_analyzer/expected_results/apache_maven_with_sbom_provided.json index 493861603..15a974507 100644 --- a/tests/dependency_analyzer/expected_results/apache_maven_with_sbom_provided.json +++ b/tests/dependency_analyzer/expected_results/apache_maven_with_sbom_provided.json @@ -1,7 +1,7 @@ [ { "id": "org.junit.jupiter:junit-jupiter-engine", - "purl": "", + "purl": "pkg:maven/org.junit.jupiter/junit-jupiter-engine@5.8.1?type=jar", "path": "https://github.com/junit-team/junit5", "branch": "", "digest": "", @@ -10,7 +10,7 @@ }, { "id": "org.hamcrest:hamcrest-core", - "purl": "", + "purl": "pkg:maven/org.hamcrest/hamcrest-core@2.2?type=jar", "path": "https://github.com/hamcrest/JavaHamcrest", "branch": "", "digest": "", @@ -19,7 +19,7 @@ }, { "id": "org.apache.maven:maven-model", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-model@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -28,7 +28,7 @@ }, { "id": "org.apache.maven:maven-artifact", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-artifact@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -37,7 +37,7 @@ }, { "id": "org.apache.maven:maven-plugin-api", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-plugin-api@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", 
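Review bot: The three joda-time rows at the tail of this snapshot (hunks at -12225, -12237 and -12249) all gain the same `'purl': 'pkg:maven/joda-time/joda-time@2.6?type=jar'` while their `version` fields read `'2.6'`, `''` and `'2.7'`, and the first row has `'group': ''` although the purl carries `joda-time` as its namespace. If these rows deliberately exercise SBOM components whose declared coordinates disagree with their purl, the test that produces them should say so in a one-line comment, e.g. `# purl is taken as authoritative when group/version are missing or conflict`; otherwise the expected purl appears to be built from a different field than the `version` column and should be checked before the snapshot is accepted. A purl is what downstream steps use to locate and verify the artifact, so a version that disagrees with the resolved one would point checks at the wrong package; the remaining hunks in this file are consistent in that respect.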
@@ -46,7 +46,7 @@ }, { "id": "org.apache.maven:maven-builder-support", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-builder-support@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -55,7 +55,7 @@ }, { "id": "org.apache.maven:maven-model-transform", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-model-transform@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -64,7 +64,7 @@ }, { "id": "org.apache.maven:maven-model-builder", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-model-builder@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -73,7 +73,7 @@ }, { "id": "org.apache.maven:maven-settings", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-settings@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -82,7 +82,7 @@ }, { "id": "org.apache.maven:maven-settings-builder", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-settings-builder@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -91,7 +91,7 @@ }, { "id": "org.apache.maven:maven-toolchain-model", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-toolchain-model@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -100,7 +100,7 @@ }, { "id": "org.apache.maven:maven-toolchain-builder", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-toolchain-builder@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -109,7 +109,7 @@ }, { "id": "org.apache.maven:maven-repository-metadata", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-repository-metadata@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -118,7 +118,7 @@ }, { "id": "org.apache.maven:maven-resolver-provider", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-resolver-provider@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", 
@@ -127,7 +127,7 @@ }, { "id": "org.apache.maven:maven-core", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-core@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -136,7 +136,7 @@ }, { "id": "org.apache.maven:maven-slf4j-wrapper", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-slf4j-wrapper@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -145,7 +145,7 @@ }, { "id": "org.apache.maven:maven-slf4j-provider", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-slf4j-provider@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -154,7 +154,7 @@ }, { "id": "org.apache.maven:maven-embedder", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-embedder@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -163,7 +163,7 @@ }, { "id": "org.apache.maven:maven-compat", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-compat@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -172,7 +172,7 @@ }, { "id": "org.apache.maven:apache-maven", - "purl": "", + "purl": "pkg:maven/org.apache.maven/apache-maven@4.0.0-alpha-1-SNAPSHOT?type=pom", "path": "", "branch": "", "digest": "", diff --git a/tests/dependency_analyzer/expected_results/cyclonedx_apache_maven.json b/tests/dependency_analyzer/expected_results/cyclonedx_apache_maven.json index 5023681ee..6e228010d 100644 --- a/tests/dependency_analyzer/expected_results/cyclonedx_apache_maven.json +++ b/tests/dependency_analyzer/expected_results/cyclonedx_apache_maven.json @@ -1,7 +1,7 @@ [ { "id": "org.junit.jupiter:junit-jupiter-engine", - "purl": "", + "purl": "pkg:maven/org.junit.jupiter/junit-jupiter-engine@5.8.1?type=jar", "path": "https://github.com/junit-team/junit5", "branch": "", "digest": "", 
@@ -10,7 +10,7 @@ }, { "id": "org.hamcrest:hamcrest-core", - "purl": "", + "purl": "pkg:maven/org.hamcrest/hamcrest-core@2.2?type=jar", "path": "https://github.com/hamcrest/JavaHamcrest", "branch": "", "digest": "", @@ -19,7 +19,7 @@ }, { "id": "org.eclipse.sisu:org.eclipse.sisu.plexus", - "purl": "", + "purl": "pkg:maven/org.eclipse.sisu/org.eclipse.sisu.plexus@0.3.5?type=jar", "path": "", "branch": "", "digest": "", @@ -28,7 +28,7 @@ }, { "id": "org.codehaus.plexus:plexus-utils", - "purl": "", + "purl": "pkg:maven/org.codehaus.plexus/plexus-utils@3.3.0?type=jar", "path": "https://github.com/codehaus-plexus/plexus-utils", "branch": "", "digest": "", @@ -37,7 +37,7 @@ }, { "id": "org.codehaus.plexus:plexus-classworlds", - "purl": "", + "purl": "pkg:maven/org.codehaus.plexus/plexus-classworlds@2.6.0?type=jar", "path": "https://github.com/codehaus-plexus/plexus-classworlds", "branch": "", "digest": "", @@ -46,7 +46,7 @@ }, { "id": "org.slf4j:slf4j-api", - "purl": "", + "purl": "pkg:maven/org.slf4j/slf4j-api@1.7.32?type=jar", "path": "https://github.com/qos-ch/slf4j", "branch": "", "digest": "", @@ -55,7 +55,7 @@ }, { "id": "org.apache.maven.shared:maven-shared-utils", - "purl": "", + "purl": "pkg:maven/org.apache.maven.shared/maven-shared-utils@3.3.4?type=jar", "path": "https://github.com/apache/maven-shared-utils", "branch": "", "digest": "", @@ -64,7 +64,7 @@ }, { "id": "org.apache.maven.resolver:maven-resolver-api", - "purl": "", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-api@1.8.0?type=jar", "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", 
@@ -73,16 +73,16 @@ }, { "id": "org.apache.maven.resolver:maven-resolver-util", - "purl": "", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-util@1.8.0?type=jar", "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-resolver is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "com.google.inject:guice", - "purl": "", + "purl": "pkg:maven/com.google.inject/guice@4.2.3?classifier=no_aop&type=jar", "path": "https://github.com/google/guice", "branch": "", "digest": "", @@ -91,7 +91,7 @@ }, { "id": "com.google.guava:guava", - "purl": "", + "purl": "pkg:maven/com.google.guava/guava@30.1-jre?type=jar", "path": "https://github.com/google/guava", "branch": "", "digest": "", @@ -100,7 +100,7 @@ }, { "id": "com.google.guava:failureaccess", - "purl": "", + "purl": "pkg:maven/com.google.guava/failureaccess@1.0.1?type=jar", "path": "https://github.com/google/guava", "branch": "", "digest": "", @@ -109,7 +109,7 @@ }, { "id": "javax.inject:javax.inject", - "purl": "", + "purl": "pkg:maven/javax.inject/javax.inject@1?type=jar", "path": "", "branch": "", "digest": "", @@ -118,7 +118,7 @@ }, { "id": "javax.annotation:javax.annotation-api", - "purl": "", + "purl": "pkg:maven/javax.annotation/javax.annotation-api@1.3.2?type=jar", "path": "https://github.com/javaee/javax.annotation", "branch": "", "digest": "", @@ -127,7 +127,7 @@ }, { "id": "org.codehaus.plexus:plexus-sec-dispatcher", - "purl": "", + "purl": "pkg:maven/org.codehaus.plexus/plexus-sec-dispatcher@2.0?type=jar", "path": "https://github.com/codehaus-plexus/plexus-sec-dispatcher", "branch": "", "digest": "", @@ -136,7 +136,7 @@ }, { "id": "org.codehaus.plexus:plexus-cipher", - "purl": "", + "purl": "pkg:maven/org.codehaus.plexus/plexus-cipher@2.0?type=jar", "path": "https://github.com/codehaus-plexus/plexus-cipher", "branch": "", "digest": "", 
@@ -145,7 +145,7 @@ }, { "id": "org.slf4j:slf4j-simple", - "purl": "", + "purl": "pkg:maven/org.slf4j/slf4j-simple@1.7.32?type=jar", "path": "https://github.com/qos-ch/slf4j", "branch": "", "digest": "", @@ -154,7 +154,7 @@ }, { "id": "ch.qos.logback:logback-classic", - "purl": "", + "purl": "pkg:maven/ch.qos.logback/logback-classic@1.2.11?type=jar", "path": "https://github.com/ceki/logback", "branch": "", "digest": "", @@ -163,7 +163,7 @@ }, { "id": "commons-cli:commons-cli", - "purl": "", + "purl": "pkg:maven/commons-cli/commons-cli@1.5.0?type=jar", "path": "https://github.com/apache/maven-apache-parent", "branch": "", "digest": "", @@ -172,16 +172,16 @@ }, { "id": "org.apache.commons:commons-lang3", - "purl": "", + "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0?type=jar", "path": "https://github.com/apache/maven-apache-parent", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-apache-parent is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "org.mockito:mockito-core", - "purl": "", + "purl": "pkg:maven/org.mockito/mockito-core@3.2.0?type=jar", "path": "https://github.com/mockito/mockito", "branch": "", "digest": "", @@ -190,7 +190,7 @@ }, { "id": "org.fusesource.jansi:jansi", - "purl": "", + "purl": "pkg:maven/org.fusesource.jansi/jansi@2.4.0?type=jar", "path": "https://github.com/fusesource/jansi", "branch": "", "digest": "", @@ -199,7 +199,7 @@ }, { "id": "org.apache.maven.wagon:wagon-http", - "purl": "", + "purl": "pkg:maven/org.apache.maven.wagon/wagon-http@3.5.1?type=jar", "path": "https://github.com/apache/maven-wagon", "branch": "", "digest": "", 
@@ -208,16 +208,16 @@ }, { "id": "org.apache.maven.wagon:wagon-file", - "purl": "", + "purl": "pkg:maven/org.apache.maven.wagon/wagon-file@3.5.1?type=jar", "path": "https://github.com/apache/maven-wagon", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-wagon is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "org.slf4j:jcl-over-slf4j", - "purl": "", + "purl": "pkg:maven/org.slf4j/jcl-over-slf4j@1.7.32?type=jar", "path": "https://github.com/qos-ch/slf4j", "branch": "", "digest": "", 
@@ -226,43 +226,43 @@ }, { "id": "org.apache.maven.resolver:maven-resolver-connector-basic", - "purl": "", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-connector-basic@1.8.0?type=jar", "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-resolver is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "org.apache.maven.resolver:maven-resolver-transport-file", - "purl": "", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-transport-file@1.8.0?type=jar", "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-resolver is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "org.apache.maven.resolver:maven-resolver-transport-http", - "purl": "", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-transport-http@1.8.0?type=jar", "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-resolver is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "org.apache.maven.resolver:maven-resolver-transport-wagon", - "purl": "", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-transport-wagon@1.8.0?type=jar", "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-resolver is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "org.codehaus.plexus:plexus-interpolation", - "purl": "", + "purl": "pkg:maven/org.codehaus.plexus/plexus-interpolation@1.26?type=jar", "path": "https://github.com/codehaus-plexus/plexus-interpolation", "branch": "", "digest": "", 
@@ -271,16 +271,16 @@ }, { "id": "org.apache.maven.resolver:maven-resolver-impl", - "purl": "", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-impl@1.8.0?type=jar", "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-resolver is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "org.codehaus.plexus:plexus-component-annotations", - "purl": "", + "purl": "pkg:maven/org.codehaus.plexus/plexus-component-annotations@2.1.0?type=jar", "path": "https://github.com/codehaus-plexus/plexus-containers", "branch": "", "digest": "", @@ -289,16 +289,16 @@ }, { "id": "org.apache.maven.wagon:wagon-provider-api", - "purl": "", + "purl": "pkg:maven/org.apache.maven.wagon/wagon-provider-api@3.5.1?type=jar", "path": "https://github.com/apache/maven-wagon", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-wagon is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "org.codehaus.plexus:plexus-testing", - "purl": "", + "purl": "pkg:maven/org.codehaus.plexus/plexus-testing@1.0.0?type=jar", "path": "https://github.com/codehaus-plexus/plexus-testing", "branch": "", "digest": "", @@ -307,7 +307,7 @@ }, { "id": "org.junit.jupiter:junit-jupiter-params", - "purl": "", + "purl": "pkg:maven/org.junit.jupiter/junit-jupiter-params@5.8.1?type=jar", "path": "https://github.com/junit-team/junit5", "branch": "", "digest": "", @@ -316,7 +316,7 @@ }, { "id": "org.xmlunit:xmlunit-assertj", - "purl": "", + "purl": "pkg:maven/org.xmlunit/xmlunit-assertj@2.6.4?type=jar", "path": "https://github.com/xmlunit/xmlunit", "branch": "", "digest": "", @@ -325,7 +325,7 @@ }, { "id": "org.hamcrest:hamcrest-library", - "purl": "", + "purl": "pkg:maven/org.hamcrest/hamcrest-library@2.2?type=jar", "path": "https://github.com/hamcrest/JavaHamcrest", "branch": "", "digest": "", 
@@ -334,7 +334,7 @@ }, { "id": "org.eclipse.sisu:org.eclipse.sisu.inject", - "purl": "", + "purl": "pkg:maven/org.eclipse.sisu/org.eclipse.sisu.inject@0.3.5?type=jar", "path": "", "branch": "", "digest": "", @@ -343,7 +343,7 @@ }, { "id": "org.xmlunit:xmlunit-core", - "purl": "", + "purl": "pkg:maven/org.xmlunit/xmlunit-core@2.6.4?type=jar", "path": "https://github.com/xmlunit/xmlunit", "branch": "", "digest": "", @@ -352,7 +352,7 @@ }, { "id": "org.xmlunit:xmlunit-matchers", - "purl": "", + "purl": "pkg:maven/org.xmlunit/xmlunit-matchers@2.6.4?type=jar", "path": "https://github.com/xmlunit/xmlunit", "branch": "", "digest": "", @@ -361,16 +361,16 @@ }, { "id": "org.apache.maven.resolver:maven-resolver-spi", - "purl": "", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-spi@1.8.0?type=jar", "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-resolver is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "commons-jxpath:commons-jxpath", - "purl": "", + "purl": "pkg:maven/commons-jxpath/commons-jxpath@1.3?type=jar", "path": "", "branch": "", "digest": "", diff --git a/tests/dependency_analyzer/expected_results/cyclonedx_timyarkov_multibuild_test.json b/tests/dependency_analyzer/expected_results/cyclonedx_timyarkov_multibuild_test.json index 1b4a1fb15..bafacf2b5 100644 --- a/tests/dependency_analyzer/expected_results/cyclonedx_timyarkov_multibuild_test.json +++ b/tests/dependency_analyzer/expected_results/cyclonedx_timyarkov_multibuild_test.json @@ -1,7 +1,7 @@ [ { "id": "org.springframework.boot:spring-boot-starter-thymeleaf", - "purl": "", + "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-thymeleaf@3.0.0?type=jar", "path": "https://github.com/spring-projects/spring-boot", "branch": "", "digest": "", 
@@ -10,7 +10,7 @@ }, { "id": "org.springframework.boot:spring-boot-starter-web", - "purl": "", + "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-web@3.0.0?type=jar", "path": "https://github.com/spring-projects/spring-boot", "branch": "", "digest": "", @@ -19,7 +19,7 @@ }, { "id": "com.google.code.gson:gson", - "purl": "", + "purl": "pkg:maven/com.google.code.gson/gson@2.10.1?type=jar", "path": "https://github.com/google/gson", "branch": "", "digest": "", diff --git a/tests/dependency_analyzer/test_dependency_analyzer.py b/tests/dependency_analyzer/test_dependency_analyzer.py index 3dd7d992f..ed9b9c7cb 100644 --- a/tests/dependency_analyzer/test_dependency_analyzer.py +++ b/tests/dependency_analyzer/test_dependency_analyzer.py @@ -27,6 +27,7 @@ def test_merge_config(self) -> None: version="2.14.0-SNAPSHOT", group="com.fasterxml.jackson.core", name="jackson-annotations", + purl="pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0-SNAPSHOT?type=bundle", url="https://github.com/FasterXML/jackson-annotations", note="", available=SCMStatus.AVAILABLE, @@ -35,6 +36,7 @@ def test_merge_config(self) -> None: version="2.14.0-SNAPSHOT", group="com.fasterxml.jackson.core", name="jackson-core", + purl="pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0-SNAPSHOT?type=bundle", url="https://github.com/FasterXML/jackson-core", note="", available=SCMStatus.AVAILABLE, @@ -45,7 +47,7 @@ def test_merge_config(self) -> None: expected_result_no_deps = [ { "id": "com.fasterxml.jackson.core:jackson-annotations", - "purl": "", + "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0-SNAPSHOT?type=bundle", "path": "https://github.com/FasterXML/jackson-annotations", "branch": "", "digest": "", 
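Review bot: The purl literal `pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0-SNAPSHOT?type=bundle` (and its jackson-core twin) is now spelled out three times each inside test_merge_config — once in the keyword-argument input object and again in each expected dict — so a typo in one copy would make the test fail for the wrong reason, or pass while the input and expectation drift apart. Hoisting each into a local, e.g. `annotations_purl = "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0-SNAPSHOT?type=bundle"`, and using it in both the input and the expected dicts keeps them in sync. The same duplication continues in the `@@ -54,7 +56,7 @@`, `@@ -84,7 +86,7 @@` and `@@ -93,7 +95,7 @@` hunks on the next line. test_merge_config starts and ends outside these hunks.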
@@ -54,7 +56,7 @@ def test_merge_config(self) -> None: }, { "id": "com.fasterxml.jackson.core:jackson-core", - "purl": "", + "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0-SNAPSHOT?type=bundle", "path": "https://github.com/FasterXML/jackson-core", "branch": "", "digest": "", @@ -84,7 +86,7 @@ def test_merge_config(self) -> None: }, { "id": "com.fasterxml.jackson.core:jackson-annotations", - "purl": "", + "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0-SNAPSHOT?type=bundle", "path": "https://github.com/FasterXML/jackson-annotations", "branch": "", "digest": "", @@ -93,7 +95,7 @@ def test_merge_config(self) -> None: }, { "id": "com.fasterxml.jackson.core:jackson-core", - "purl": "", + "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0-SNAPSHOT?type=bundle", "path": "https://github.com/FasterXML/jackson-core", "branch": "", "digest": "", diff --git a/tests/e2e/expected_results/docker_test/docker_test.json b/tests/e2e/expected_results/docker_test/docker_test.json index 2ded272c1..6940d8964 100644 --- a/tests/e2e/expected_results/docker_test/docker_test.json +++ b/tests/e2e/expected_results/docker_test/docker_test.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-08-28 12:52:37" + "timestamps": "2023-09-12 17:09:42" }, "target": { "info": { @@ -35,7 +35,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "Pretend-to-do-stuff", + "stepID": "Push Docker" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -61,7 +64,7 @@ "checks": { "summary": { "DISABLED": 0, - "FAILED": 5, + "FAILED": 6, "PASSED": 4, "SKIPPED": 0, "UNKNOWN": 0 
@@ -118,6 +121,17 @@ ], "result_type": "PASSED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", @@ -193,31 +207,35 @@ "unique_dep_repos": 0, "checks_summary": [ { - "check_id": "mcn_build_script_1", + "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, { - "check_id": "mcn_version_control_system_1", + "check_id": "mcn_provenance_witness_level_one_1", "num_deps_pass": 0 }, { - "check_id": "mcn_build_service_1", + "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, { - "check_id": "mcn_trusted_builder_level_three_1", + "check_id": "mcn_infer_artifact_pipeline_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_witness_level_one_1", + "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_available_1", + "check_id": "mcn_version_control_system_1", "num_deps_pass": 0 }, { - "check_id": "mcn_build_as_code_1", + "check_id": "mcn_trusted_builder_level_three_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_build_script_1", "num_deps_pass": 0 }, { @@ -225,7 +243,7 @@ "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_expectation_1", + "check_id": "mcn_build_service_1", "num_deps_pass": 0 } ], diff --git a/tests/e2e/expected_results/jackson-databind/jackson-databind.json b/tests/e2e/expected_results/jackson-databind/jackson-databind.json index 3bfb62b98..4d2999187 100644 --- a/tests/e2e/expected_results/jackson-databind/jackson-databind.json +++ b/tests/e2e/expected_results/jackson-databind/jackson-databind.json 
@@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-07-08 03:35:08" + "timestamps": "2023-09-12 17:24:16" }, "target": { "info": { @@ -35,7 +35,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "build", + "stepID": "Deploy snapshot" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -77,7 +80,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "", + "stepID": "" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -97,13 +103,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 5, + "FAILED": 6, "PASSED": 4, "SKIPPED": 0, "UNKNOWN": 0 @@ -160,6 +167,17 @@ ], "result_type": "PASSED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", @@ -238,10 +256,18 @@ "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 @@ -265,10 +291,6 @@ { "check_id": "mcn_build_service_1", "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "num_deps_pass": 0 } ], "dep_status": [] diff --git a/tests/e2e/expected_results/maven/guava.json b/tests/e2e/expected_results/maven/guava.json index d68be2be2..a608b9803 100644 --- a/tests/e2e/expected_results/maven/guava.json +++ b/tests/e2e/expected_results/maven/guava.json 
@@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-07-08 03:36:15" + "timestamps": "2023-09-12 17:28:04" }, "target": { "info": { @@ -35,7 +35,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "publish_snapshot", + "stepID": "Publish" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -55,13 +58,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 5, + "FAILED": 6, "PASSED": 4, "SKIPPED": 0, "UNKNOWN": 0 @@ -118,6 +122,17 @@ ], "result_type": "PASSED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", @@ -196,10 +211,18 @@ "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 @@ -223,10 +246,6 @@ { "check_id": "mcn_build_service_1", "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "num_deps_pass": 0 } ], "dep_status": [] diff --git a/tests/e2e/expected_results/maven/maven.json b/tests/e2e/expected_results/maven/maven.json index 158f1c047..d33a87a2f 100644 --- a/tests/e2e/expected_results/maven/maven.json +++ b/tests/e2e/expected_results/maven/maven.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-06-14 13:33:34" + "timestamps": "2023-09-12 17:28:08" }, "target": { "info": { 
@@ -35,7 +35,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "", + "stepID": "" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -77,7 +80,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "", + "stepID": "" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -97,13 +103,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 5, + "FAILED": 6, "PASSED": 4, "SKIPPED": 0, "UNKNOWN": 0 @@ -155,6 +162,17 @@ ], "result_type": "PASSED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", @@ -176,7 +194,7 @@ "Provenance conforms with expectations - SLSA Level 3" ], "justification": [ - "Check mcn_provenance_expectation_1 is set to FAILED because mcn_provenance_level_three_1 FAILED." + "Check mcn_provenance_expectation_1 is set to FAILED because mcn_provenance_available_1 FAILED." ], "result_type": "FAILED" }, 
@@ -226,24 +244,32 @@ } }, "dependencies": { - "analyzed_deps": 2, - "unique_dep_repos": 2, + "analyzed_deps": 0, + "unique_dep_repos": 0, "checks_summary": [ { "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", - "num_deps_pass": 2 + "num_deps_pass": 0 }, { "check_id": "mcn_version_control_system_1", - "num_deps_pass": 2 + "num_deps_pass": 0 }, { "check_id": "mcn_trusted_builder_level_three_1", @@ -251,7 +277,7 @@ }, { "check_id": "mcn_build_script_1", - "num_deps_pass": 2 + "num_deps_pass": 0 }, { "check_id": "mcn_provenance_level_three_1", @@ -260,25 +286,8 @@ { "check_id": "mcn_build_service_1", "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "num_deps_pass": 0 } ], - "dep_status": [ - { - "id": "guava", - "description": "Analysis Completed.", - "report": "guava.html", - "status": "AVAILABLE" - }, - { - "id": "mockito", - "description": "Analysis Completed.", - "report": "mockito.html", - "status": "AVAILABLE" - } - ] + "dep_status": [] } } diff --git a/tests/e2e/expected_results/maven/mockito.json b/tests/e2e/expected_results/maven/mockito.json index e7da37718..ee4791623 100644 --- a/tests/e2e/expected_results/maven/mockito.json +++ b/tests/e2e/expected_results/maven/mockito.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-07-08 03:36:15" + "timestamps": "2023-09-12 17:28:04" }, "target": { "info": { @@ -35,7 +35,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "release", + "stepID": "Build and release" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", 
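Review bot: The expected result for maven.json now records `"analyzed_deps": 0`, `"unique_dep_repos": 0` and an empty `dep_status`, where the previous expectation listed guava and mockito as analysed dependencies with `num_deps_pass` of 2 on the build-script, version-control and build-as-code checks. Nothing else in the change set explains why dependency analysis for this target should now yield nothing, so this may be encoding a regression in dependency resolution rather than an intended fixture refresh. If the e2e run for this target is now meant to skip dependencies, that should be stated in the commit description; otherwise the old counts and the two dep_status entries should be kept and the cause investigated. The same reduction appears in the `@@ -251,7 +277,7 @@` and `@@ -260,25 +286,8 @@` hunks of this file.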
@@ -55,13 +58,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 5, + "FAILED": 6, "PASSED": 4, "SKIPPED": 0, "UNKNOWN": 0 @@ -118,6 +122,17 @@ ], "result_type": "PASSED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", @@ -196,10 +211,18 @@ "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 @@ -223,10 +246,6 @@ { "check_id": "mcn_build_service_1", "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "num_deps_pass": 0 } ], "dep_status": [] diff --git a/tests/e2e/expected_results/micronaut-core/caffeine.json b/tests/e2e/expected_results/micronaut-core/caffeine.json index 869788261..88ac3fe9a 100644 --- a/tests/e2e/expected_results/micronaut-core/caffeine.json +++ b/tests/e2e/expected_results/micronaut-core/caffeine.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-07-08 03:33:32" + "timestamps": "2023-09-12 22:55:15" }, "target": { "info": { @@ -35,7 +35,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "build", + "stepID": "Publish Snapshot" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", 
@@ -77,7 +80,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "", + "stepID": "" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -97,13 +103,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 5, + "FAILED": 6, "PASSED": 4, "SKIPPED": 0, "UNKNOWN": 0 @@ -121,7 +128,8 @@ "The build is triggered by": "https://github.com/ben-manes/caffeine/blob/05a040c2478341bab8a58a02b3dc1fe14d626d72/.github/workflows/build.yml" }, "Deploy command: ['./gradlew', 'publishToSonatype']", - "However, could not find a passing workflow run." + "However, could not find a passing workflow run.", + "The target repository does not use maven to deploy." ], "result_type": "PASSED" }, @@ -160,6 +168,17 @@ ], "result_type": "PASSED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", @@ -238,10 +257,18 @@ "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 @@ -265,10 +292,6 @@ { "check_id": "mcn_build_service_1", "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "num_deps_pass": 0 } ], "dep_status": [] diff --git a/tests/e2e/expected_results/micronaut-core/micronaut-core.json b/tests/e2e/expected_results/micronaut-core/micronaut-core.json index 0c2268077..6994537a9 100644 
--- a/tests/e2e/expected_results/micronaut-core/micronaut-core.json +++ b/tests/e2e/expected_results/micronaut-core/micronaut-core.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-09-13 08:44:28" + "timestamps": "2023-09-13 10:04:00" }, "target": { "info": { @@ -746,13 +746,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 2, + "FAILED": 3, "PASSED": 6, "SKIPPED": 0, "UNKNOWN": 1 @@ -850,6 +851,17 @@ ], "result_type": "PASSED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_witness_level_one_1", "check_description": "Check whether the target has a level-1 witness provenance.", @@ -897,6 +909,10 @@ "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 1 diff --git a/tests/e2e/expected_results/micronaut-core/slf4j.json b/tests/e2e/expected_results/micronaut-core/slf4j.json index 0093d3f8a..1de0884e2 100644 --- a/tests/e2e/expected_results/micronaut-core/slf4j.json +++ b/tests/e2e/expected_results/micronaut-core/slf4j.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-07-08 03:33:32" + "timestamps": "2023-09-12 22:55:15" }, "target": { "info": { @@ -35,7 +35,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "", + "stepID": "" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -55,13 +58,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 6, + "FAILED": 7, "PASSED": 3, "SKIPPED": 0, "UNKNOWN": 0 
@@ -113,6 +117,17 @@ ], "result_type": "FAILED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Check mcn_infer_artifact_pipeline_1 is set to FAILED because mcn_build_as_code_1 FAILED." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", @@ -191,10 +206,18 @@ "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 @@ -215,10 +238,6 @@ "check_id": "mcn_provenance_level_three_1", "num_deps_pass": 0 }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "num_deps_pass": 0 - }, { "check_id": "mcn_build_service_1", "num_deps_pass": 0 diff --git a/tests/e2e/expected_results/multibuild_test/multibuild_test.json b/tests/e2e/expected_results/multibuild_test/multibuild_test.json index 27e22539b..4ce642a20 100644 --- a/tests/e2e/expected_results/multibuild_test/multibuild_test.json +++ b/tests/e2e/expected_results/multibuild_test/multibuild_test.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-08-23 18:31:55" + "timestamps": "2023-09-12 17:09:38" }, "target": { "info": { @@ -35,9 +35,12 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "Pretend-to-do-stuff", + "stepID": "Publish Gradle Project" + }, "metadata": { - "buildInvocationId": "https://github.com/timyarkov/multibuild_test/actions/runs/5097947450", + "buildInvocationId": "", "buildStartedOn": "", "buildFinishedOn": "", "completeness": { 
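Review bot: In the multibuild_test.json `@@ -35,9 +35,12 @@` hunk the inferred provenance loses its `buildInvocationId` (previously a concrete GitHub Actions run URL, now `""`), and the `@@ -79,9 +83,7 @@` hunk on the next line replaces the "The status of the build can be seen at" justification with `"However, could not find a passing workflow run."`. The build-as-code check therefore no longer ties the publish step to an actual workflow run for this target, which weakens the evidence the inferred provenance is meant to carry. If this is a side effect of the new publish-pipeline inference taking over the workflow-run lookup, the commit description should say so; otherwise this looks like a regression in the expected output rather than a fixture refresh.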
@@ -55,13 +58,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 5, + "FAILED": 6, "PASSED": 4, "SKIPPED": 0, "UNKNOWN": 0 @@ -79,9 +83,7 @@ "The build is triggered by": "https://github.com/timyarkov/multibuild_test/blob/a8b0efe24298bc81f63217aaa84776c3d48976c5/.github/workflows/github-actions-basic.yml" }, "Deploy command: ['gradle', 'publish']", - { - "The status of the build can be seen at": "https://github.com/timyarkov/multibuild_test/actions/runs/5097947450" - }, + "However, could not find a passing workflow run.", "The target repository does not use maven to deploy." ], "result_type": "PASSED" @@ -121,6 +123,17 @@ ], "result_type": "PASSED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", 
@@ -196,47 +209,51 @@ "unique_dep_repos": 2, "checks_summary": [ { - "check_id": "mcn_build_script_1", - "num_deps_pass": 2 + "check_id": "mcn_provenance_expectation_1", + "num_deps_pass": 0 }, { - "check_id": "mcn_version_control_system_1", - "num_deps_pass": 2 + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 }, { - "check_id": "mcn_build_service_1", - "num_deps_pass": 2 + "check_id": "mcn_provenance_available_1", + "num_deps_pass": 0 }, { - "check_id": "mcn_trusted_builder_level_three_1", + "check_id": "mcn_infer_artifact_pipeline_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_witness_level_one_1", + "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_available_1", - "num_deps_pass": 0 + "check_id": "mcn_version_control_system_1", + "num_deps_pass": 2 }, { - "check_id": "mcn_build_as_code_1", + "check_id": "mcn_trusted_builder_level_three_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_build_script_1", + "num_deps_pass": 2 + }, { "check_id": "mcn_provenance_level_three_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_expectation_1", - "num_deps_pass": 0 + "check_id": "mcn_build_service_1", + "num_deps_pass": 2 } ], "dep_status": [ { "id": "org.springframework.boot:spring-boot-starter-thymeleaf", "description": "Analysis Completed.", - "report": "spring-boot.html", + "report": "spring-boot-starter-thymeleaf.html", "status": "AVAILABLE" }, { diff --git a/tests/e2e/expected_results/plot-plugin/plot-plugin.json b/tests/e2e/expected_results/plot-plugin/plot-plugin.json index bd52af38e..faa5f2e95 100644 --- a/tests/e2e/expected_results/plot-plugin/plot-plugin.json +++ b/tests/e2e/expected_results/plot-plugin/plot-plugin.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-07-08 03:11:33" + "timestamps": "2023-09-12 17:07:15" }, "target": { "info": { 
@@ -35,7 +35,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "", + "stepID": "" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -77,7 +80,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "", + "stepID": "" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -97,13 +103,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 6, + "FAILED": 7, "PASSED": 3, "SKIPPED": 0, "UNKNOWN": 0 @@ -155,6 +162,17 @@ ], "result_type": "FAILED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Check mcn_infer_artifact_pipeline_1 is set to FAILED because mcn_build_as_code_1 FAILED." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", @@ -233,10 +251,18 @@ "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 @@ -260,10 +286,6 @@ { "check_id": "mcn_build_service_1", "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "num_deps_pass": 0 } ], "dep_status": [] diff --git a/tests/e2e/expected_results/purl/com_google_guava/guava/guava.json b/tests/e2e/expected_results/purl/com_google_guava/guava/guava.json new file mode 100644 index 000000000..d28951558 --- /dev/null +++ b/tests/e2e/expected_results/purl/com_google_guava/guava/guava.json 
@@ -0,0 +1,255 @@ +{ + "metadata": { + "timestamps": "2023-09-12 16:52:10" + }, + "target": { + "info": { + "full_name": "pkg:maven/com.google.guava/guava@32.1.2-jre?type=jar", + "local_cloned_path": "git_repos/github_com/google/guava", + "remote_path": "https://github.com/google/guava", + "branch": "master", + "commit_hash": "d8633ac8539dae52c8361f79c7a0dbd9ad6dd2c4", + "commit_date": "2022-06-16T01:55:17-07:00" + }, + "provenances": { + "is_inferred": true, + "content": { + "github_actions": [ + { + "_type": "https://in-toto.io/Statement/v0.1", + "subject": [], + "predicateType": "https://slsa.dev/provenance/v0.2", + "predicate": { + "builder": { + "id": "https://github.com/google/guava/blob/d8633ac8539dae52c8361f79c7a0dbd9ad6dd2c4/./util/deploy_snapshot.sh" + }, + "buildType": "Custom github_actions", + "invocation": { + "configSource": { + "uri": "https://github.com/google/guava@refs/heads/master", + "digest": { + "sha1": "d8633ac8539dae52c8361f79c7a0dbd9ad6dd2c4" + }, + "entryPoint": "https://github.com/google/guava/blob/d8633ac8539dae52c8361f79c7a0dbd9ad6dd2c4/.github/workflows/ci.yml" + }, + "parameters": {}, + "environment": {} + }, + "buildConfig": { + "jobID": "publish_snapshot", + "stepID": "Publish" + }, + "metadata": { + "buildInvocationId": "", + "buildStartedOn": "", + "buildFinishedOn": "", + "completeness": { + "parameters": "false", + "environment": "false", + "materials": "false" + }, + "reproducible": "false" + }, + "materials": [ + { + "uri": "", + "digest": {} + } + ] + } + } + ], + "Maven Central Registry": [] + } + }, + "checks": { + "summary": { + "DISABLED": 0, + "FAILED": 5, + "PASSED": 5, + "SKIPPED": 0, + "UNKNOWN": 0 + }, + "results": [ + { + "check_id": "mcn_build_as_code_1", + "check_description": "The build definition and configuration executed by the build service is verifiably derived from text file definitions stored in a version control system.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ 
+ { + "The target repository uses build tool maven to deploy": "https://github.com/google/guava/blob/d8633ac8539dae52c8361f79c7a0dbd9ad6dd2c4/./util/deploy_snapshot.sh", + "The build is triggered by": "https://github.com/google/guava/blob/d8633ac8539dae52c8361f79c7a0dbd9ad6dd2c4/.github/workflows/ci.yml" + }, + "Deploy command: ['mvn', 'clean', 'source:jar', 'javadoc:jar', 'deploy', '-DskipTests=true', '\"$@\"']", + "However, could not find a passing workflow run." + ], + "result_type": "PASSED" + }, + { + "check_id": "mcn_build_script_1", + "check_description": "Check if the target repo has a valid build script.", + "slsa_requirements": [ + "Scripted Build - SLSA Level 1" + ], + "justification": [ + "Check mcn_build_script_1 is set to PASSED because mcn_build_service_1 PASSED." + ], + "result_type": "PASSED" + }, + { + "check_id": "mcn_build_service_1", + "check_description": "Check if the target repo has a valid build service.", + "slsa_requirements": [ + "Build service - SLSA Level 2" + ], + "justification": [ + "Check mcn_build_service_1 is set to PASSED because mcn_build_as_code_1 PASSED." 
+ ], + "result_type": "PASSED" + }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + { + "The artifact is potentially published by workflow job 'publish_snapshot' at step 'Publish' triggered by": "https://github.com/google/guava/actions/runs/5719444145" + } + ], + "result_type": "PASSED" + }, + { + "check_id": "mcn_version_control_system_1", + "check_description": "Check whether the target repo uses a version control system.", + "slsa_requirements": [ + "Version controlled - SLSA Level 2" + ], + "justification": [ + { + "This is a Git repository": "https://github.com/google/guava" + } + ], + "result_type": "PASSED" + }, + { + "check_id": "mcn_provenance_available_1", + "check_description": "Check whether the target has intoto provenance.", + "slsa_requirements": [ + "Provenance - Available - SLSA Level 1", + "Provenance content - Identifies build instructions - SLSA Level 1", + "Provenance content - Identifies artifacts - SLSA Level 1", + "Provenance content - Identifies builder - SLSA Level 1" + ], + "justification": [ + "Could not find any SLSA provenances." + ], + "result_type": "FAILED" + }, + { + "check_id": "mcn_provenance_expectation_1", + "check_description": "Check whether the SLSA provenance for the produced artifact conforms to the expected value.", + "slsa_requirements": [ + "Provenance conforms with expectations - SLSA Level 3" + ], + "justification": [ + "Check mcn_provenance_expectation_1 is set to FAILED because mcn_provenance_available_1 FAILED." 
+ ], + "result_type": "FAILED" + }, + { + "check_id": "mcn_provenance_level_three_1", + "check_description": "Check whether the target has SLSA provenance level 3.", + "slsa_requirements": [ + "Provenance - Non falsifiable - SLSA Level 3", + "Provenance content - Includes all build parameters - SLSA Level 3", + "Provenance content - Identifies entry point - SLSA Level 3", + "Provenance content - Identifies source code - SLSA Level 2" + ], + "justification": [ + "Check mcn_provenance_level_three_1 is set to FAILED because mcn_provenance_available_1 FAILED." + ], + "result_type": "FAILED" + }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "check_description": "Check whether the target has a level-1 witness provenance.", + "slsa_requirements": [ + "Provenance - Available - SLSA Level 1", + "Provenance content - Identifies build instructions - SLSA Level 1", + "Provenance content - Identifies artifacts - SLSA Level 1", + "Provenance content - Identifies builder - SLSA Level 1" + ], + "justification": [ + "Check mcn_provenance_witness_level_one_1 is set to FAILED because mcn_provenance_available_1 FAILED." + ], + "result_type": "FAILED" + }, + { + "check_id": "mcn_trusted_builder_level_three_1", + "check_description": "Check whether the target uses a trusted SLSA level 3 builder.", + "slsa_requirements": [ + "Hermetic - SLSA Level 4", + "Isolated - SLSA Level 3", + "Parameterless - SLSA Level 4", + "Ephemeral environment - SLSA Level 3" + ], + "justification": [ + "Could not find a trusted level 3 builder as a GitHub Actions workflow." 
+ ], + "result_type": "FAILED" + } + ] + } + }, + "dependencies": { + "analyzed_deps": 0, + "unique_dep_repos": 0, + "checks_summary": [ + { + "check_id": "mcn_provenance_expectation_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_provenance_available_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_build_as_code_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_version_control_system_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_trusted_builder_level_three_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_build_script_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_provenance_level_three_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_build_service_1", + "num_deps_pass": 0 + } + ], + "dep_status": [] + } +} diff --git a/tests/e2e/expected_results/purl/maven/maven.json b/tests/e2e/expected_results/purl/maven/maven.json index 468950538..833cb74bb 100644 --- a/tests/e2e/expected_results/purl/maven/maven.json +++ b/tests/e2e/expected_results/purl/maven/maven.json @@ -1,11 +1,11 @@ { "metadata": { - "timestamps": "2023-08-23 14:52:50" + "timestamps": "2023-09-12 17:10:37" }, "target": { "info": { "full_name": "pkg:maven/apache/maven", - "local_cloned_path": "../../../../output/git_repos/github_com/apache/maven", + "local_cloned_path": "git_repos/github_com/apache/maven", "remote_path": "https://github.com/apache/maven", "branch": "master", "commit_hash": "6767f2500f1d005924ccff27f04350c253858a84", @@ -35,7 +35,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "", + "stepID": "" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -77,7 +80,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "", + "stepID": "" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", 
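Review bot: The expected results for guava contradict each other: `mcn_build_as_code_1` is PASSED with the justification "However, could not find a passing workflow run.", while `mcn_infer_artifact_pipeline_1` is PASSED on the strength of run `https://github.com/google/guava/actions/runs/5719444145` triggering job `publish_snapshot`. The artifact under test is the release `32.1.2-jre`, yet the builder cited is the snapshot deploy script `./util/deploy_snapshot.sh` at a commit dated 2022-06-16, so the inferred pipeline likely belongs to a different commit and a different artifact kind than the one analyzed. Before pinning this as the expected output, I would check whether the inference should also require the matched run's commit to equal `commit_hash`, and have the build-as-code justification cite the run it found (or drop the "could not find" sentence) so the two checks tell one story.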
@@ -97,13 +103,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 5, + "FAILED": 6, "PASSED": 4, "SKIPPED": 0, "UNKNOWN": 0 @@ -155,6 +162,17 @@ ], "result_type": "PASSED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", @@ -230,7 +248,7 @@ "unique_dep_repos": 0, "checks_summary": [ { - "check_id": "mcn_version_control_system_1", + "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, { @@ -238,27 +256,31 @@ "num_deps_pass": 0 }, { - "check_id": "mcn_build_as_code_1", + "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, { - "check_id": "mcn_trusted_builder_level_three_1", + "check_id": "mcn_infer_artifact_pipeline_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_level_three_1", + "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 }, { - "check_id": "mcn_build_script_1", + "check_id": "mcn_version_control_system_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_expectation_1", + "check_id": "mcn_trusted_builder_level_three_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_available_1", + "check_id": "mcn_build_script_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_provenance_level_three_1", "num_deps_pass": 0 }, { diff --git a/tests/e2e/expected_results/slsa-verifier/slsa-verifier_cue_PASS.json b/tests/e2e/expected_results/slsa-verifier/slsa-verifier_cue_PASS.json index a86c796eb..d32078220 100644 --- a/tests/e2e/expected_results/slsa-verifier/slsa-verifier_cue_PASS.json +++ b/tests/e2e/expected_results/slsa-verifier/slsa-verifier_cue_PASS.json 
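Review bot: The new `mcn_infer_artifact_pipeline_1` result for `pkg:maven/apache/maven` fails with "Unable to find a publishing timestamp for the artifact.", which states the symptom but not the cause; the purl carries no version, so there is no specific Maven Central artifact whose publish date could be looked up, if that is what the check does. A justification along the lines of `"Unable to find a publishing timestamp for the artifact: the PURL does not specify a version."` would make the failure actionable for the user. The wording lives in the check implementation rather than in this fixture.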
@@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-07-08 21:09:08" + "timestamps": "2023-09-12 17:36:00" }, "target": { "info": { 
@@ -22,44 +22,44 @@ { "name": "slsa-verifier-darwin-amd64", "digest": { - "sha256": "44ae609925c2dddafa45b2f98da62b40abcf739bbbe6f9dc792f3aba6e236e9c" + "sha256": "9e67318937b936014b6127affc14bc45f1fb10d9899b0105877778e8179b3029" } } ], "predicate": { "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.5.0" + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" }, "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", "invocation": { "configSource": { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" }, "entryPoint": ".github/workflows/release.yml" }, "parameters": {}, "environment": { "arch": "X64", - "github_actor": "ianlewis", - "github_actor_id": "49289", + "github_actor": "laurentsimon", + "github_actor_id": "64505099", "github_base_ref": "", "github_event_name": "push", "github_event_payload": { - "after": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "after": "73d1bcba982de0f644baec83df839399d13f472e", "base_ref": "refs/heads/main", "before": "0000000000000000000000000000000000000000", "commits": [], - "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.3.0", + "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.0", "created": true, "deleted": false, "forced": false, "head_commit": { "author": { - "email": "bot@renovateapp.com", - "name": "Mend Renovate", - "username": "renovate-bot" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon", + "username": "laurentsimon" }, "committer": { "email": "noreply@github.com", 
@@ -67,11 +67,11 @@ "username": "web-flow" }, "distinct": true, - "id": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", - "message": "chore(deps): update npm dev (#586)\n\nSigned-off-by: Renovate Bot \r\nCo-authored-by: Ian Lewis ", - "timestamp": "2023-05-10T00:48:36Z", - "tree_id": "b35aa02e95c56e048c8b75b62392a9f4ec2bd371", - "url": "https://github.com/slsa-framework/slsa-verifier/commit/c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "id": "73d1bcba982de0f644baec83df839399d13f472e", + "message": "fix: release failure (#697)\n\nSigned-off-by: laurentsimon ", + "timestamp": "2023-08-24T15:58:45-07:00", + "tree_id": "d2cb05a78e786bae14eb5882770089b68068c12e", + "url": "https://github.com/slsa-framework/slsa-verifier/commit/73d1bcba982de0f644baec83df839399d13f472e" }, "organization": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -88,10 +88,10 @@ "url": "https://api.github.com/orgs/slsa-framework" }, "pusher": { - "email": "ianlewis@google.com", - "name": "ianlewis" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon" }, - "ref": "refs/tags/v2.3.0", + "ref": "refs/tags/v2.4.0", "repository": { "allow_forking": true, "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", @@ -114,8 +114,8 @@ "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", "fork": false, - "forks": 32, - "forks_count": 32, + "forks": 34, + "forks_count": 34, "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", "full_name": "slsa-framework/slsa-verifier", "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", 
@@ -154,8 +154,8 @@ "name": "slsa-verifier", "node_id": "R_kgDOHEMl0g", "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", - "open_issues": 98, - "open_issues_count": 98, + "open_issues": 119, + "open_issues_count": 119, "organization": "slsa-framework", "owner": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -181,12 +181,12 @@ }, "private": false, "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", - "pushed_at": 1683842480, + "pushed_at": 1692982103, "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", - "size": 81033, + "size": 89668, "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", - "stargazers": 104, - "stargazers_count": 104, + "stargazers": 132, + "stargazers_count": 132, "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", 
@@ -196,44 +196,44 @@ "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", "topics": [], "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", - "updated_at": "2023-05-11T04:14:07Z", + "updated_at": "2023-08-22T02:50:28Z", "url": "https://github.com/slsa-framework/slsa-verifier", "visibility": "public", - "watchers": 104, - "watchers_count": 104, + "watchers": 132, + "watchers_count": 132, "web_commit_signoff_required": true }, "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/49289?v=4", - "events_url": "https://api.github.com/users/ianlewis/events{/privacy}", - "followers_url": "https://api.github.com/users/ianlewis/followers", - "following_url": "https://api.github.com/users/ianlewis/following{/other_user}", - "gists_url": "https://api.github.com/users/ianlewis/gists{/gist_id}", + "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", + "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", + "followers_url": "https://api.github.com/users/laurentsimon/followers", + "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", + "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", "gravatar_id": "", - "html_url": "https://github.com/ianlewis", - "id": 49289, - "login": "ianlewis", - "node_id": "MDQ6VXNlcjQ5Mjg5", - "organizations_url": "https://api.github.com/users/ianlewis/orgs", - "received_events_url": "https://api.github.com/users/ianlewis/received_events", - "repos_url": "https://api.github.com/users/ianlewis/repos", + "html_url": "https://github.com/laurentsimon", + "id": 64505099, + "login": "laurentsimon", + "node_id": "MDQ6VXNlcjY0NTA1MDk5", + "organizations_url": "https://api.github.com/users/laurentsimon/orgs", + "received_events_url": "https://api.github.com/users/laurentsimon/received_events", + "repos_url": "https://api.github.com/users/laurentsimon/repos", "site_admin": false, - 
"starred_url": "https://api.github.com/users/ianlewis/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/ianlewis/subscriptions", + "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", "type": "User", - "url": "https://api.github.com/users/ianlewis" + "url": "https://api.github.com/users/laurentsimon" } }, "github_head_ref": "", - "github_ref": "refs/tags/v2.3.0", + "github_ref": "refs/tags/v2.4.0", "github_ref_type": "tag", "github_repository_id": "474162642", "github_repository_owner": "slsa-framework", "github_repository_owner_id": "80431187", "github_run_attempt": "1", - "github_run_id": "4952932038", - "github_run_number": "324", - "github_sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "github_run_id": "5978382772", + "github_run_number": "434", + "github_sha1": "73d1bcba982de0f644baec83df839399d13f472e", "os": "ubuntu22" } }, @@ -242,7 +242,7 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "mod", "vendor" ], @@ -251,12 +251,12 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "build", "-mod=vendor", "-trimpath", "-tags=netgo", - "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.3.0", + "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.0", "-o", "slsa-verifier-darwin-amd64" ], @@ -271,7 +271,7 @@ "version": 1 }, "metadata": { - "buildInvocationID": "4952932038-1", + "buildInvocationID": "5978382772-1", "completeness": { "parameters": true, "environment": false, 
@@ -281,13 +281,13 @@ }, "materials": [ { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" } }, { - "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230507.1" + "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230821.1.0" } ] } 
@@ -299,44 +299,44 @@ { "name": "slsa-verifier-darwin-arm64", "digest": { - "sha256": "16e028a9306c622aecfc1e286082a2cbdd71418f39054fab98612fcf2ce4716e" + "sha256": "b55009be65f8f6dae4399522e4ab5685a5cfe0b72dca3134f12ba144b8860607" } } ], "predicate": { "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.5.0" + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" }, "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", "invocation": { "configSource": { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" }, "entryPoint": ".github/workflows/release.yml" }, "parameters": {}, "environment": { "arch": "X64", - "github_actor": "ianlewis", - "github_actor_id": "49289", + "github_actor": "laurentsimon", + "github_actor_id": "64505099", "github_base_ref": "", "github_event_name": "push", "github_event_payload": { - "after": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "after": "73d1bcba982de0f644baec83df839399d13f472e", "base_ref": "refs/heads/main", "before": "0000000000000000000000000000000000000000", "commits": [], - "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.3.0", + "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.0", "created": true, "deleted": false, "forced": false, "head_commit": { "author": { - "email": "bot@renovateapp.com", - "name": "Mend Renovate", - "username": "renovate-bot" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon", + "username": "laurentsimon" }, "committer": { "email": "noreply@github.com", 
@@ -344,11 +344,11 @@ "username": "web-flow" }, "distinct": true, - "id": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", - "message": "chore(deps): update npm dev (#586)\n\nSigned-off-by: Renovate Bot \r\nCo-authored-by: Ian Lewis ", - "timestamp": "2023-05-10T00:48:36Z", - "tree_id": "b35aa02e95c56e048c8b75b62392a9f4ec2bd371", - "url": "https://github.com/slsa-framework/slsa-verifier/commit/c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "id": "73d1bcba982de0f644baec83df839399d13f472e", + "message": "fix: release failure (#697)\n\nSigned-off-by: laurentsimon ", + "timestamp": "2023-08-24T15:58:45-07:00", + "tree_id": "d2cb05a78e786bae14eb5882770089b68068c12e", + "url": "https://github.com/slsa-framework/slsa-verifier/commit/73d1bcba982de0f644baec83df839399d13f472e" }, "organization": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -365,10 +365,10 @@ "url": "https://api.github.com/orgs/slsa-framework" }, "pusher": { - "email": "ianlewis@google.com", - "name": "ianlewis" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon" }, - "ref": "refs/tags/v2.3.0", + "ref": "refs/tags/v2.4.0", "repository": { "allow_forking": true, "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", @@ -391,8 +391,8 @@ "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", "fork": false, - "forks": 32, - "forks_count": 32, + "forks": 34, + "forks_count": 34, "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", "full_name": "slsa-framework/slsa-verifier", "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", 
@@ -431,8 +431,8 @@ "name": "slsa-verifier", "node_id": "R_kgDOHEMl0g", "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", - "open_issues": 98, - "open_issues_count": 98, + "open_issues": 119, + "open_issues_count": 119, "organization": "slsa-framework", "owner": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -458,12 +458,12 @@ }, "private": false, "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", - "pushed_at": 1683842480, + "pushed_at": 1692982103, "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", - "size": 81033, + "size": 89668, "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", - "stargazers": 104, - "stargazers_count": 104, + "stargazers": 132, + "stargazers_count": 132, "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", 
@@ -473,44 +473,44 @@ "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", "topics": [], "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", - "updated_at": "2023-05-11T04:14:07Z", + "updated_at": "2023-08-22T02:50:28Z", "url": "https://github.com/slsa-framework/slsa-verifier", "visibility": "public", - "watchers": 104, - "watchers_count": 104, + "watchers": 132, + "watchers_count": 132, "web_commit_signoff_required": true }, "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/49289?v=4", - "events_url": "https://api.github.com/users/ianlewis/events{/privacy}", - "followers_url": "https://api.github.com/users/ianlewis/followers", - "following_url": "https://api.github.com/users/ianlewis/following{/other_user}", - "gists_url": "https://api.github.com/users/ianlewis/gists{/gist_id}", + "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", + "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", + "followers_url": "https://api.github.com/users/laurentsimon/followers", + "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", + "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", "gravatar_id": "", - "html_url": "https://github.com/ianlewis", - "id": 49289, - "login": "ianlewis", - "node_id": "MDQ6VXNlcjQ5Mjg5", - "organizations_url": "https://api.github.com/users/ianlewis/orgs", - "received_events_url": "https://api.github.com/users/ianlewis/received_events", - "repos_url": "https://api.github.com/users/ianlewis/repos", + "html_url": "https://github.com/laurentsimon", + "id": 64505099, + "login": "laurentsimon", + "node_id": "MDQ6VXNlcjY0NTA1MDk5", + "organizations_url": "https://api.github.com/users/laurentsimon/orgs", + "received_events_url": "https://api.github.com/users/laurentsimon/received_events", + "repos_url": "https://api.github.com/users/laurentsimon/repos", "site_admin": false, - 
"starred_url": "https://api.github.com/users/ianlewis/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/ianlewis/subscriptions", + "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", "type": "User", - "url": "https://api.github.com/users/ianlewis" + "url": "https://api.github.com/users/laurentsimon" } }, "github_head_ref": "", - "github_ref": "refs/tags/v2.3.0", + "github_ref": "refs/tags/v2.4.0", "github_ref_type": "tag", "github_repository_id": "474162642", "github_repository_owner": "slsa-framework", "github_repository_owner_id": "80431187", "github_run_attempt": "1", - "github_run_id": "4952932038", - "github_run_number": "324", - "github_sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "github_run_id": "5978382772", + "github_run_number": "434", + "github_sha1": "73d1bcba982de0f644baec83df839399d13f472e", "os": "ubuntu22" } }, @@ -519,7 +519,7 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "mod", "vendor" ], @@ -528,12 +528,12 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "build", "-mod=vendor", "-trimpath", "-tags=netgo", - "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.3.0", + "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.0", "-o", "slsa-verifier-darwin-arm64" ], @@ -548,7 +548,7 @@ "version": 1 }, "metadata": { - "buildInvocationID": "4952932038-1", + "buildInvocationID": "5978382772-1", "completeness": { "parameters": true, "environment": false, 
@@ -558,13 +558,13 @@ }, "materials": [ { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" } }, { - "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230507.1" + "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230821.1.0" } ] } 
@@ -576,44 +576,44 @@ { "name": "slsa-verifier-linux-amd64", "digest": { - "sha256": "ea687149d658efecda64d69da999efb84bb695a3212f29548d4897994027172d" + "sha256": "9883e4c7fd0fead95815de1533db62d1ae19daf9d333b359e192fc65ffb401b2" } } ], "predicate": { "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.5.0" + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" }, "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", "invocation": { "configSource": { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" }, "entryPoint": ".github/workflows/release.yml" }, "parameters": {}, "environment": { "arch": "X64", - "github_actor": "ianlewis", - "github_actor_id": "49289", + "github_actor": "laurentsimon", + "github_actor_id": "64505099", "github_base_ref": "", "github_event_name": "push", "github_event_payload": { - "after": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "after": "73d1bcba982de0f644baec83df839399d13f472e", "base_ref": "refs/heads/main", "before": "0000000000000000000000000000000000000000", "commits": [], - "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.3.0", + "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.0", "created": true, "deleted": false, "forced": false, "head_commit": { "author": { - "email": "bot@renovateapp.com", - "name": "Mend Renovate", - "username": "renovate-bot" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon", + "username": "laurentsimon" }, "committer": { "email": "noreply@github.com", 
@@ -621,11 +621,11 @@ "username": "web-flow" }, "distinct": true, - "id": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", - "message": "chore(deps): update npm dev (#586)\n\nSigned-off-by: Renovate Bot \r\nCo-authored-by: Ian Lewis ", - "timestamp": "2023-05-10T00:48:36Z", - "tree_id": "b35aa02e95c56e048c8b75b62392a9f4ec2bd371", - "url": "https://github.com/slsa-framework/slsa-verifier/commit/c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "id": "73d1bcba982de0f644baec83df839399d13f472e", + "message": "fix: release failure (#697)\n\nSigned-off-by: laurentsimon ", + "timestamp": "2023-08-24T15:58:45-07:00", + "tree_id": "d2cb05a78e786bae14eb5882770089b68068c12e", + "url": "https://github.com/slsa-framework/slsa-verifier/commit/73d1bcba982de0f644baec83df839399d13f472e" }, "organization": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -642,10 +642,10 @@ "url": "https://api.github.com/orgs/slsa-framework" }, "pusher": { - "email": "ianlewis@google.com", - "name": "ianlewis" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon" }, - "ref": "refs/tags/v2.3.0", + "ref": "refs/tags/v2.4.0", "repository": { "allow_forking": true, "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", @@ -668,8 +668,8 @@ "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", "fork": false, - "forks": 32, - "forks_count": 32, + "forks": 34, + "forks_count": 34, "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", "full_name": "slsa-framework/slsa-verifier", "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", 
@@ -708,8 +708,8 @@ "name": "slsa-verifier", "node_id": "R_kgDOHEMl0g", "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", - "open_issues": 98, - "open_issues_count": 98, + "open_issues": 119, + "open_issues_count": 119, "organization": "slsa-framework", "owner": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -735,12 +735,12 @@ }, "private": false, "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", - "pushed_at": 1683842480, + "pushed_at": 1692982103, "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", - "size": 81033, + "size": 89668, "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", - "stargazers": 104, - "stargazers_count": 104, + "stargazers": 132, + "stargazers_count": 132, "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", 
@@ -750,44 +750,44 @@ "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", "topics": [], "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", - "updated_at": "2023-05-11T04:14:07Z", + "updated_at": "2023-08-22T02:50:28Z", "url": "https://github.com/slsa-framework/slsa-verifier", "visibility": "public", - "watchers": 104, - "watchers_count": 104, + "watchers": 132, + "watchers_count": 132, "web_commit_signoff_required": true }, "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/49289?v=4", - "events_url": "https://api.github.com/users/ianlewis/events{/privacy}", - "followers_url": "https://api.github.com/users/ianlewis/followers", - "following_url": "https://api.github.com/users/ianlewis/following{/other_user}", - "gists_url": "https://api.github.com/users/ianlewis/gists{/gist_id}", + "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", + "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", + "followers_url": "https://api.github.com/users/laurentsimon/followers", + "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", + "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", "gravatar_id": "", - "html_url": "https://github.com/ianlewis", - "id": 49289, - "login": "ianlewis", - "node_id": "MDQ6VXNlcjQ5Mjg5", - "organizations_url": "https://api.github.com/users/ianlewis/orgs", - "received_events_url": "https://api.github.com/users/ianlewis/received_events", - "repos_url": "https://api.github.com/users/ianlewis/repos", + "html_url": "https://github.com/laurentsimon", + "id": 64505099, + "login": "laurentsimon", + "node_id": "MDQ6VXNlcjY0NTA1MDk5", + "organizations_url": "https://api.github.com/users/laurentsimon/orgs", + "received_events_url": "https://api.github.com/users/laurentsimon/received_events", + "repos_url": "https://api.github.com/users/laurentsimon/repos", "site_admin": false, - 
"starred_url": "https://api.github.com/users/ianlewis/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/ianlewis/subscriptions", + "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", "type": "User", - "url": "https://api.github.com/users/ianlewis" + "url": "https://api.github.com/users/laurentsimon" } }, "github_head_ref": "", - "github_ref": "refs/tags/v2.3.0", + "github_ref": "refs/tags/v2.4.0", "github_ref_type": "tag", "github_repository_id": "474162642", "github_repository_owner": "slsa-framework", "github_repository_owner_id": "80431187", "github_run_attempt": "1", - "github_run_id": "4952932038", - "github_run_number": "324", - "github_sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "github_run_id": "5978382772", + "github_run_number": "434", + "github_sha1": "73d1bcba982de0f644baec83df839399d13f472e", "os": "ubuntu22" } }, @@ -796,7 +796,7 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "mod", "vendor" ], @@ -805,12 +805,12 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "build", "-mod=vendor", "-trimpath", "-tags=netgo", - "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.3.0", + "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.0", "-o", "slsa-verifier-linux-amd64" ], @@ -825,7 +825,7 @@ "version": 1 }, "metadata": { - "buildInvocationID": "4952932038-1", + "buildInvocationID": "5978382772-1", "completeness": { "parameters": true, "environment": false, 
@@ -835,13 +835,13 @@ }, "materials": [ { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" } }, { - "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230507.1" + "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230821.1.0" } ] } 
@@ -853,44 +853,44 @@ { "name": "slsa-verifier-linux-arm64", "digest": { - "sha256": "59cadeaee0705dfe453e487188528a9d18864f95f5b1a34492ff69264692d327" + "sha256": "bb025462acd9e93da32694e3ed82bfa57cb487a28c989a083caf2a3569d3cfbe" } } ], "predicate": { "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.5.0" + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" }, "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", "invocation": { "configSource": { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" }, "entryPoint": ".github/workflows/release.yml" }, "parameters": {}, "environment": { "arch": "X64", - "github_actor": "ianlewis", - "github_actor_id": "49289", + "github_actor": "laurentsimon", + "github_actor_id": "64505099", "github_base_ref": "", "github_event_name": "push", "github_event_payload": { - "after": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "after": "73d1bcba982de0f644baec83df839399d13f472e", "base_ref": "refs/heads/main", "before": "0000000000000000000000000000000000000000", "commits": [], - "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.3.0", + "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.0", "created": true, "deleted": false, "forced": false, "head_commit": { "author": { - "email": "bot@renovateapp.com", - "name": "Mend Renovate", - "username": "renovate-bot" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon", + "username": "laurentsimon" }, "committer": { "email": "noreply@github.com", 
@@ -898,11 +898,11 @@ "username": "web-flow" }, "distinct": true, - "id": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", - "message": "chore(deps): update npm dev (#586)\n\nSigned-off-by: Renovate Bot \r\nCo-authored-by: Ian Lewis ", - "timestamp": "2023-05-10T00:48:36Z", - "tree_id": "b35aa02e95c56e048c8b75b62392a9f4ec2bd371", - "url": "https://github.com/slsa-framework/slsa-verifier/commit/c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "id": "73d1bcba982de0f644baec83df839399d13f472e", + "message": "fix: release failure (#697)\n\nSigned-off-by: laurentsimon ", + "timestamp": "2023-08-24T15:58:45-07:00", + "tree_id": "d2cb05a78e786bae14eb5882770089b68068c12e", + "url": "https://github.com/slsa-framework/slsa-verifier/commit/73d1bcba982de0f644baec83df839399d13f472e" }, "organization": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -919,10 +919,10 @@ "url": "https://api.github.com/orgs/slsa-framework" }, "pusher": { - "email": "ianlewis@google.com", - "name": "ianlewis" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon" }, - "ref": "refs/tags/v2.3.0", + "ref": "refs/tags/v2.4.0", "repository": { "allow_forking": true, "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", @@ -945,8 +945,8 @@ "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", "fork": false, - "forks": 32, - "forks_count": 32, + "forks": 34, + "forks_count": 34, "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", "full_name": "slsa-framework/slsa-verifier", "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", 
@@ -985,8 +985,8 @@ "name": "slsa-verifier", "node_id": "R_kgDOHEMl0g", "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", - "open_issues": 98, - "open_issues_count": 98, + "open_issues": 119, + "open_issues_count": 119, "organization": "slsa-framework", "owner": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -1012,12 +1012,12 @@ }, "private": false, "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", - "pushed_at": 1683842480, + "pushed_at": 1692982103, "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", - "size": 81033, + "size": 89668, "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", - "stargazers": 104, - "stargazers_count": 104, + "stargazers": 132, + "stargazers_count": 132, "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", 
@@ -1027,44 +1027,44 @@ "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", "topics": [], "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", - "updated_at": "2023-05-11T04:14:07Z", + "updated_at": "2023-08-22T02:50:28Z", "url": "https://github.com/slsa-framework/slsa-verifier", "visibility": "public", - "watchers": 104, - "watchers_count": 104, + "watchers": 132, + "watchers_count": 132, "web_commit_signoff_required": true }, "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/49289?v=4", - "events_url": "https://api.github.com/users/ianlewis/events{/privacy}", - "followers_url": "https://api.github.com/users/ianlewis/followers", - "following_url": "https://api.github.com/users/ianlewis/following{/other_user}", - "gists_url": "https://api.github.com/users/ianlewis/gists{/gist_id}", + "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", + "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", + "followers_url": "https://api.github.com/users/laurentsimon/followers", + "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", + "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", "gravatar_id": "", - "html_url": "https://github.com/ianlewis", - "id": 49289, - "login": "ianlewis", - "node_id": "MDQ6VXNlcjQ5Mjg5", - "organizations_url": "https://api.github.com/users/ianlewis/orgs", - "received_events_url": "https://api.github.com/users/ianlewis/received_events", - "repos_url": "https://api.github.com/users/ianlewis/repos", + "html_url": "https://github.com/laurentsimon", + "id": 64505099, + "login": "laurentsimon", + "node_id": "MDQ6VXNlcjY0NTA1MDk5", + "organizations_url": "https://api.github.com/users/laurentsimon/orgs", + "received_events_url": "https://api.github.com/users/laurentsimon/received_events", + "repos_url": "https://api.github.com/users/laurentsimon/repos", "site_admin": false, - 
"starred_url": "https://api.github.com/users/ianlewis/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/ianlewis/subscriptions", + "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", "type": "User", - "url": "https://api.github.com/users/ianlewis" + "url": "https://api.github.com/users/laurentsimon" } }, "github_head_ref": "", - "github_ref": "refs/tags/v2.3.0", + "github_ref": "refs/tags/v2.4.0", "github_ref_type": "tag", "github_repository_id": "474162642", "github_repository_owner": "slsa-framework", "github_repository_owner_id": "80431187", "github_run_attempt": "1", - "github_run_id": "4952932038", - "github_run_number": "324", - "github_sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "github_run_id": "5978382772", + "github_run_number": "434", + "github_sha1": "73d1bcba982de0f644baec83df839399d13f472e", "os": "ubuntu22" } }, @@ -1073,7 +1073,7 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "mod", "vendor" ], @@ -1082,12 +1082,12 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "build", "-mod=vendor", "-trimpath", "-tags=netgo", - "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.3.0", + "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.0", "-o", "slsa-verifier-linux-arm64" ], @@ -1102,7 +1102,7 @@ "version": 1 }, "metadata": { - "buildInvocationID": "4952932038-1", + "buildInvocationID": "5978382772-1", "completeness": { "parameters": true, "environment": false, 
@@ -1112,13 +1112,13 @@ }, "materials": [ { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" } }, { - "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230507.1" + "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230821.1.0" } ] } 
@@ -1130,44 +1130,44 @@ { "name": "slsa-verifier-windows-amd64.exe", "digest": { - "sha256": "2a9e77e97045ba6a3d033011a9fa0ced7dbf60354738420591ec31beaee43830" + "sha256": "a8ea35a4abf450f3828d42cf0b9be3628692508184bec8610a472a7bf4afc843" } } ], "predicate": { "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.5.0" + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" }, "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", "invocation": { "configSource": { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" }, "entryPoint": ".github/workflows/release.yml" }, "parameters": {}, "environment": { "arch": "X64", - "github_actor": "ianlewis", - "github_actor_id": "49289", + "github_actor": "laurentsimon", + "github_actor_id": "64505099", "github_base_ref": "", "github_event_name": "push", "github_event_payload": { - "after": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "after": "73d1bcba982de0f644baec83df839399d13f472e", "base_ref": "refs/heads/main", "before": "0000000000000000000000000000000000000000", "commits": [], - "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.3.0", + "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.0", "created": true, "deleted": false, "forced": false, "head_commit": { "author": { - "email": "bot@renovateapp.com", - "name": "Mend Renovate", - "username": "renovate-bot" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon", + "username": "laurentsimon" }, "committer": { "email": "noreply@github.com", 
@@ -1175,11 +1175,11 @@ "username": "web-flow" }, "distinct": true, - "id": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", - "message": "chore(deps): update npm dev (#586)\n\nSigned-off-by: Renovate Bot \r\nCo-authored-by: Ian Lewis ", - "timestamp": "2023-05-10T00:48:36Z", - "tree_id": "b35aa02e95c56e048c8b75b62392a9f4ec2bd371", - "url": "https://github.com/slsa-framework/slsa-verifier/commit/c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "id": "73d1bcba982de0f644baec83df839399d13f472e", + "message": "fix: release failure (#697)\n\nSigned-off-by: laurentsimon ", + "timestamp": "2023-08-24T15:58:45-07:00", + "tree_id": "d2cb05a78e786bae14eb5882770089b68068c12e", + "url": "https://github.com/slsa-framework/slsa-verifier/commit/73d1bcba982de0f644baec83df839399d13f472e" }, "organization": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -1196,10 +1196,10 @@ "url": "https://api.github.com/orgs/slsa-framework" }, "pusher": { - "email": "ianlewis@google.com", - "name": "ianlewis" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon" }, - "ref": "refs/tags/v2.3.0", + "ref": "refs/tags/v2.4.0", "repository": { "allow_forking": true, "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", @@ -1222,8 +1222,8 @@ "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", "fork": false, - "forks": 32, - "forks_count": 32, + "forks": 34, + "forks_count": 34, "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", "full_name": "slsa-framework/slsa-verifier", "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", 
@@ -1262,8 +1262,8 @@ "name": "slsa-verifier", "node_id": "R_kgDOHEMl0g", "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", - "open_issues": 98, - "open_issues_count": 98, + "open_issues": 119, + "open_issues_count": 119, "organization": "slsa-framework", "owner": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -1289,12 +1289,12 @@ }, "private": false, "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", - "pushed_at": 1683842480, + "pushed_at": 1692982103, "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", - "size": 81033, + "size": 89668, "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", - "stargazers": 104, - "stargazers_count": 104, + "stargazers": 132, + "stargazers_count": 132, "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", 
@@ -1304,44 +1304,44 @@ "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", "topics": [], "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", - "updated_at": "2023-05-11T04:14:07Z", + "updated_at": "2023-08-22T02:50:28Z", "url": "https://github.com/slsa-framework/slsa-verifier", "visibility": "public", - "watchers": 104, - "watchers_count": 104, + "watchers": 132, + "watchers_count": 132, "web_commit_signoff_required": true }, "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/49289?v=4", - "events_url": "https://api.github.com/users/ianlewis/events{/privacy}", - "followers_url": "https://api.github.com/users/ianlewis/followers", - "following_url": "https://api.github.com/users/ianlewis/following{/other_user}", - "gists_url": "https://api.github.com/users/ianlewis/gists{/gist_id}", + "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", + "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", + "followers_url": "https://api.github.com/users/laurentsimon/followers", + "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", + "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", "gravatar_id": "", - "html_url": "https://github.com/ianlewis", - "id": 49289, - "login": "ianlewis", - "node_id": "MDQ6VXNlcjQ5Mjg5", - "organizations_url": "https://api.github.com/users/ianlewis/orgs", - "received_events_url": "https://api.github.com/users/ianlewis/received_events", - "repos_url": "https://api.github.com/users/ianlewis/repos", + "html_url": "https://github.com/laurentsimon", + "id": 64505099, + "login": "laurentsimon", + "node_id": "MDQ6VXNlcjY0NTA1MDk5", + "organizations_url": "https://api.github.com/users/laurentsimon/orgs", + "received_events_url": "https://api.github.com/users/laurentsimon/received_events", + "repos_url": "https://api.github.com/users/laurentsimon/repos", "site_admin": false, - 
"starred_url": "https://api.github.com/users/ianlewis/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/ianlewis/subscriptions", + "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", "type": "User", - "url": "https://api.github.com/users/ianlewis" + "url": "https://api.github.com/users/laurentsimon" } }, "github_head_ref": "", - "github_ref": "refs/tags/v2.3.0", + "github_ref": "refs/tags/v2.4.0", "github_ref_type": "tag", "github_repository_id": "474162642", "github_repository_owner": "slsa-framework", "github_repository_owner_id": "80431187", "github_run_attempt": "1", - "github_run_id": "4952932038", - "github_run_number": "324", - "github_sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "github_run_id": "5978382772", + "github_run_number": "434", + "github_sha1": "73d1bcba982de0f644baec83df839399d13f472e", "os": "ubuntu22" } }, @@ -1350,7 +1350,7 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "mod", "vendor" ], @@ -1359,12 +1359,12 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "build", "-mod=vendor", "-trimpath", "-tags=netgo", - "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.3.0", + "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.0", "-o", "slsa-verifier-windows-amd64.exe" ], @@ -1379,7 +1379,7 @@ "version": 1 }, "metadata": { - "buildInvocationID": "4952932038-1", + "buildInvocationID": "5978382772-1", "completeness": { "parameters": true, "environment": false, 
@@ -1389,13 +1389,13 @@ }, "materials": [ { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" } }, { - "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230507.1" + "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230821.1.0" } ] } 
@@ -1407,44 +1407,44 @@ { "name": "slsa-verifier-windows-arm64.exe", "digest": { - "sha256": "2e3713d93662060dbe5116c3e8cdfa4d93b8f33e97ef256fd82b9f0d160eb7ce" + "sha256": "b14cd8228fecabe53e3676ec2d94b53d7aee11f6f5a8dabbe07e840143d48e8d" } } ], "predicate": { "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.5.0" + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" }, "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", "invocation": { "configSource": { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" }, "entryPoint": ".github/workflows/release.yml" }, "parameters": {}, "environment": { "arch": "X64", - "github_actor": "ianlewis", - "github_actor_id": "49289", + "github_actor": "laurentsimon", + "github_actor_id": "64505099", "github_base_ref": "", "github_event_name": "push", "github_event_payload": { - "after": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "after": "73d1bcba982de0f644baec83df839399d13f472e", "base_ref": "refs/heads/main", "before": "0000000000000000000000000000000000000000", "commits": [], - "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.3.0", + "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.0", "created": true, "deleted": false, "forced": false, "head_commit": { "author": { - "email": "bot@renovateapp.com", - "name": "Mend Renovate", - "username": "renovate-bot" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon", + "username": "laurentsimon" }, "committer": { "email": "noreply@github.com", 
@@ -1452,11 +1452,11 @@ "username": "web-flow" }, "distinct": true, - "id": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", - "message": "chore(deps): update npm dev (#586)\n\nSigned-off-by: Renovate Bot \r\nCo-authored-by: Ian Lewis ", - "timestamp": "2023-05-10T00:48:36Z", - "tree_id": "b35aa02e95c56e048c8b75b62392a9f4ec2bd371", - "url": "https://github.com/slsa-framework/slsa-verifier/commit/c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "id": "73d1bcba982de0f644baec83df839399d13f472e", + "message": "fix: release failure (#697)\n\nSigned-off-by: laurentsimon ", + "timestamp": "2023-08-24T15:58:45-07:00", + "tree_id": "d2cb05a78e786bae14eb5882770089b68068c12e", + "url": "https://github.com/slsa-framework/slsa-verifier/commit/73d1bcba982de0f644baec83df839399d13f472e" }, "organization": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -1473,10 +1473,10 @@ "url": "https://api.github.com/orgs/slsa-framework" }, "pusher": { - "email": "ianlewis@google.com", - "name": "ianlewis" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon" }, - "ref": "refs/tags/v2.3.0", + "ref": "refs/tags/v2.4.0", "repository": { "allow_forking": true, "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", @@ -1499,8 +1499,8 @@ "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", "fork": false, - "forks": 32, - "forks_count": 32, + "forks": 34, + "forks_count": 34, "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", "full_name": "slsa-framework/slsa-verifier", "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", 
@@ -1539,8 +1539,8 @@ "name": "slsa-verifier", "node_id": "R_kgDOHEMl0g", "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", - "open_issues": 98, - "open_issues_count": 98, + "open_issues": 119, + "open_issues_count": 119, "organization": "slsa-framework", "owner": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -1566,12 +1566,12 @@ }, "private": false, "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", - "pushed_at": 1683842480, + "pushed_at": 1692982103, "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", - "size": 81033, + "size": 89668, "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", - "stargazers": 104, - "stargazers_count": 104, + "stargazers": 132, + "stargazers_count": 132, "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", 
@@ -1581,44 +1581,44 @@ "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", "topics": [], "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", - "updated_at": "2023-05-11T04:14:07Z", + "updated_at": "2023-08-22T02:50:28Z", "url": "https://github.com/slsa-framework/slsa-verifier", "visibility": "public", - "watchers": 104, - "watchers_count": 104, + "watchers": 132, + "watchers_count": 132, "web_commit_signoff_required": true }, "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/49289?v=4", - "events_url": "https://api.github.com/users/ianlewis/events{/privacy}", - "followers_url": "https://api.github.com/users/ianlewis/followers", - "following_url": "https://api.github.com/users/ianlewis/following{/other_user}", - "gists_url": "https://api.github.com/users/ianlewis/gists{/gist_id}", + "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", + "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", + "followers_url": "https://api.github.com/users/laurentsimon/followers", + "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", + "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", "gravatar_id": "", - "html_url": "https://github.com/ianlewis", - "id": 49289, - "login": "ianlewis", - "node_id": "MDQ6VXNlcjQ5Mjg5", - "organizations_url": "https://api.github.com/users/ianlewis/orgs", - "received_events_url": "https://api.github.com/users/ianlewis/received_events", - "repos_url": "https://api.github.com/users/ianlewis/repos", + "html_url": "https://github.com/laurentsimon", + "id": 64505099, + "login": "laurentsimon", + "node_id": "MDQ6VXNlcjY0NTA1MDk5", + "organizations_url": "https://api.github.com/users/laurentsimon/orgs", + "received_events_url": "https://api.github.com/users/laurentsimon/received_events", + "repos_url": "https://api.github.com/users/laurentsimon/repos", "site_admin": false, - 
"starred_url": "https://api.github.com/users/ianlewis/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/ianlewis/subscriptions", + "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", "type": "User", - "url": "https://api.github.com/users/ianlewis" + "url": "https://api.github.com/users/laurentsimon" } }, "github_head_ref": "", - "github_ref": "refs/tags/v2.3.0", + "github_ref": "refs/tags/v2.4.0", "github_ref_type": "tag", "github_repository_id": "474162642", "github_repository_owner": "slsa-framework", "github_repository_owner_id": "80431187", "github_run_attempt": "1", - "github_run_id": "4952932038", - "github_run_number": "324", - "github_sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "github_run_id": "5978382772", + "github_run_number": "434", + "github_sha1": "73d1bcba982de0f644baec83df839399d13f472e", "os": "ubuntu22" } }, @@ -1627,7 +1627,7 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "mod", "vendor" ], @@ -1636,12 +1636,12 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "build", "-mod=vendor", "-trimpath", "-tags=netgo", - "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.3.0", + "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.0", "-o", "slsa-verifier-windows-arm64.exe" ], @@ -1656,7 +1656,7 @@ "version": 1 }, "metadata": { - "buildInvocationID": "4952932038-1", + "buildInvocationID": "5978382772-1", "completeness": { "parameters": true, "environment": false, 
@@ -1666,13 +1666,13 @@ }, "materials": [ { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" } }, { - "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230507.1" + "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230821.1.0" } ] } @@ -1683,7 +1683,7 @@ "checks": { "summary": { "DISABLED": 0, - "FAILED": 1, + "FAILED": 2, "PASSED": 8, "SKIPPED": 0, "UNKNOWN": 0 @@ -1768,20 +1768,6 @@ ], "result_type": "PASSED" }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "check_description": "Check whether the target has a level-1 witness provenance.", - "slsa_requirements": [ - "Provenance - Available - SLSA Level 1", - "Provenance content - Identifies build instructions - SLSA Level 1", - "Provenance content - Identifies artifacts - SLSA Level 1", - "Provenance content - Identifies builder - SLSA Level 1" - ], - "justification": [ - "Failed to discover any witness provenance." - ], - "result_type": "FAILED" - }, { "check_id": "mcn_trusted_builder_level_three_1", "check_description": "Check whether the target uses a trusted SLSA level 3 builder.", 
@@ -1811,6 +1797,31 @@ } ], "result_type": "PASSED" + }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "check_description": "Check whether the target has a level-1 witness provenance.", + "slsa_requirements": [ + "Provenance - Available - SLSA Level 1", + "Provenance content - Identifies build instructions - SLSA Level 1", + "Provenance content - Identifies artifacts - SLSA Level 1", + "Provenance content - Identifies builder - SLSA Level 1" + ], + "justification": [ + "Failed to discover any witness provenance." + ], + "result_type": "FAILED" } ] } @@ -1823,10 +1834,18 @@ "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 @@ -1850,10 +1869,6 @@ { "check_id": "mcn_build_service_1", "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "num_deps_pass": 0 } ], "dep_status": [] diff --git a/tests/e2e/expected_results/tinyMediaManager/tinyMediaManager.json b/tests/e2e/expected_results/tinyMediaManager/tinyMediaManager.json index 26c5745eb..bbe1ada0c 100644 --- a/tests/e2e/expected_results/tinyMediaManager/tinyMediaManager.json +++ b/tests/e2e/expected_results/tinyMediaManager/tinyMediaManager.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-07-08 12:28:33" + "timestamps": "2023-09-12 17:07:11" }, "target": { "info": { 
@@ -35,7 +35,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "", + "stepID": "" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -55,13 +58,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 7, + "FAILED": 8, "PASSED": 2, "SKIPPED": 0, "UNKNOWN": 0 @@ -74,7 +78,8 @@ "Scripted Build - SLSA Level 1" ], "justification": [ - "The target repository uses build tool maven." + "The target repository uses build tool maven.", + "The target repository uses build tool docker." ], "result_type": "PASSED" }, @@ -98,7 +103,8 @@ "Build as code - SLSA Level 3" ], "justification": [ - "The target repository does not use maven to deploy." + "The target repository does not use maven to deploy.", + "The target repository does not use docker to deploy." ], "result_type": "FAILED" }, @@ -110,10 +116,22 @@ ], "justification": [ "The target repository does not have a build service for maven.", + "The target repository does not have a build service for docker.", "The target repository does not have a build service for at least one build tool." ], "result_type": "FAILED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Check mcn_infer_artifact_pipeline_1 is set to FAILED because mcn_build_as_code_1 FAILED." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", 
@@ -189,19 +207,19 @@ "unique_dep_repos": 0, "checks_summary": [ { - "check_id": "mcn_trusted_builder_level_three_1", + "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_level_three_1", + "check_id": "mcn_provenance_witness_level_one_1", "num_deps_pass": 0 }, { - "check_id": "mcn_version_control_system_1", + "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, { - "check_id": "mcn_build_service_1", + "check_id": "mcn_infer_artifact_pipeline_1", "num_deps_pass": 0 }, { @@ -209,19 +227,23 @@ "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_available_1", + "check_id": "mcn_version_control_system_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_witness_level_one_1", + "check_id": "mcn_trusted_builder_level_three_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_expectation_1", + "check_id": "mcn_build_script_1", "num_deps_pass": 0 }, { - "check_id": "mcn_build_script_1", + "check_id": "mcn_provenance_level_three_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_build_service_1", "num_deps_pass": 0 } ], diff --git a/tests/e2e/expected_results/urllib3/urllib3.json b/tests/e2e/expected_results/urllib3/urllib3.json index 9fab9f184..1a24d23ef 100644 --- a/tests/e2e/expected_results/urllib3/urllib3.json +++ b/tests/e2e/expected_results/urllib3/urllib3.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-07-08 03:12:00" + "timestamps": "2023-09-12 20:10:10" }, "target": { "info": { 
@@ -20,51 +20,51 @@ "predicateType": "https://slsa.dev/provenance/v0.2", "subject": [ { - "name": "urllib3-2.0.3-py3-none-any.whl", + "name": "urllib3-2.0.4-py3-none-any.whl", "digest": { - "sha256": "48e7fafa40319d358848e1bc6809b208340fafe2096f1725d05d67443d0483d1" + "sha256": "de7df1803967d2c2a98e4b11bb7d6bd9210474c46e8a0401514e3a42a75ebde4" } }, { - "name": "urllib3-2.0.3.tar.gz", + "name": "urllib3-2.0.4.tar.gz", "digest": { - "sha256": "bee28b5e56addb8226c96f7f13ac28cb4c301dd5ea8a6ca179c0b9835e032825" + "sha256": "8d22f86aae8ef5e410d4f539fde9ce6b2113a001bb4d189e0aed70642d602b11" } } ], "predicate": { "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.6.0" + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0" }, "buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1", "invocation": { "configSource": { - "uri": "git+https://github.com/urllib3/urllib3@refs/tags/2.0.3", + "uri": "git+https://github.com/urllib3/urllib3@refs/tags/2.0.4", "digest": { - "sha1": "92196a0f08b2c2139117546ccfbdd3429eb72469" + "sha1": "c9fa144545eedb5dc4a2cc3f255e95602a1d7db0" }, "entryPoint": ".github/workflows/publish.yml" }, "parameters": {}, "environment": { - "github_actor": "pquentin", - "github_actor_id": "42327", + "github_actor": "illia-v", + "github_actor_id": "17710133", "github_base_ref": "", "github_event_name": "push", "github_event_payload": { - "after": "cb04c8e4603e062373fb62958809e4d0c32cef09", + "after": "d267c99f7e890ff22e136c34d29be802d9c2e773", "base_ref": null, "before": "0000000000000000000000000000000000000000", "commits": [], - "compare": "https://github.com/urllib3/urllib3/compare/2.0.3", + "compare": "https://github.com/urllib3/urllib3/compare/2.0.4", "created": true, "deleted": false, "forced": false, "head_commit": { "author": { - "email": "sethmichaellarson@gmail.com", - 
"name": "Seth Michael Larson", - "username": "sethmlarson" + "email": "64815328+Eutropios@users.noreply.github.com", + "name": "Noah Jenner", + "username": "Eutropios" }, "committer": { "email": "noreply@github.com", @@ -72,11 +72,11 @@ "username": "web-flow" }, "distinct": true, - "id": "92196a0f08b2c2139117546ccfbdd3429eb72469", - "message": "Release 2.0.3", - "timestamp": "2023-06-07T12:13:12+02:00", - "tree_id": "cffe7d9ddbff2e682cded4c146687767b561c5a9", - "url": "https://github.com/urllib3/urllib3/commit/92196a0f08b2c2139117546ccfbdd3429eb72469" + "id": "c9fa144545eedb5dc4a2cc3f255e95602a1d7db0", + "message": "Release version 2.0.4 (#3084)\n\nCo-authored-by: Illia Volochii ", + "timestamp": "2023-07-19T17:46:02+03:00", + "tree_id": "e61f50347e7bb803a0c8942ba63fe917c8424f77", + "url": "https://github.com/urllib3/urllib3/commit/c9fa144545eedb5dc4a2cc3f255e95602a1d7db0" }, "organization": { "avatar_url": "https://avatars.githubusercontent.com/u/26825299?v=4", @@ -93,10 +93,10 @@ "url": "https://api.github.com/orgs/urllib3" }, "pusher": { - "email": "quentin.pradet@gmail.com", - "name": "pquentin" + "email": "illia.volochii@gmail.com", + "name": "illia-v" }, - "ref": "refs/tags/2.0.3", + "ref": "refs/tags/2.0.4", "repository": { "allow_forking": true, "archive_url": "https://api.github.com/repos/urllib3/urllib3/{archive_format}{/ref}", @@ -119,8 +119,8 @@ "downloads_url": "https://api.github.com/repos/urllib3/urllib3/downloads", "events_url": "https://api.github.com/repos/urllib3/urllib3/events", "fork": false, - "forks": 1071, - "forks_count": 1071, + "forks": 1078, + "forks_count": 1078, "forks_url": "https://api.github.com/repos/urllib3/urllib3/forks", "full_name": "urllib3/urllib3", "git_commits_url": "https://api.github.com/repos/urllib3/urllib3/git/commits{/sha}", 
@@ -159,8 +159,8 @@ "name": "urllib3", "node_id": "MDEwOlJlcG9zaXRvcnkyNDEwNjc2", "notifications_url": "https://api.github.com/repos/urllib3/urllib3/notifications{?since,all,participating}", - "open_issues": 124, - "open_issues_count": 124, + "open_issues": 125, + "open_issues_count": 125, "organization": "urllib3", "owner": { "avatar_url": "https://avatars.githubusercontent.com/u/26825299?v=4", @@ -186,12 +186,12 @@ }, "private": false, "pulls_url": "https://api.github.com/repos/urllib3/urllib3/pulls{/number}", - "pushed_at": 1686132884, + "pushed_at": 1689779927, "releases_url": "https://api.github.com/repos/urllib3/urllib3/releases{/id}", - "size": 7215, + "size": 7242, "ssh_url": "git@github.com:urllib3/urllib3.git", - "stargazers": 3419, - "stargazers_count": 3419, + "stargazers": 3452, + "stargazers_count": 3452, "stargazers_url": "https://api.github.com/repos/urllib3/urllib3/stargazers", "statuses_url": "https://api.github.com/repos/urllib3/urllib3/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/urllib3/urllib3/subscribers", 
@@ -206,48 +206,48 @@ "urllib3" ], "trees_url": "https://api.github.com/repos/urllib3/urllib3/git/trees{/sha}", - "updated_at": "2023-06-07T06:42:49Z", + "updated_at": "2023-07-19T02:19:14Z", "url": "https://github.com/urllib3/urllib3", "visibility": "public", - "watchers": 3419, - "watchers_count": 3419, + "watchers": 3452, + "watchers_count": 3452, "web_commit_signoff_required": false }, "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/42327?v=4", - "events_url": "https://api.github.com/users/pquentin/events{/privacy}", - "followers_url": "https://api.github.com/users/pquentin/followers", - "following_url": "https://api.github.com/users/pquentin/following{/other_user}", - "gists_url": "https://api.github.com/users/pquentin/gists{/gist_id}", + "avatar_url": "https://avatars.githubusercontent.com/u/17710133?v=4", + "events_url": "https://api.github.com/users/illia-v/events{/privacy}", + "followers_url": "https://api.github.com/users/illia-v/followers", + "following_url": "https://api.github.com/users/illia-v/following{/other_user}", + "gists_url": "https://api.github.com/users/illia-v/gists{/gist_id}", "gravatar_id": "", - "html_url": "https://github.com/pquentin", - "id": 42327, - "login": "pquentin", - "node_id": "MDQ6VXNlcjQyMzI3", - "organizations_url": "https://api.github.com/users/pquentin/orgs", - "received_events_url": "https://api.github.com/users/pquentin/received_events", - "repos_url": "https://api.github.com/users/pquentin/repos", + "html_url": "https://github.com/illia-v", + "id": 17710133, + "login": "illia-v", + "node_id": "MDQ6VXNlcjE3NzEwMTMz", + "organizations_url": "https://api.github.com/users/illia-v/orgs", + "received_events_url": "https://api.github.com/users/illia-v/received_events", + "repos_url": "https://api.github.com/users/illia-v/repos", "site_admin": false, - "starred_url": "https://api.github.com/users/pquentin/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/pquentin/subscriptions", 
+ "starred_url": "https://api.github.com/users/illia-v/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/illia-v/subscriptions", "type": "User", - "url": "https://api.github.com/users/pquentin" + "url": "https://api.github.com/users/illia-v" } }, "github_head_ref": "", - "github_ref": "refs/tags/2.0.3", + "github_ref": "refs/tags/2.0.4", "github_ref_type": "tag", "github_repository_id": "2410676", "github_repository_owner": "urllib3", "github_repository_owner_id": "26825299", "github_run_attempt": "1", - "github_run_id": "5198755918", - "github_run_number": "19", - "github_sha1": "92196a0f08b2c2139117546ccfbdd3429eb72469" + "github_run_id": "5600993171", + "github_run_number": "21", + "github_sha1": "c9fa144545eedb5dc4a2cc3f255e95602a1d7db0" } }, "metadata": { - "buildInvocationID": "5198755918-1", + "buildInvocationID": "5600993171-1", "completeness": { "parameters": true, "environment": false, @@ -257,9 +257,9 @@ }, "materials": [ { - "uri": "git+https://github.com/urllib3/urllib3@refs/tags/2.0.3", + "uri": "git+https://github.com/urllib3/urllib3@refs/tags/2.0.4", "digest": { - "sha1": "92196a0f08b2c2139117546ccfbdd3429eb72469" + "sha1": "c9fa144545eedb5dc4a2cc3f255e95602a1d7db0" } } ] @@ -271,7 +271,7 @@ "checks": { "summary": { "DISABLED": 0, - "FAILED": 2, + "FAILED": 3, "PASSED": 7, "SKIPPED": 0, "UNKNOWN": 0 
@@ -352,10 +352,34 @@ ], "justification": [ "Successfully verified level 3: ", - "verify passed: urllib3-2.0.3-py3-none-any.whl,verify passed: urllib3-2.0.3.tar.gz" + "verify passed : urllib3-2.0.4-py3-none-any.whl,verify passed : urllib3-2.0.4.tar.gz" ], "result_type": "PASSED" }, + { + "check_id": "mcn_version_control_system_1", + "check_description": "Check whether the target repo uses a version control system.", + "slsa_requirements": [ + "Version controlled - SLSA Level 2" + ], + "justification": [ + { + "This is a Git repository": "https://github.com/urllib3/urllib3" + } + ], + "result_type": "PASSED" + }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_witness_level_one_1", "check_description": "Check whether the target has a level-1 witness provenance.", @@ -370,19 +394,6 @@ ], "result_type": "FAILED" }, - { - "check_id": "mcn_version_control_system_1", - "check_description": "Check whether the target repo uses a version control system.", - "slsa_requirements": [ - "Version controlled - SLSA Level 2" - ], - "justification": [ - { - "This is a Git repository": "https://github.com/urllib3/urllib3" - } - ], - "result_type": "PASSED" - }, { "check_id": "mcn_trusted_builder_level_three_1", "check_description": "Check whether the target uses a trusted SLSA level 3 builder.", @@ -408,10 +419,18 @@ "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 
@@ -435,10 +454,6 @@ { "check_id": "mcn_build_service_1", "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "num_deps_pass": 0 } ], "dep_status": [] diff --git a/tests/e2e/expected_results/urllib3/urllib3_cue_invalid.json b/tests/e2e/expected_results/urllib3/urllib3_cue_invalid.json index 5e087a0fc..b41112913 100644 --- a/tests/e2e/expected_results/urllib3/urllib3_cue_invalid.json +++ b/tests/e2e/expected_results/urllib3/urllib3_cue_invalid.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-07-08 21:42:11" + "timestamps": "2023-09-12 17:36:12" }, "target": { "info": { 
@@ -20,51 +20,51 @@ "predicateType": "https://slsa.dev/provenance/v0.2", "subject": [ { - "name": "urllib3-2.0.3-py3-none-any.whl", + "name": "urllib3-2.0.4-py3-none-any.whl", "digest": { - "sha256": "48e7fafa40319d358848e1bc6809b208340fafe2096f1725d05d67443d0483d1" + "sha256": "de7df1803967d2c2a98e4b11bb7d6bd9210474c46e8a0401514e3a42a75ebde4" } }, { - "name": "urllib3-2.0.3.tar.gz", + "name": "urllib3-2.0.4.tar.gz", "digest": { - "sha256": "bee28b5e56addb8226c96f7f13ac28cb4c301dd5ea8a6ca179c0b9835e032825" + "sha256": "8d22f86aae8ef5e410d4f539fde9ce6b2113a001bb4d189e0aed70642d602b11" } } ], "predicate": { "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.6.0" + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0" }, "buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1", "invocation": { "configSource": { - "uri": "git+https://github.com/urllib3/urllib3@refs/tags/2.0.3", + "uri": "git+https://github.com/urllib3/urllib3@refs/tags/2.0.4", "digest": { - "sha1": "92196a0f08b2c2139117546ccfbdd3429eb72469" + "sha1": "c9fa144545eedb5dc4a2cc3f255e95602a1d7db0" }, "entryPoint": ".github/workflows/publish.yml" }, "parameters": {}, "environment": { - "github_actor": "pquentin", - "github_actor_id": "42327", + "github_actor": "illia-v", + "github_actor_id": "17710133", "github_base_ref": "", "github_event_name": "push", "github_event_payload": { - "after": "cb04c8e4603e062373fb62958809e4d0c32cef09", + "after": "d267c99f7e890ff22e136c34d29be802d9c2e773", "base_ref": null, "before": "0000000000000000000000000000000000000000", "commits": [], - "compare": "https://github.com/urllib3/urllib3/compare/2.0.3", + "compare": "https://github.com/urllib3/urllib3/compare/2.0.4", "created": true, "deleted": false, "forced": false, "head_commit": { "author": { - "email": "sethmichaellarson@gmail.com", - 
"name": "Seth Michael Larson", - "username": "sethmlarson" + "email": "64815328+Eutropios@users.noreply.github.com", + "name": "Noah Jenner", + "username": "Eutropios" }, "committer": { "email": "noreply@github.com", @@ -72,11 +72,11 @@ "username": "web-flow" }, "distinct": true, - "id": "92196a0f08b2c2139117546ccfbdd3429eb72469", - "message": "Release 2.0.3", - "timestamp": "2023-06-07T12:13:12+02:00", - "tree_id": "cffe7d9ddbff2e682cded4c146687767b561c5a9", - "url": "https://github.com/urllib3/urllib3/commit/92196a0f08b2c2139117546ccfbdd3429eb72469" + "id": "c9fa144545eedb5dc4a2cc3f255e95602a1d7db0", + "message": "Release version 2.0.4 (#3084)\n\nCo-authored-by: Illia Volochii ", + "timestamp": "2023-07-19T17:46:02+03:00", + "tree_id": "e61f50347e7bb803a0c8942ba63fe917c8424f77", + "url": "https://github.com/urllib3/urllib3/commit/c9fa144545eedb5dc4a2cc3f255e95602a1d7db0" }, "organization": { "avatar_url": "https://avatars.githubusercontent.com/u/26825299?v=4", @@ -93,10 +93,10 @@ "url": "https://api.github.com/orgs/urllib3" }, "pusher": { - "email": "quentin.pradet@gmail.com", - "name": "pquentin" + "email": "illia.volochii@gmail.com", + "name": "illia-v" }, - "ref": "refs/tags/2.0.3", + "ref": "refs/tags/2.0.4", "repository": { "allow_forking": true, "archive_url": "https://api.github.com/repos/urllib3/urllib3/{archive_format}{/ref}", @@ -119,8 +119,8 @@ "downloads_url": "https://api.github.com/repos/urllib3/urllib3/downloads", "events_url": "https://api.github.com/repos/urllib3/urllib3/events", "fork": false, - "forks": 1071, - "forks_count": 1071, + "forks": 1078, + "forks_count": 1078, "forks_url": "https://api.github.com/repos/urllib3/urllib3/forks", "full_name": "urllib3/urllib3", "git_commits_url": "https://api.github.com/repos/urllib3/urllib3/git/commits{/sha}", 
@@ -159,8 +159,8 @@ "name": "urllib3", "node_id": "MDEwOlJlcG9zaXRvcnkyNDEwNjc2", "notifications_url": "https://api.github.com/repos/urllib3/urllib3/notifications{?since,all,participating}", - "open_issues": 124, - "open_issues_count": 124, + "open_issues": 125, + "open_issues_count": 125, "organization": "urllib3", "owner": { "avatar_url": "https://avatars.githubusercontent.com/u/26825299?v=4", @@ -186,12 +186,12 @@ }, "private": false, "pulls_url": "https://api.github.com/repos/urllib3/urllib3/pulls{/number}", - "pushed_at": 1686132884, + "pushed_at": 1689779927, "releases_url": "https://api.github.com/repos/urllib3/urllib3/releases{/id}", - "size": 7215, + "size": 7242, "ssh_url": "git@github.com:urllib3/urllib3.git", - "stargazers": 3419, - "stargazers_count": 3419, + "stargazers": 3452, + "stargazers_count": 3452, "stargazers_url": "https://api.github.com/repos/urllib3/urllib3/stargazers", "statuses_url": "https://api.github.com/repos/urllib3/urllib3/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/urllib3/urllib3/subscribers", 
@@ -206,48 +206,48 @@ "urllib3" ], "trees_url": "https://api.github.com/repos/urllib3/urllib3/git/trees{/sha}", - "updated_at": "2023-06-07T06:42:49Z", + "updated_at": "2023-07-19T02:19:14Z", "url": "https://github.com/urllib3/urllib3", "visibility": "public", - "watchers": 3419, - "watchers_count": 3419, + "watchers": 3452, + "watchers_count": 3452, "web_commit_signoff_required": false }, "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/42327?v=4", - "events_url": "https://api.github.com/users/pquentin/events{/privacy}", - "followers_url": "https://api.github.com/users/pquentin/followers", - "following_url": "https://api.github.com/users/pquentin/following{/other_user}", - "gists_url": "https://api.github.com/users/pquentin/gists{/gist_id}", + "avatar_url": "https://avatars.githubusercontent.com/u/17710133?v=4", + "events_url": "https://api.github.com/users/illia-v/events{/privacy}", + "followers_url": "https://api.github.com/users/illia-v/followers", + "following_url": "https://api.github.com/users/illia-v/following{/other_user}", + "gists_url": "https://api.github.com/users/illia-v/gists{/gist_id}", "gravatar_id": "", - "html_url": "https://github.com/pquentin", - "id": 42327, - "login": "pquentin", - "node_id": "MDQ6VXNlcjQyMzI3", - "organizations_url": "https://api.github.com/users/pquentin/orgs", - "received_events_url": "https://api.github.com/users/pquentin/received_events", - "repos_url": "https://api.github.com/users/pquentin/repos", + "html_url": "https://github.com/illia-v", + "id": 17710133, + "login": "illia-v", + "node_id": "MDQ6VXNlcjE3NzEwMTMz", + "organizations_url": "https://api.github.com/users/illia-v/orgs", + "received_events_url": "https://api.github.com/users/illia-v/received_events", + "repos_url": "https://api.github.com/users/illia-v/repos", "site_admin": false, - "starred_url": "https://api.github.com/users/pquentin/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/pquentin/subscriptions", 
+ "starred_url": "https://api.github.com/users/illia-v/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/illia-v/subscriptions", "type": "User", - "url": "https://api.github.com/users/pquentin" + "url": "https://api.github.com/users/illia-v" } }, "github_head_ref": "", - "github_ref": "refs/tags/2.0.3", + "github_ref": "refs/tags/2.0.4", "github_ref_type": "tag", "github_repository_id": "2410676", "github_repository_owner": "urllib3", "github_repository_owner_id": "26825299", "github_run_attempt": "1", - "github_run_id": "5198755918", - "github_run_number": "19", - "github_sha1": "92196a0f08b2c2139117546ccfbdd3429eb72469" + "github_run_id": "5600993171", + "github_run_number": "21", + "github_sha1": "c9fa144545eedb5dc4a2cc3f255e95602a1d7db0" } }, "metadata": { - "buildInvocationID": "5198755918-1", + "buildInvocationID": "5600993171-1", "completeness": { "parameters": true, "environment": false, @@ -257,9 +257,9 @@ }, "materials": [ { - "uri": "git+https://github.com/urllib3/urllib3@refs/tags/2.0.3", + "uri": "git+https://github.com/urllib3/urllib3@refs/tags/2.0.4", "digest": { - "sha1": "92196a0f08b2c2139117546ccfbdd3429eb72469" + "sha1": "c9fa144545eedb5dc4a2cc3f255e95602a1d7db0" } } ] @@ -271,7 +271,7 @@ "checks": { "summary": { "DISABLED": 0, - "FAILED": 2, + "FAILED": 3, "PASSED": 6, "SKIPPED": 0, "UNKNOWN": 1 
@@ -352,10 +352,34 @@ ], "justification": [ "Successfully verified level 3: ", - "verify passed : urllib3-2.0.3-py3-none-any.whl,verify passed : urllib3-2.0.3.tar.gz" + "verify passed : urllib3-2.0.4-py3-none-any.whl,verify passed : urllib3-2.0.4.tar.gz" ], "result_type": "PASSED" }, + { + "check_id": "mcn_version_control_system_1", + "check_description": "Check whether the target repo uses a version control system.", + "slsa_requirements": [ + "Version controlled - SLSA Level 2" + ], + "justification": [ + { + "This is a Git repository": "https://github.com/urllib3/urllib3" + } + ], + "result_type": "PASSED" + }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_witness_level_one_1", "check_description": "Check whether the target has a level-1 witness provenance.", @@ -370,19 +394,6 @@ ], "result_type": "FAILED" }, - { - "check_id": "mcn_version_control_system_1", - "check_description": "Check whether the target repo uses a version control system.", - "slsa_requirements": [ - "Version controlled - SLSA Level 2" - ], - "justification": [ - { - "This is a Git repository": "https://github.com/urllib3/urllib3" - } - ], - "result_type": "PASSED" - }, { "check_id": "mcn_trusted_builder_level_three_1", "check_description": "Check whether the target uses a trusted SLSA level 3 builder.", @@ -408,10 +419,18 @@ "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 
@@ -435,10 +454,6 @@
 {
 "check_id": "mcn_build_service_1",
 "num_deps_pass": 0
- },
- {
- "check_id": "mcn_provenance_witness_level_one_1",
- "num_deps_pass": 0
 }
 ],
 "dep_status": []
diff --git a/tests/slsa_analyzer/checks/test_build_as_code_check.py b/tests/slsa_analyzer/checks/test_build_as_code_check.py
index 653e69abf..f07dc45ac 100644
--- a/tests/slsa_analyzer/checks/test_build_as_code_check.py
+++ b/tests/slsa_analyzer/checks/test_build_as_code_check.py
@@ -42,7 +42,14 @@ def test_build_as_code_check(
 """Test the Build As Code Check."""
 check = BuildAsCodeCheck()
 check_result = CheckResult(justification=[], result_tables=[]) # type: ignore
- bash_commands = BashCommands(caller_path="source_file", CI_path="ci_file", CI_type="github_actions", commands=[[]])
+ bash_commands = BashCommands(
+ caller_path="source_file",
+ CI_path="ci_file",
+ CI_type="github_actions",
+ commands=[[]],
+ job_name="job",
+ step_name="step",
+ )
 ci_info = CIInfo(
 service=github_actions_service,
 bash_commands=[bash_commands],
@@ -302,6 +309,8 @@ def test_multibuild_facts_saved(
 CI_path="ci_file",
 CI_type="github_actions",
 commands=[["./gradlew", "publishToSonatype"], ["mvn", "deploy"]],
+ job_name="job",
+ step_name="step",
 )
 check_result = CheckResult(justification=[], result_tables=[]) # type: ignore
 ci_info = CIInfo(
diff --git a/tests/slsa_analyzer/checks/test_build_service_check.py b/tests/slsa_analyzer/checks/test_build_service_check.py
index c615c019e..c633f01d5 100644
--- a/tests/slsa_analyzer/checks/test_build_service_check.py
+++ b/tests/slsa_analyzer/checks/test_build_service_check.py
@@ -58,7 +58,12 @@ def test_build_service_check(self) -> None:
 gitlab_ci.load_defaults()
 
 bash_commands = BashCommands(
- caller_path="source_file", CI_path="ci_file", CI_type="github_actions", commands=[[]]
+ caller_path="source_file",
+ CI_path="ci_file",
+ CI_type="github_actions",
+ commands=[[]],
+ job_name="job",
+ step_name="step",
 )
 ci_info = CIInfo(
 service=github_actions,
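Review bot: The same placeholder `BashCommands(caller_path="source_file", CI_path="ci_file", CI_type="github_actions", commands=..., job_name="job", step_name="step")` is now spelled out by hand in four tests — both hunks of test_build_as_code_check.py and both hunks of test_build_service_check.py — so the next field added to the model means four more edits. A small helper taking only the commands list, e.g. `def make_bash_commands(commands): return BashCommands(caller_path="source_file", CI_path="ci_file", CI_type="github_actions", commands=commands, job_name="job", step_name="step")`, would keep these tests in step with the model in one place. None of the touched hunks asserts on `job_name` or `step_name`; if these two fields are what the new `buildConfig.jobID`/`stepID` values in the expected-results fixtures are derived from, `test_multibuild_facts_saved` is the natural place to assert they are persisted, but its body continues outside the hunk so I cannot tell whether it already does.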
@@ -244,6 +249,8 @@ def test_multibuild_facts_saved(self) -> None:
 CI_path="ci_file",
 CI_type="github_actions",
 commands=[["./gradlew", "build"], ["mvn", "package"]],
+ job_name="job",
+ step_name="step",
 )
 ci_info = CIInfo(
 service=github_actions,
diff --git a/tests/slsa_analyzer/checks/test_infer_artifact_pipeline.py b/tests/slsa_analyzer/checks/test_infer_artifact_pipeline.py
new file mode 100644
index 000000000..923b8c7c7
--- /dev/null
+++ b/tests/slsa_analyzer/checks/test_infer_artifact_pipeline.py
@@ -0,0 +1,31 @@
+# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""This module contains tests for the Infer ArtiFact Pipeline check."""
+
+from pathlib import Path
+
+import pytest
+
+from macaron.database.table_definitions import Repository
+from macaron.slsa_analyzer.checks.check_result import CheckResult, CheckResultType
+from macaron.slsa_analyzer.checks.infer_artifact_pipeline_check import InferArtifactPipelineCheck
+from tests.conftest import MockAnalyzeContext
+
+
+@pytest.mark.parametrize(
+ ("repository", "expected"),
+ [
+ (None, CheckResultType.FAILED),
+ (Repository(complete_name="github.com/package-url/purl-spec"), CheckResultType.FAILED),
+ ],
+)
+def test_infer_artifact_pipeline(macaron_path: Path, repository: Repository, expected: str) -> None:
+ """Test that the check handles repositories correctly."""
+ check = InferArtifactPipelineCheck()
+ check_result = CheckResult(justification=[]) # type: ignore
+
+ # Set up the context object with provenances.
+ ctx = MockAnalyzeContext(macaron_path=macaron_path, output_dir="")
+ ctx.component.repository = repository
+ assert check.run_check(ctx, check_result) == expected
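Review bot: In the new test_infer_artifact_pipeline.py the parameter annotations do not match the parametrized values: `expected` is annotated `str` but receives `CheckResultType.FAILED`, and `repository` is annotated `Repository` while the first case passes `None`; the signature should read `def test_infer_artifact_pipeline(macaron_path: Path, repository: Repository | None, expected: CheckResultType) -> None:`. Both cases expect FAILED, so an implementation that fails unconditionally would also pass; a case that supplies what the check looks for (judging by the fixtures on this page, a publishing timestamp and a deploy workflow run) and asserts PASSED, or at least an assertion on the distinct justification each case produces, would make the test discriminating. The comment `# Set up the context object with provenances.` does not describe the body, which sets no provenance and only assigns the repository; `# Set up the context object with the parametrized repository.` is accurate. The module docstring's "Infer ArtiFact Pipeline" should read "Infer Artifact Pipeline".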