From 13206e56463f51ccd98415ec9c249688c70ccdff Mon Sep 17 00:00:00 2001 From: Behnaz Hassanshahi Date: Wed, 13 Sep 2023 17:14:49 +1000 Subject: [PATCH] feat: add a new check to map artifacts to pipelines (#471) This PR adds a new check, `mcn_infer_artifact_pipeline_1` to detect a potential pipeline from which an artifact is published. When a verifiable provenance is found for an artifact, the result of this check can be discarded. Otherwise, we check whether a CI workflow run has automatically published the artifact. This check supports Maven artifacts built using Gradle or Maven and published on Maven Central only. Support for other registries and ecosystems will be added in the future. 
Signed-off-by: behnazh-w --- docs/source/index.rst | 3 + .../apidoc/macaron.slsa_analyzer.checks.rst | 8 + ...macaron.slsa_analyzer.package_registry.rst | 8 + .../pages/supported_technologies/index.rst | 4 + .../supported_technologies/maven_central.rst | 6 + scripts/dev_scripts/integration_tests.sh | 10 + src/macaron/config/defaults.ini | 12 +- src/macaron/dependency_analyzer/cyclonedx.py | 1 + .../dependency_resolver.py | 2 + src/macaron/errors.py | 4 + src/macaron/parsers/bashparser.py | 21 +- .../checks/build_as_code_check.py | 6 +- .../checks/infer_artifact_pipeline_check.py | 209 +++++ .../ci_service/base_ci_service.py | 38 + .../ci_service/github_actions.py | 115 ++- .../slsa_analyzer/git_service/api_client.py | 73 ++ .../package_registry/__init__.py | 3 +- .../maven_central_registry.py | 181 +++++ .../specs/inferred_provenance.py | 14 +- src/macaron/util.py | 8 +- .../__snapshots__/test_cyclonedx.ambr | 158 ++++ .../apache_maven_with_sbom_provided.json | 40 +- .../cyclonedx_apache_maven.json | 124 +-- .../cyclonedx_timyarkov_multibuild_test.json | 6 +- .../test_dependency_analyzer.py | 10 +- .../docker_test/docker_test.json | 40 +- .../jackson-databind/jackson-databind.json | 40 +- tests/e2e/expected_results/maven/guava.json | 35 +- tests/e2e/expected_results/maven/maven.json | 67 +- tests/e2e/expected_results/maven/mockito.json | 35 +- .../micronaut-core/caffeine.json | 43 +- .../micronaut-core/micronaut-core.json | 22 +- .../micronaut-core/slf4j.json | 35 +- .../multibuild_test/multibuild_test.json | 61 +- .../plot-plugin/plot-plugin.json | 40 +- .../purl/com_google_guava/guava/guava.json | 255 ++++++ .../expected_results/purl/maven/maven.json | 48 +- .../slsa-verifier/slsa-verifier_cue_PASS.json | 727 +++++++++--------- .../tinyMediaManager/tinyMediaManager.json | 50 +- .../e2e/expected_results/urllib3/urllib3.json | 165 ++-- .../urllib3/urllib3_cue_invalid.json | 165 ++-- .../checks/test_build_as_code_check.py | 11 +- 
.../checks/test_build_service_check.py | 9 +- .../checks/test_infer_artifact_pipeline.py | 31 + 44 files changed, 2191 insertions(+), 752 deletions(-) create mode 100644 docs/source/pages/supported_technologies/maven_central.rst create mode 100644 src/macaron/slsa_analyzer/checks/infer_artifact_pipeline_check.py create mode 100644 src/macaron/slsa_analyzer/package_registry/maven_central_registry.py create mode 100644 tests/e2e/expected_results/purl/com_google_guava/guava/guava.json create mode 100644 tests/slsa_analyzer/checks/test_infer_artifact_pipeline.py diff --git a/docs/source/index.rst b/docs/source/index.rst index 87d1ea5c5..b1a531414 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -74,6 +74,9 @@ the requirements that are currently supported by Macaron. * - 3 - **Build as code** - If a trusted builder is not present, this requirement determines that the build definition and configuration executed by the build service is verifiably derived from text file definitions stored in a version control system. - Identify and validate the CI service(s) used to build and deploy/publish an artifact. + * - 3 + - **Infer artifact publish pipeline** - When a provenance is not available, checks whether a CI workflow run has automatically published the artifact. + - Identify a workflow run that has triggered the deploy step determined by the ``Build as code`` check. * - 3 - **Provenance Level three** - Check whether the target has SLSA provenance level 3. - Use the `slsa-verifier `_ to attest to the subjects in the SLSA provenance that accompanies an artifact. diff --git a/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.checks.rst b/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.checks.rst index c059b397b..7d47e7260 100644 --- a/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.checks.rst +++ b/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.checks.rst 
@@ -49,6 +49,14 @@ macaron.slsa\_analyzer.checks.check\_result module :undoc-members: :show-inheritance: +macaron.slsa\_analyzer.checks.infer\_artifact\_pipeline\_check module +--------------------------------------------------------------------- + +.. automodule:: macaron.slsa_analyzer.checks.infer_artifact_pipeline_check + :members: + :undoc-members: + :show-inheritance: + macaron.slsa\_analyzer.checks.provenance\_available\_check module ----------------------------------------------------------------- diff --git a/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.package_registry.rst b/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.package_registry.rst index 86b11540b..ec97303d1 100644 --- a/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.package_registry.rst +++ b/docs/source/pages/developers_guide/apidoc/macaron.slsa_analyzer.package_registry.rst @@ -17,6 +17,14 @@ macaron.slsa\_analyzer.package\_registry.jfrog\_maven\_registry module :undoc-members: :show-inheritance: +macaron.slsa\_analyzer.package\_registry.maven\_central\_registry module +------------------------------------------------------------------------ + +.. automodule:: macaron.slsa_analyzer.package_registry.maven_central_registry + :members: + :undoc-members: + :show-inheritance: + macaron.slsa\_analyzer.package\_registry.package\_registry module ----------------------------------------------------------------- diff --git a/docs/source/pages/supported_technologies/index.rst b/docs/source/pages/supported_technologies/index.rst index f8c0a635b..fd263bd0a 100644 --- a/docs/source/pages/supported_technologies/index.rst +++ b/docs/source/pages/supported_technologies/index.rst 
@@ -41,6 +41,9 @@ Package Registries * - `JFrog Artifactory `_ - Only projects built with Gradle and publishing to a JFrog Artifactory repo following `Maven layout `_ - :doc:`page ` + * - `Maven Central Artifactory `_ + - Only projects built with Gradle or Maven and published to the Maven Central Artifactory. + - :doc:`page ` ----------- Provenances @@ -70,3 +73,4 @@ See also jfrog witness + maven_central diff --git a/docs/source/pages/supported_technologies/maven_central.rst b/docs/source/pages/supported_technologies/maven_central.rst new file mode 100644 index 000000000..4b3f0f5d6 --- /dev/null +++ b/docs/source/pages/supported_technologies/maven_central.rst @@ -0,0 +1,6 @@ +.. Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. +.. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. + +============= +Maven Central +============= diff --git a/scripts/dev_scripts/integration_tests.sh b/scripts/dev_scripts/integration_tests.sh index 11fdb61dc..78cd2689c 100755 --- a/scripts/dev_scripts/integration_tests.sh +++ b/scripts/dev_scripts/integration_tests.sh 
@@ -267,6 +267,16 @@ python $COMPARE_JSON_OUT $JSON_RESULT $JSON_EXPECTED || log_fail # python $COMPARE_DEPS $DEP_RESULT $DEP_EXPECTED || log_fail +echo -e "\n----------------------------------------------------------------------------------" +echo "google/guava: Analyzing with PURL and repository path without dependency resolution." +echo -e "----------------------------------------------------------------------------------\n" +JSON_EXPECTED=$WORKSPACE/tests/e2e/expected_results/purl/com_google_guava/guava/guava.json +JSON_RESULT=$WORKSPACE/output/reports/maven/com_google_guava/guava/guava.json +$RUN_MACARON analyze -purl pkg:maven/com.google.guava/guava@32.1.2-jre?type=jar -rp https://github.com/google/guava -b master -d d8633ac8539dae52c8361f79c7a0dbd9ad6dd2c4 --skip-deps || log_fail + +python $COMPARE_JSON_OUT $JSON_RESULT $JSON_EXPECTED || log_fail + + # Running Macaron using local paths. echo -e "\n==================================================================================" echo "Run integration tests with local paths for apache/maven..." diff --git a/src/macaron/config/defaults.ini b/src/macaron/config/defaults.ini index 7170394e5..5710a19b8 100644 --- a/src/macaron/config/defaults.ini +++ b/src/macaron/config/defaults.ini @@ -375,10 +375,20 @@ predicate_types = https://witness.testifysec.com/attestation-collection/v0.1 artifact_extensions = jar - # Package registries. +[package_registry] +# The allowed time range (in seconds) from a deploy workflow run start time to publish time. +publish_time_range = 3600 + # [package_registry.jfrog.maven] # In this example, the Maven repo can be accessed at `https://internal.registry.org/repo-name`. # hostname = internal.registry.org # repo = repo-name # download_timeout = 120 + +[package_registry.maven_central] +# Maven Central host name. +hostname = search.maven.org +# The search REST API. See https://central.sonatype.org/search/rest-api-guide/ +search_endpoint = solrsearch/select +request_timeout = 20 
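Review bot: The new `[package_registry]` section with `publish_time_range = 3600` is never consulted, because the check added in `infer_artifact_pipeline_check.py` further down reads it as `defaults.getint("package_registries", "publish_time_range", fallback=3600)`, a section name that does not exist in this file, so the fallback is always used and an operator narrowing the window here has no effect. The neighbouring `[package_registry.jfrog.maven]` and new `[package_registry.maven_central]` sections confirm `package_registry` is the intended prefix. The fix belongs in the check: `publish_time_range = defaults.getint("package_registry", "publish_time_range", fallback=3600)`. Since the window is the main knob bounding how far from the publish time a run may be and still be attributed to the artifact, consider logging at debug level when the section is absent so a silent fallback is visible.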
diff --git a/src/macaron/dependency_analyzer/cyclonedx.py b/src/macaron/dependency_analyzer/cyclonedx.py index 386624370..61d2e924f 100644 --- a/src/macaron/dependency_analyzer/cyclonedx.py +++ b/src/macaron/dependency_analyzer/cyclonedx.py @@ -174,6 +174,7 @@ def convert_components_to_artifacts( version=component.get("version") or "", group=component.get("group") or "", name=component.get("name") or "", + purl=component.get("purl") or "", url="", note="", available=SCMStatus.AVAILABLE, diff --git a/src/macaron/dependency_analyzer/dependency_resolver.py b/src/macaron/dependency_analyzer/dependency_resolver.py index 9fa742eb0..1a16d3f49 100644 --- a/src/macaron/dependency_analyzer/dependency_resolver.py +++ b/src/macaron/dependency_analyzer/dependency_resolver.py @@ -34,6 +34,7 @@ class DependencyInfo(TypedDict): version: str group: str name: str + purl: str url: str note: str available: SCMStatus @@ -262,6 +263,7 @@ def merge_configs( Configuration( { "id": key, + "purl": value.get("purl"), "path": value.get("url"), "branch": "", "digest": "", diff --git a/src/macaron/errors.py b/src/macaron/errors.py index 26ee534b4..7847c1b38 100644 --- a/src/macaron/errors.py +++ b/src/macaron/errors.py @@ -50,3 +50,7 @@ class InvalidPURLError(MacaronError): class DuplicateError(MacaronError): """The class for errors for duplicated data.""" + + +class InvalidHTTPResponseError(MacaronError): + """Happens when the HTTP response is invalid or unexpected.""" diff --git a/src/macaron/parsers/bashparser.py b/src/macaron/parsers/bashparser.py index fe7266799..ce6acc194 100644 --- a/src/macaron/parsers/bashparser.py +++ b/src/macaron/parsers/bashparser.py @@ -33,6 +33,10 @@ class BashCommands(TypedDict): """CI service type.""" commands: list[list[str]] """Parsed bash commands.""" + job_name: str + """The name of the job where commands were called.""" + step_name: str + """The name of the step where commands were called.""" def parse_file(file_path: str, macaron_path: str = "") -> dict: 
@@ -119,6 +123,8 @@ def extract_bash_from_ci( recursive: bool = False, repo_path: str = "", working_dir: str = "", + job_name: str = "", + step_name: str = "", ) -> Iterable[BashCommands]: """Parse the bash scripts triggered from CI. @@ -140,6 +146,10 @@ def extract_bash_from_ci( working_dir : str The working directory from which the bash script has run. Empty value is considered as the root of the repo. + job_name: str + The name of the job where commands were called. + step_name: str + The name of the step where commands were called. Yields ------ @@ -152,7 +162,14 @@ def extract_bash_from_ci( parsed_parent = parse(bash_content) caller_commands = parsed_parent.get("commands", []) if caller_commands: - yield BashCommands(caller_path=ci_file, CI_path=ci_file, CI_type=ci_type, commands=caller_commands) + yield BashCommands( + caller_path=ci_file, + CI_path=ci_file, + CI_type=ci_type, + commands=caller_commands, + job_name=job_name, + step_name=step_name, + ) # Parse the bash script files called from the current script. if recursive and repo_path: @@ -170,4 +187,6 @@ def extract_bash_from_ci( CI_path=ci_file, CI_type=ci_type, commands=callee_commands, + job_name=job_name, + step_name=step_name, ) diff --git a/src/macaron/slsa_analyzer/checks/build_as_code_check.py b/src/macaron/slsa_analyzer/checks/build_as_code_check.py index e9692ee7b..959c9974e 100644 --- a/src/macaron/slsa_analyzer/checks/build_as_code_check.py +++ b/src/macaron/slsa_analyzer/checks/build_as_code_check.py @@ -188,7 +188,7 @@ def _check_build_tool( ctx.component.repository.branch_name, ctx.component.repository.commit_sha, ctx.component.repository.commit_date, - os.path.basename(callee.caller_path), + callee.caller_path, ) # TODO: include in the justification multiple cases of external action usage 
@@ -253,7 +253,7 @@ def _check_build_tool( ctx.component.repository.branch_name, ctx.component.repository.commit_sha, ctx.component.repository.commit_date, - os.path.basename(bash_cmd["CI_path"]), + bash_cmd["CI_path"], ) justification_cmd: list[str | dict[str, str]] = [ @@ -283,6 +283,8 @@ def _check_build_tool( "sha1" ] = ctx.component.repository.commit_sha predicate["invocation"]["configSource"]["entryPoint"] = trigger_link + predicate["buildConfig"]["jobID"] = bash_cmd["job_name"] + predicate["buildConfig"]["stepID"] = bash_cmd["step_name"] predicate["metadata"]["buildInvocationId"] = html_url check_result["result_tables"].append( BuildAsCodeFacts( diff --git a/src/macaron/slsa_analyzer/checks/infer_artifact_pipeline_check.py b/src/macaron/slsa_analyzer/checks/infer_artifact_pipeline_check.py new file mode 100644 index 000000000..4a30e6271 --- /dev/null +++ b/src/macaron/slsa_analyzer/checks/infer_artifact_pipeline_check.py 
@@ -0,0 +1,209 @@ +# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. + +"""This module contains the InferArtifactPipelineCheck class to check if an artifact is published from a pipeline automatically.""" + +import logging + +from sqlalchemy import ForeignKey +from sqlalchemy.orm import Mapped, mapped_column +from sqlalchemy.sql.sqltypes import String + +from macaron.config.defaults import defaults +from macaron.database.table_definitions import CheckFacts +from macaron.errors import InvalidHTTPResponseError +from macaron.slsa_analyzer.analyze_context import AnalyzeContext +from macaron.slsa_analyzer.build_tool.gradle import Gradle +from macaron.slsa_analyzer.build_tool.maven import Maven +from macaron.slsa_analyzer.checks.base_check import BaseCheck +from macaron.slsa_analyzer.checks.check_result import CheckResult, CheckResultType +from macaron.slsa_analyzer.ci_service.base_ci_service import NoneCIService +from macaron.slsa_analyzer.package_registry.maven_central_registry import MavenCentralRegistry +from macaron.slsa_analyzer.provenance.intoto import InTotoV01Payload +from macaron.slsa_analyzer.registry import registry +from macaron.slsa_analyzer.slsa_req import ReqName +from macaron.slsa_analyzer.specs.package_registry_spec import PackageRegistryInfo + +logger: logging.Logger = logging.getLogger(__name__) + + +class InferArtifactPipelineFacts(CheckFacts): + """The ORM mapping for justifications of the infer_artifact_pipeline check.""" + + __tablename__ = "_infer_artifact_pipeline_check" + + #: The primary key. + id: Mapped[int] = mapped_column(ForeignKey("_check_facts.id"), primary_key=True) # noqa: A003 + + #: The workflow job that triggered deploy. + deploy_job: Mapped[str] = mapped_column(String, nullable=False) + + #: The workflow step that triggered deploy. 
+ deploy_step: Mapped[str] = mapped_column(String, nullable=False) + + #: The workflow run URL. + run_url: Mapped[str] = mapped_column(String, nullable=False) + + __mapper_args__ = { + "polymorphic_identity": "_infer_artifact_pipeline_check", + } + + +class InferArtifactPipelineCheck(BaseCheck): + """This check detects a potential pipeline from which an artifact is published. + + When a verifiable provenance is found for an artifact, the result of this check can be discarded. + Otherwise, we check whether a CI workflow run has automatically published the artifact. + + We use several heuristics in this check: + + * The workflow run should have started before the artifact is published. + * The workflow step that calls a deploy command should have run successfully. + * The workflow step that calls a deploy command should have started before the artifact is published. + + Note: due to a limitation, we cannot specify the provenance checks as parents of this + check because a check cannot have more than one parent in the current design. It would + be good to skip this with a success result if the relevant provenance checks pass in the future. + """ + + def __init__(self) -> None: + """Initialize the InferArtifactPipeline instance.""" + check_id = "mcn_infer_artifact_pipeline_1" + description = "Detects potential pipelines from which an artifact is published." + depends_on = [("mcn_build_as_code_1", CheckResultType.PASSED)] + eval_reqs = [ReqName.BUILD_AS_CODE] + super().__init__( + check_id=check_id, + description=description, + depends_on=depends_on, + eval_reqs=eval_reqs, + result_on_skip=CheckResultType.FAILED, + ) + + def run_check(self, ctx: AnalyzeContext, check_result: CheckResult) -> CheckResultType: + """Implement the check in this method. + + Parameters + ---------- + ctx : AnalyzeContext + The object containing processed data for the target repo. + check_result : CheckResult + The object containing result data of a check. 
+ + Returns + ------- + CheckResultType + The result type of the check (e.g. PASSED). + """ + # This check requires the build_as_code check to pass and a repository to be available. + if not ctx.component.repository: + check_result["justification"] = [ + "Unable to find a potential workflow run for the artifact because no repository is available." + ] + return CheckResultType.FAILED + + # Look for the artifact in the corresponding registry and find the publish timestamp. + artifact_published_date = None + package_registry_info_entries = ctx.dynamic_data["package_registries"] + for package_registry_info_entry in package_registry_info_entries: + match package_registry_info_entry: + # TODO: add package registries for other ecosystems. + case PackageRegistryInfo( + build_tool=Gradle() | Maven(), + package_registry=MavenCentralRegistry() as mvn_central_registry, + ): + group_id = ctx.component.namespace + artifact_id = ctx.component.name + version = ctx.component.version + try: + artifact_published_date = mvn_central_registry.find_publish_timestamp( + group_id, artifact_id, version + ) + except InvalidHTTPResponseError as error: + logger.debug(error) + + # This check requires the artifact publish artifact to proceed. If the timestamp is not + # found, we return with a fail result. + if not artifact_published_date: + check_result["justification"] = ["Unable to find a publishing timestamp for the artifact."] + return CheckResultType.FAILED + + # Obtain the metadata inferred by the build_as_code check, which is stored in the `provenances` + # attribute of the corresponding CI service. + ci_services = ctx.dynamic_data["ci_services"] + for ci_info in ci_services: + ci_service = ci_info["service"] + # Checking if a CI service is discovered for this repo. 
+ if isinstance(ci_service, NoneCIService): + continue + + if ctx.dynamic_data["is_inferred_prov"] and ci_info["provenances"]: + for inferred_prov in ci_info["provenances"]: + # Skip processing the inferred provenance if it does not conform with the in-toto v0.1 specification. + if not isinstance(inferred_prov, InTotoV01Payload): + continue + + # This check requires the job and step calling the deploy command. + # Validate the content of inferred_prov. + predicate = inferred_prov.statement["predicate"] + if ( + not predicate + or not isinstance(predicate["invocation"], dict) + or "configSource" not in predicate["invocation"] + or not isinstance(predicate["invocation"]["configSource"], dict) + or "entryPoint" not in predicate["invocation"]["configSource"] + or not isinstance(predicate["invocation"]["configSource"]["entryPoint"], str) + ): + continue + if ( + not isinstance(predicate["buildConfig"], dict) + or "jobID" not in predicate["buildConfig"] + or not isinstance(predicate["buildConfig"]["jobID"], str) + or "stepID" not in predicate["buildConfig"] + or not isinstance(predicate["buildConfig"]["stepID"], str) + ): + continue + try: + publish_time_range = defaults.getint("package_registries", "publish_time_range", fallback=3600) + except ValueError as error: + logger.error( + "Configuration error: publish_time_range in section of package_registries is not a valid integer %s.", + error, + ) + check_result["justification"] = [ + "Unable to find a potential workflow run for the artifact due to configuration issues." + ] + return CheckResultType.FAILED + + # Find the potential workflow runs. 
+ if html_urls := ci_service.workflow_run_in_date_time_range( + repo_full_name=ctx.component.repository.full_name, + workflow=predicate["invocation"]["configSource"]["entryPoint"], + date_time=artifact_published_date, + step_name=predicate["buildConfig"]["stepID"], + time_range=publish_time_range, + ): + for html_url in html_urls: + justification: list[str | dict[str, str]] = [ + { + f"The artifact is potentially published by workflow" + f" job '{predicate['buildConfig']['jobID']}' at" + f" step '{predicate['buildConfig']['stepID']}' " + "triggered by": html_url, + }, + ] + check_result["justification"].extend(justification) + check_result["result_tables"].append( + InferArtifactPipelineFacts( + deploy_job=predicate["buildConfig"]["jobID"], + deploy_step=predicate["buildConfig"]["stepID"], + run_url=html_url, + ) + ) + return CheckResultType.PASSED + + check_result["justification"] = ["Unable to find a potential workflow run for the artifact."] + return CheckResultType.FAILED + + +registry.register(InferArtifactPipelineCheck()) diff --git a/src/macaron/slsa_analyzer/ci_service/base_ci_service.py b/src/macaron/slsa_analyzer/ci_service/base_ci_service.py index 6106dafb3..15f3d0799 100644 --- a/src/macaron/slsa_analyzer/ci_service/base_ci_service.py +++ b/src/macaron/slsa_analyzer/ci_service/base_ci_service.py @@ -7,6 +7,7 @@ import os from abc import abstractmethod from collections.abc import Iterable +from datetime import datetime from macaron.code_analyzer.call_graph import BaseNode, CallGraph from macaron.parsers.bashparser import BashCommands 
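Review bot: The guards that validate the inferred provenance index `predicate["invocation"]` and `predicate["buildConfig"]` before establishing that those keys exist, so a provenance payload lacking either key raises `KeyError` out of `run_check` instead of being skipped with `continue` as the surrounding condition intends. Using `not isinstance(predicate.get("invocation"), dict)` and `not isinstance(predicate.get("buildConfig"), dict)` as the first clauses keeps the rest of each chain safe. The `defaults.getint(...)` call for `publish_time_range` does not depend on loop state and is repeated for every inferred provenance of every CI service; it can be read once before the `ci_services` loop (its section name is discussed on the `defaults.ini` hunk). In the registry loop, `artifact_published_date` is overwritten by each matching `PackageRegistryInfo` entry, so if more than one entry matches the last timestamp wins silently; it looks like a `break` after a successful lookup would make that explicit.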
@@ -195,6 +196,43 @@ def has_latest_run_passed( """ raise NotImplementedError + # pylint: disable=unused-argument + def workflow_run_in_date_time_range( + self, + repo_full_name: str, + workflow: str, + date_time: datetime, + step_name: str, + time_range: int = 0, + ) -> set[str]: + """Check if the repository has a workflow run started before the date_time timestamp within the time_range. + + - This method queries the list of workflow runs using the GitHub API for the provided repository full name. + - It will filter out the runs that are not triggered by the given workflow. + - It will only accept the runs that from `date_time - time_range` to `date_time`. + - If a `step_name` is provided, checks that it has started before the `date_time` and has succeeded. + + Parameters + ---------- + repo_full_name : str + The target repo's full name. + workflow : str + The workflow URL. + date_time: datetime + The datetime object to query. + step_name: str + The step in the GitHub Action workflow that needs to be checked. + time_range: int + The date-time range in seconds. The default value is 0. + For example a 30 seconds range for 2022-11-05T20:30 is 2022-11-05T20:15..2022-11-05T20:45. + + Returns + ------- + set[str] + The set of URLs found for the workflow within the time range. + """ + return set() + class NoneCIService(BaseCIService): """This class can be used to initialize an empty CI service.""" diff --git a/src/macaron/slsa_analyzer/ci_service/github_actions.py b/src/macaron/slsa_analyzer/ci_service/github_actions.py index 011a273a8..4e63a4ef2 100644 --- a/src/macaron/slsa_analyzer/ci_service/github_actions.py +++ b/src/macaron/slsa_analyzer/ci_service/github_actions.py @@ -7,7 +7,7 @@ import logging import os from collections.abc import Iterable -from datetime import datetime, timezone +from datetime import datetime, timedelta, timezone from enum import Enum from macaron.code_analyzer.call_graph import BaseNode, CallGraph 
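Review bot: The docstring's example contradicts the contract it describes: "a 30 seconds range for 2022-11-05T20:30 is 2022-11-05T20:15..2022-11-05T20:45" is a symmetric 15-minute window, whereas the bullet above it and the GitHub implementation in the `github_actions.py` hunk take runs from `date_time - time_range` up to `date_time` only. A consistent example would read `For example, a 30 second range for 2022-11-05T20:30:00 is 2022-11-05T20:29:30..2022-11-05T20:30:00.`, and the bullet `It will only accept the runs that from ... to ...` should read `It will only accept runs that started between \`date_time - time_range\` and \`date_time\`.`. The same docstring is duplicated verbatim on `GitHubActions.workflow_run_in_date_time_range`, so both copies need the correction.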
@@ -289,6 +289,8 @@ def extract_all_bash(self, callgraph: CallGraph, macaron_path: str = "") -> Iter recursive=True, repo_path=callgraph.repo_path, working_dir=step["Exec"]["WorkingDirectory"] or "", + job_name=job.get("ID")["Value"] if job.get("ID") else "", + step_name=step.get("Name")["Value"] if step.get("Name") else "", ) def has_latest_run_passed( 
@@ -410,6 +412,117 @@ def has_latest_run_passed( return "" + def workflow_run_in_date_time_range( + self, + repo_full_name: str, + workflow: str, + date_time: datetime, + step_name: str, + time_range: int = 0, + ) -> set[str]: + """Check if the repository has a workflow run started before the date_time timestamp within the time_range. + + - This method queries the list of workflow runs using the GitHub API for the provided repository full name. + - It will filter out the runs that are not triggered by the given workflow. + - It will only accept the runs that from `date_time - time_range` to `date_time`. + - If a `step_name` is provided, checks that it has started before the `date_time` and has succeeded. + + Parameters + ---------- + repo_full_name : str + The target repo's full name. + workflow : str + The workflow URL. + date_time: datetime + The datetime object to query. + step_name: str + The step in the GitHub Action workflow that needs to be checked. + time_range: int + The date-time range in seconds. The default value is 0. + For example a 30 seconds range for 2022-11-05T20:30 is 2022-11-05T20:15..2022-11-05T20:45. + + Returns + ------- + set[str] + The set of URLs found for the workflow within the time range. + """ + logger.debug( + "Getting the latest workflow run of %s at %s within time range %s", + workflow, + str(date_time), + str(time_range), + ) + + html_urls: set[str] = set() + try: + datetime_from = date_time - timedelta(seconds=time_range) + except (OverflowError, OSError, TypeError) as error: + logger.debug(error) + return html_urls + + # Perform the search. 
+ logger.debug("Search for the workflow runs within the range.") + try: + run_data = self.api_client.get_workflow_run_for_date_time_range( + repo_full_name, f"{datetime_from.isoformat()}..{date_time.isoformat()}" + ) + except ValueError as error: + logger.debug(error) + return html_urls + + if not run_data: + logger.debug("Unable to find any run data for the workflow %s", workflow) + return html_urls + + logger.debug("Checking workflow run of %s.", workflow) + try: + # iterate through the responses in reversed order to add the run + # closest to the `date_time - time_range` timestamp first. + for item in reversed(run_data["workflow_runs"]): + # The workflow parameter contains the URL to the workflow. + # So we need to check that item["path"] is a substring of it. + if item["path"] in workflow: + run_jobs = self.api_client.get_workflow_run_jobs(repo_full_name, item["id"]) + if not run_jobs: + continue + + # Find the matching step and check its `conclusion` and `started_at` attributes. + for job in run_jobs["jobs"]: + for step in job["steps"]: + if step["name"] != step_name or step["conclusion"] != "success": + continue + try: + if datetime.fromisoformat(step["started_at"]) < date_time: + run_id: str = item["id"] + html_url: str = item["html_url"] + logger.info( + "The workflow run status of %s (id = %s, url = %s, step = %s) is %s.", + workflow, + run_id, + html_url, + step["name"], + step["conclusion"], + ) + html_urls.add(html_url) + else: + logger.debug( + "The workflow start run %s happened after %s with status %s.", + datetime.fromisoformat(step["started_at"]), + date_time, + step["conclusion"], + ) + # Handle errors for calls to `fromisoformat()` and the time comparison. + except (ValueError, OverflowError, OSError, TypeError) as error: + logger.debug(error) + except KeyError as key_error: + logger.debug( + "Unable to read data of %s from the GitHub API result. 
Error: %s", + workflow, + str(key_error), + ) + + return html_urls + def search_for_workflow_run( self, workflow_id: str, diff --git a/src/macaron/slsa_analyzer/git_service/api_client.py b/src/macaron/slsa_analyzer/git_service/api_client.py index de90498b4..5ac0f0cd4 100644 --- a/src/macaron/slsa_analyzer/git_service/api_client.py +++ b/src/macaron/slsa_analyzer/git_service/api_client.py 
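Review bot: A run is accepted on workflow path, step name, step conclusion and start time alone; nothing ties it to the commit under analysis, so a successful deploy step from another branch or a pull-request run inside the window would be reported as the pipeline that published the artifact. The run objects returned by the `actions/runs` endpoint carry `head_sha`, `head_branch` and `event`, so comparing `item["head_sha"]` with the analysed commit (the caller has `ctx.component.repository.commit_sha`) or at least recording it in the justification would make the mapping far harder to confuse. The `except (ValueError, OverflowError, OSError, TypeError)` around `datetime.fromisoformat(step["started_at"])` logs at debug only, so if the timestamp format or a naive/aware mismatch with `date_time` makes every comparison fail, the check silently fails with no indication; `logger.warning` is more appropriate there. `run_id: str = item["id"]` annotates an integer API field as `str` (and `get_workflow_run_jobs` declares `run_id: str` for the same value); `int` is the honest type. Note also that `extract_all_bash` passes `step_name=""` for a step without a `name:` key, which presumably can never equal the generated name the API reports for such steps — worth a comment or an early `return` when `step_name` is empty.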
@@ -264,6 +264,79 @@ def get_workflow_runs(self, full_name: str, branch_name: str, created_after: str return response_data + def get_workflow_run_jobs(self, full_name: str, run_id: str) -> dict: + """Query the GitHub REST API for the workflow run jobs. + + The url would be in the following form: + ``https://api.github/com/repos/{full_name}/actions/runs//jobs`` + + Parameters + ---------- + full_name : str + The full name of the target repo in the form ``owner/repo``. + run_id : str + The target workflow run ID. + + Returns + ------- + dict + The json query result or an empty dict if failed. + + Examples + -------- + The following call to this method will perform a query to + ``https://api.github/com/repos/{full_name}/ + actions/runs//jobs`` + + >>> gh_client.get_workflow_run_jobs( + full_name="owner/repo", + run_id= + ) + """ + logger.debug("Query GitHub to get run jobs for %s with run ID %s", full_name, run_id) + + url = f"{GhAPIClient._REPO_END_POINT}/{full_name}/actions/runs/{run_id}/jobs" + response_data = send_get_http(url, self.headers) + + return response_data + + def get_workflow_run_for_date_time_range(self, full_name: str, datetime_range: str) -> dict: + """Query the GitHub REST API for the workflow run within a datetime range. + + The url would be in the following form: + ``https://api.github.com/repos/{full_name}/actions/runs?create=datetime-range`` + + Parameters + ---------- + full_name : str + The full name of the target repo in the form ``owner/repo``. + datetime_range : str + The datetime range to query. + + Returns + ------- + dict + The json query result or an empty dict if failed. 
+ + Examples + -------- + The following call to this method will perform a query to + ``https://api.github/com/repos/owner/repo/actions/runs?created=2022-11-05T20:38:40..2022-11-05T20:38:58`` + + >>> e.g., gh_client.get_workflow_run_for_date_time_range( + full_name="owner/repo", + created=2022-11-05T20:38:40..2022-11-05T20:38:58 + ) + """ + logger.debug("Query GitHub to get run details for %s at %s", full_name, datetime_range) + query_params = {"created": datetime_range} + + encoded_params = construct_query(query_params) + url = f"{GhAPIClient._REPO_END_POINT}/{full_name}/actions/runs?" + encoded_params + response_data = send_get_http(url, self.headers) + + return response_data + def get_commit_data_from_hash(self, full_name: str, commit_hash: str) -> dict: """Query the GitHub API for the data of a commit using the hash for that commit. diff --git a/src/macaron/slsa_analyzer/package_registry/__init__.py b/src/macaron/slsa_analyzer/package_registry/__init__.py index 14dedf1a1..1c073063a 100644 --- a/src/macaron/slsa_analyzer/package_registry/__init__.py +++ b/src/macaron/slsa_analyzer/package_registry/__init__.py @@ -4,6 +4,7 @@ """This module defines the package registries.""" from macaron.slsa_analyzer.package_registry.jfrog_maven_registry import JFrogMavenRegistry +from macaron.slsa_analyzer.package_registry.maven_central_registry import MavenCentralRegistry from macaron.slsa_analyzer.package_registry.package_registry import PackageRegistry -PACKAGE_REGISTRIES: list[PackageRegistry] = [JFrogMavenRegistry()] +PACKAGE_REGISTRIES: list[PackageRegistry] = [JFrogMavenRegistry(), MavenCentralRegistry()] diff --git a/src/macaron/slsa_analyzer/package_registry/maven_central_registry.py b/src/macaron/slsa_analyzer/package_registry/maven_central_registry.py new file mode 100644 index 000000000..cf550505a --- /dev/null +++ b/src/macaron/slsa_analyzer/package_registry/maven_central_registry.py 
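Review bot: The two new docstrings contain wrong URLs and parameter names that will mislead anyone reproducing the queries: `https://api.github/com/...` appears three times and should be `https://api.github.com/...`, the run-jobs URL has lost its run-id placeholder (`actions/runs//jobs` should be `actions/runs/{run_id}/jobs`), and the date-range URL says `runs?create=datetime-range` while the code sends `created`. The example for `get_workflow_run_for_date_time_range` passes `created=...` but the method's parameter is `datetime_range`, and the literal `e.g.,` inside the `>>>` prompt makes it an invalid doctest. `run_id: str` is also at odds with the integer `id` the GitHub API returns and that `workflow_run_in_date_time_range` passes straight through; `run_id: int` (or `int | str`) would match actual usage.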
@@ -0,0 +1,181 @@
+# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""The module provides abstractions for the Maven Central package registry."""
+
+import logging
+from datetime import datetime, timezone
+from urllib.parse import SplitResult, urlunsplit
+
+import requests
+
+from macaron.config.defaults import defaults
+from macaron.errors import ConfigurationError, InvalidHTTPResponseError
+from macaron.slsa_analyzer.build_tool.base_build_tool import BaseBuildTool
+from macaron.slsa_analyzer.build_tool.gradle import Gradle
+from macaron.slsa_analyzer.build_tool.maven import Maven
+from macaron.slsa_analyzer.package_registry.package_registry import PackageRegistry
+from macaron.util import send_get_http_raw
+
+logger: logging.Logger = logging.getLogger(__name__)
+
+
+class MavenCentralRegistry(PackageRegistry):
+    """This class implements a Maven Central package registry."""
+
+    def __init__(
+        self,
+        hostname: str | None = None,
+        search_endpoint: str | None = None,
+        request_timeout: int | None = None,
+    ) -> None:
+        """
+        Initialize a Maven Central Registry instance.
+
+        Parameters
+        ----------
+        hostname : str
+            The hostname of the JFrog instance.
+        search_endpoint : str | None
+            The search REST API to find artifacts.
+        request_timeout : int | None
+            The timeout (in seconds) for requests made to the package registry.
+        """
+        self.hostname = hostname or ""
+        self.search_endpoint = search_endpoint or ""
+        self.request_timeout = request_timeout or 10
+        super().__init__("Maven Central Registry")
+
+    def load_defaults(self) -> None:
+        """Load the .ini configuration for the current package registry.
+
+        Raises
+        ------
+        ConfigurationError
+            If there is a schema violation in the ``maven_central`` section.
+        """
+        section_name = "package_registry.maven_central"
+        if not defaults.has_section(section_name):
+            return
+        section = defaults[section_name]
+
+        self.hostname = section.get("hostname")
+        if not self.hostname:
+            raise ConfigurationError(
+                f'The "hostname" key is missing in section [{section_name}] of the .ini configuration file.'
+            )
+
+        self.search_endpoint = section.get("search_endpoint")
+        if not self.search_endpoint:
+            raise ConfigurationError(
+                f'The "search_endpoint" key is missing in section [{section_name}] of the .ini configuration file.'
+            )
+
+        try:
+            self.request_timeout = section.getint("request_timeout", fallback=10)
+        except ValueError as error:
+            raise ConfigurationError(
+                f'The "request_timeout" value in section [{section_name}]'
+                f"of the .ini configuration file is invalid: {error}",
+            ) from error
+
+    def is_detected(self, build_tool: BaseBuildTool) -> bool:
+        """Detect if artifacts of the repo under analysis can possibly be published to this package registry.
+
+        The detection here is based on the repo's detected build tools.
+        If the package registry is compatible with the given build tools, it can be a
+        possible place where the artifacts produced from the repo are published.
+
+        ``MavenCentralRegistry`` is compatible with Maven and Gradle.
+
+        Parameters
+        ----------
+        build_tool : BaseBuildTool
+            A detected build tool of the repository under analysis.
+
+        Returns
+        -------
+        bool
+            ``True`` if the repo under analysis can be published to this package registry,
+            based on the given build tool.
+        """
+        compatible_build_tool_classes = [Maven, Gradle]
+        for build_tool_class in compatible_build_tool_classes:
+            if isinstance(build_tool, build_tool_class):
+                return True
+        return False
+
+    def find_publish_timestamp(self, group_id: str, artifact_id: str, version: str | None = None) -> datetime:
+        """Make a search request to Maven Central to find the publishing timestamp of an artifact.
+
+        If version is not provided, the timestamp of the latest version will be returned.
+
+        To see the search API syntax see: https://central.sonatype.org/search/rest-api-guide/
+
+        Parameters
+        ----------
+        group_id : str
+            The group id of the artifact.
+        artifact_id: str
+            The artifact id of the artifact.
+        version: str | None
+            The version of the artifact.
+
+        Returns
+        -------
+        datetime
+            The artifact publish timestamp as a timezone-aware datetime object.
+
+        Raises
+        ------
+        InvalidHTTPResponseError
+            If the HTTP response is invalid or unexpected.
+        """
+        query_params = [f"q=g:{group_id}", f"a:{artifact_id}"]
+        if version:
+            query_params.append(f"v:{version}")
+
+        try:
+            url = urlunsplit(
+                SplitResult(
+                    scheme="https",
+                    netloc=self.hostname,
+                    path=f"/{self.search_endpoint}",
+                    query="&".join(["+AND+".join(query_params), "core=gav", "rows=1", "wt=json"]),
+                    fragment="",
+                )
+            )
+        except ValueError as error:
+            raise InvalidHTTPResponseError("Failed to construct the search URL for Maven Central.") from error
+
+        response = send_get_http_raw(url, headers=None, timeout=self.request_timeout)
+        if response and response.status_code == 200:
+            try:
+                res_obj = response.json()
+            except requests.exceptions.JSONDecodeError as error:
+                raise InvalidHTTPResponseError(f"Failed to process response from Maven central for {url}.") from error
+            if not res_obj:
+                raise InvalidHTTPResponseError(f"Empty response returned by {url} .")
+            if not res_obj.get("response"):
+                raise InvalidHTTPResponseError(f"The response returned by {url} misses `response` attribute.")
+            if not res_obj.get("response").get("docs"):
+                logger.debug("Failed to find the artifact at Maven central: %s.", url)
+                raise InvalidHTTPResponseError(
+                    f"The response returned by {url} misses `response.docs` attribute or it is empty."
+                )
+
+            # We only consider the first ``docs`` element.
+            timestamp = res_obj.get("response").get("docs")[0].get("timestamp")
+            if not timestamp:
+                raise InvalidHTTPResponseError(f"The timestamp is missing in the response returned by {url}.")
+
+            logger.debug("Found timestamp: %s.", timestamp)
+
+            # The timestamp published in Maven Central is in milliseconds and needs to be divided by 1000.
+            # Unfortunately, this is not documented in the API docs.
+            try:
+                return datetime.fromtimestamp(timestamp / 1000, tz=timezone.utc)
+            except (OverflowError, OSError) as error:
+                raise InvalidHTTPResponseError(f"The timestamp returned by {url} is invalid") from error
+
+        raise InvalidHTTPResponseError(f"Invalid response from Maven central for {url}.")
diff --git a/src/macaron/slsa_analyzer/specs/inferred_provenance.py b/src/macaron/slsa_analyzer/specs/inferred_provenance.py
index 70baf5939..6d5bba573 100644
--- a/src/macaron/slsa_analyzer/specs/inferred_provenance.py
+++ b/src/macaron/slsa_analyzer/specs/inferred_provenance.py
@@ -8,7 +8,11 @@
 
 
 class Provenance:
-    """This class implements the inferred SLSA provenance."""
+    """This class implements the inferred SLSA provenance.
+
+    This inferred provenance implementation follows the SLSA v0.2 provenance schema.
+    See https://slsa.dev/spec/v0.2/provenance
+    """
 
     def __init__(self) -> None:
         """Initialize instance."""
@@ -24,7 +28,13 @@ def __init__(self) -> None:
                     "parameters": {},
                     "environment": {},
                 },
-                "buildConfig": {},
+                "buildConfig": {
+                    # This is an arbitrary JSON object with a schema defined by buildType.
+                    # We set these fields for GitHubActionsWorkflow buildType.
+                    # Note that some checks might consume these values.
+                    "jobID": "",
+                    "stepID": "",
+                },
                 "metadata": {
                     "buildInvocationId": "",
                     "buildStartedOn": "",
diff --git a/src/macaron/util.py b/src/macaron/util.py
index 2db5a3d56..8058759bb 100644
--- a/src/macaron/util.py
+++ b/src/macaron/util.py
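Review bot: In `find_publish_timestamp`, `group_id`, `artifact_id` and `version` are placed into the Solr query verbatim and `urlunsplit` does not percent-encode the query component, so a coordinate containing `&`, `+` or a space would change the query Maven Central receives; these values come from dependency metadata outside this module, so encode each one, e.g. `query_params = [f"q=g:{quote(group_id, safe='')}", f"a:{quote(artifact_id, safe='')}"]` and the same for `version`, with `quote` added to the existing `urllib.parse` import. The `except (OverflowError, OSError)` around `datetime.fromtimestamp(timestamp / 1000, tz=timezone.utc)` does not cover a non-numeric `timestamp` in the JSON, which would escape as a bare `TypeError` rather than the documented `InvalidHTTPResponseError`; extending the tuple to `(OverflowError, OSError, TypeError, ValueError)` keeps the error contract. The `hostname` entry in the `__init__` docstring still says "The hostname of the JFrog instance", and the two adjacent f-strings in the `request_timeout` error message join without a space between `]` and `of`. The docstring's claim that omitting `version` yields the latest version rests on the search service's default ordering, which I cannot confirm from this file, so it may be worth stating that as an assumption.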
@@ -56,7 +56,7 @@ def send_get_http(url: str, headers: dict) -> dict: return dict(response.json()) -def send_get_http_raw(url: str, headers: dict) -> Response | None: +def send_get_http_raw(url: str, headers: dict | None = None, timeout: int | None = None) -> Response | None: """Send the GET HTTP request with the given url and headers. This method also handle logging when the API server return error status code. @@ -65,8 +65,10 @@ def send_get_http_raw(url: str, headers: dict) -> Response | None: ---------- url : str The url of the request. - headers : dict + headers : dict | None The dict that describes the headers of the request. + timeout: int | None + The request timeout (optional). Returns ------- @@ -75,7 +77,7 @@ def send_get_http_raw(url: str, headers: dict) -> Response | None: """ logger.debug("GET - %s", url) response = requests.get( - url=url, headers=headers, timeout=defaults.getint("requests", "timeout", fallback=10) + url=url, headers=headers, timeout=timeout or defaults.getint("requests", "timeout", fallback=10) ) # nosec B113:request_without_timeout while response.status_code != 200: logger.error( diff --git a/tests/dependency_analyzer/cyclonedx/__snapshots__/test_cyclonedx.ambr b/tests/dependency_analyzer/cyclonedx/__snapshots__/test_cyclonedx.ambr index eba0d360e..4f08850d9 100644 --- a/tests/dependency_analyzer/cyclonedx/__snapshots__/test_cyclonedx.ambr +++ b/tests/dependency_analyzer/cyclonedx/__snapshots__/test_cyclonedx.ambr @@ -6,6 +6,7 @@ 'group': 'ch.qos.logback.contrib', 'name': 'logback-json-classic', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/ch.qos.logback.contrib/logback-json-classic@0.1.5?type=jar', 'url': '', 'version': '0.1.5', }), @@ -14,6 +15,7 @@ 'group': 'ch.qos.logback.contrib', 'name': 'logback-json-core', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/ch.qos.logback.contrib/logback-json-core@0.1.5?type=jar', 'url': '', 'version': '0.1.5', }), 
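Review bot: `timeout or defaults.getint("requests", "timeout", fallback=10)` in the `send_get_http_raw` body treats an explicit `timeout=0` the same as `None` and silently substitutes the configured default, so a caller's mistake is masked rather than reported by the request layer; writing it as `timeout=timeout if timeout is not None else defaults.getint("requests", "timeout", fallback=10)` makes "None means use the default" the only fallback. The new `headers : dict | None` docstring line could also state that `None` sends no extra headers, since that is what is now passed through to `requests.get`. The function body continues beyond the hunk.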
@@ -22,6 +24,7 @@ 'group': 'ch.qos.logback', 'name': 'logback-classic', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/ch.qos.logback/logback-classic@1.2.11?type=jar', 'url': '', 'version': '1.2.11', }), @@ -30,6 +33,7 @@ 'group': 'ch.qos.logback', 'name': 'logback-core', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/ch.qos.logback/logback-core@1.2.11?type=jar', 'url': '', 'version': '1.2.11', }), @@ -38,6 +42,7 @@ 'group': 'com.amazon.alexa', 'name': 'ask-sdk-core', 'note': 'https://github.com/amzn/alexa-skills-kit-java is already analyzed.', + 'purl': 'pkg:maven/com.amazon.alexa/ask-sdk-core@2.49.0?type=jar', 'url': 'https://github.com/amzn/alexa-skills-kit-java', 'version': '2.49.0', }), @@ -46,6 +51,7 @@ 'group': 'com.amazon.alexa', 'name': 'ask-sdk-lambda-support', 'note': '', + 'purl': 'pkg:maven/com.amazon.alexa/ask-sdk-lambda-support@2.49.0?type=jar', 'url': 'https://github.com/amzn/alexa-skills-kit-java', 'version': '2.49.0', }), @@ -54,6 +60,7 @@ 'group': 'com.amazon.alexa', 'name': 'ask-sdk-model', 'note': 'https://github.com/amzn/alexa-skills-kit-java is already analyzed.', + 'purl': 'pkg:maven/com.amazon.alexa/ask-sdk-model@1.43.0?type=jar', 'url': 'https://github.com/amzn/alexa-skills-kit-java', 'version': '1.43.0', }), @@ -62,6 +69,7 @@ 'group': 'com.amazon.alexa', 'name': 'ask-sdk-model-runtime', 'note': 'https://github.com/amzn/alexa-skills-kit-java is already analyzed.', + 'purl': 'pkg:maven/com.amazon.alexa/ask-sdk-model-runtime@1.0.5?type=jar', 'url': 'https://github.com/amzn/alexa-skills-kit-java', 'version': '1.0.5', }), @@ -70,6 +78,7 @@ 'group': 'com.amazon.alexa', 'name': 'ask-sdk-runtime', 'note': 'https://github.com/amzn/alexa-skills-kit-java is already analyzed.', + 'purl': 'pkg:maven/com.amazon.alexa/ask-sdk-runtime@2.49.0?type=jar', 'url': 'https://github.com/amzn/alexa-skills-kit-java', 'version': '2.49.0', }), 
@@ -78,6 +87,7 @@ 'group': 'com.amazonaws.serverless', 'name': 'aws-serverless-java-container-core', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/com.amazonaws.serverless/aws-serverless-java-container-core@1.9.1?type=jar', 'url': '', 'version': '1.9.1', }), @@ -86,6 +96,7 @@ 'group': 'com.amazonaws', 'name': 'aws-java-sdk-core', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/com.amazonaws/aws-java-sdk-core@1.12.382?type=jar', 'url': '', 'version': '1.12.382', }), @@ -94,6 +105,7 @@ 'group': 'com.amazonaws', 'name': 'aws-java-sdk-lambda', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/com.amazonaws/aws-java-sdk-lambda@1.12.382?type=jar', 'url': '', 'version': '1.12.382', }), @@ -102,6 +114,7 @@ 'group': 'com.amazonaws', 'name': 'aws-lambda-java-core', 'note': '', + 'purl': 'pkg:maven/com.amazonaws/aws-lambda-java-core@1.2.2?type=jar', 'url': 'https://github.com/aws/aws-lambda-java-libs', 'version': '1.2.2', }), @@ -110,6 +123,7 @@ 'group': 'com.amazonaws', 'name': 'aws-lambda-java-events', 'note': 'https://github.com/aws/aws-lambda-java-libs is already analyzed.', + 'purl': 'pkg:maven/com.amazonaws/aws-lambda-java-events@3.11.0?type=jar', 'url': 'https://github.com/aws/aws-lambda-java-libs', 'version': '3.11.0', }), @@ -118,6 +132,7 @@ 'group': 'com.amazonaws', 'name': 'jmespath-java', 'note': '', + 'purl': 'pkg:maven/com.amazonaws/jmespath-java@1.12.382?type=jar', 'url': 'https://github.com/aws/aws-sdk-java', 'version': '1.12.382', }), @@ -126,6 +141,7 @@ 'group': 'com.fasterxml.jackson.core', 'name': 'jackson-annotations', 'note': '', + 'purl': 'pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.1?type=jar', 'url': 'https://github.com/FasterXML/jackson-annotations', 'version': '2.14.1', }), 
@@ -134,6 +150,7 @@ 'group': 'com.fasterxml.jackson.core', 'name': 'jackson-core', 'note': '', + 'purl': 'pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.1?type=jar', 'url': 'https://github.com/FasterXML/jackson-core', 'version': '2.14.1', }), @@ -142,6 +159,7 @@ 'group': 'com.fasterxml.jackson.core', 'name': 'jackson-databind', 'note': '', + 'purl': 'pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.1?type=jar', 'url': 'https://github.com/FasterXML/jackson-databind', 'version': '2.14.1', }), @@ -150,6 +168,7 @@ 'group': 'com.fasterxml.jackson.dataformat', 'name': 'jackson-dataformat-cbor', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-cbor@2.14.1?type=jar', 'url': '', 'version': '2.14.1', }), @@ -158,6 +177,7 @@ 'group': 'com.fasterxml.jackson.datatype', 'name': 'jackson-datatype-jdk8', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.14.1?type=jar', 'url': '', 'version': '2.14.1', }), @@ -166,6 +186,7 @@ 'group': 'com.fasterxml.jackson.datatype', 'name': 'jackson-datatype-jsr310', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.14.1?type=jar', 'url': '', 'version': '2.14.1', }), @@ -174,6 +195,7 @@ 'group': 'com.fizzed', 'name': 'rocker-runtime', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/com.fizzed/rocker-runtime@1.3.0?type=jar', 'url': '', 'version': '1.3.0', }), @@ -182,6 +204,7 @@ 'group': 'com.googlecode.javaewah', 'name': 'JavaEWAH', 'note': '', + 'purl': 'pkg:maven/com.googlecode.javaewah/JavaEWAH@1.1.7?type=jar', 'url': 'https://github.com/lemire/javaewah', 'version': '1.1.7', }), 
@@ -190,6 +213,7 @@ 'group': 'com.typesafe', 'name': 'config', 'note': '', + 'purl': 'pkg:maven/com.typesafe/config@1.4.1?type=jar', 'url': 'https://github.com/lightbend/config', 'version': '1.4.1', }), @@ -198,6 +222,7 @@ 'group': 'commons-codec', 'name': 'commons-codec', 'note': '', + 'purl': 'pkg:maven/commons-codec/commons-codec@1.15?type=jar', 'url': 'https://github.com/apache/commons-codec', 'version': '1.15', }), @@ -206,6 +231,7 @@ 'group': 'commons-fileupload', 'name': 'commons-fileupload', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/commons-fileupload/commons-fileupload@1.4?type=jar', 'url': '', 'version': '1.4', }), @@ -214,6 +240,7 @@ 'group': 'commons-io', 'name': 'commons-io', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/commons-io/commons-io@2.11.0?type=jar', 'url': '', 'version': '2.11.0', }), @@ -222,6 +249,7 @@ 'group': 'commons-logging', 'name': 'commons-logging', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/commons-logging/commons-logging@1.2?type=jar', 'url': '', 'version': '1.2', }), @@ -230,6 +258,7 @@ 'group': 'io.github.java-diff-utils', 'name': 'java-diff-utils', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.github.java-diff-utils/java-diff-utils@4.10?type=jar', 'url': '', 'version': '4.10', }), @@ -238,6 +267,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-alexa', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-alexa@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -246,6 +276,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-alexa-httpserver', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-alexa-httpserver@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), 
@@ -254,6 +285,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-bom', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-bom@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -262,6 +294,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-cdk', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-cdk@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -270,6 +303,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-cloudwatch-logging', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-cloudwatch-logging@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -278,6 +312,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-common', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-common@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -286,6 +321,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-distributed-configuration', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-distributed-configuration@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -294,6 +330,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-parameter-store', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-parameter-store@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -302,6 +339,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-sdk-v1', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-sdk-v1@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), 
@@ -310,6 +348,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-sdk-v2', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-sdk-v2@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -318,6 +357,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-secretsmanager', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-secretsmanager@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -326,6 +366,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-service-discovery', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-service-discovery@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -334,6 +375,7 @@ 'group': 'io.micronaut.aws', 'name': 'aws-ua', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/aws-ua@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -342,6 +384,7 @@ 'group': 'io.micronaut.aws', 'name': 'function-aws', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/function-aws@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -350,6 +393,7 @@ 'group': 'io.micronaut.aws', 'name': 'function-aws-alexa', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/function-aws-alexa@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -358,6 +402,7 @@ 'group': 'io.micronaut.aws', 'name': 'function-aws-api-proxy-test', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/function-aws-api-proxy-test@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), 
@@ -366,6 +411,7 @@ 'group': 'io.micronaut.aws', 'name': 'function-aws-custom-runtime', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/function-aws-custom-runtime@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -374,6 +420,7 @@ 'group': 'io.micronaut.aws', 'name': 'function-aws-test', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/function-aws-test@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -382,6 +429,7 @@ 'group': 'io.micronaut.aws', 'name': 'function-client-aws', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/function-client-aws@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -390,6 +438,7 @@ 'group': 'io.micronaut.aws', 'name': 'test-suite', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/test-suite@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -398,6 +447,7 @@ 'group': 'io.micronaut.aws', 'name': 'test-suite-aws-sdk-v2', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/test-suite-aws-sdk-v2@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -406,6 +456,7 @@ 'group': 'io.micronaut.aws', 'name': 'test-suite-groovy', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/test-suite-groovy@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -414,6 +465,7 @@ 'group': 'io.micronaut.aws', 'name': 'test-suite-http-server-tck-function-aws-api-proxy', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/test-suite-http-server-tck-function-aws-api-proxy@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), 
@@ -422,6 +474,7 @@ 'group': 'io.micronaut.aws', 'name': 'test-suite-kotlin', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.micronaut.aws/test-suite-kotlin@4.0.0-SNAPSHOT?type=jar', 'url': '', 'version': '4.0.0-SNAPSHOT', }), @@ -430,6 +483,7 @@ 'group': 'io.micronaut.discovery', 'name': 'micronaut-discovery-client', 'note': '', + 'purl': 'pkg:maven/io.micronaut.discovery/micronaut-discovery-client@3.2.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-discovery-client', 'version': '3.2.0', }), @@ -438,6 +492,7 @@ 'group': 'io.micronaut.serde', 'name': 'micronaut-serde-api', 'note': '', + 'purl': 'pkg:maven/io.micronaut.serde/micronaut-serde-api@1.5.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-serialization', 'version': '1.5.0', }), @@ -446,6 +501,7 @@ 'group': 'io.micronaut.serde', 'name': 'micronaut-serde-jackson', 'note': 'https://github.com/micronaut-projects/micronaut-serialization is already analyzed.', + 'purl': 'pkg:maven/io.micronaut.serde/micronaut-serde-jackson@1.5.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-serialization', 'version': '1.5.0', }), @@ -454,6 +510,7 @@ 'group': 'io.micronaut.serde', 'name': 'micronaut-serde-support', 'note': 'https://github.com/micronaut-projects/micronaut-serialization is already analyzed.', + 'purl': 'pkg:maven/io.micronaut.serde/micronaut-serde-support@1.5.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-serialization', 'version': '1.5.0', }), @@ -462,6 +519,7 @@ 'group': 'io.micronaut.starter', 'name': 'micronaut-starter-api', 'note': '', + 'purl': 'pkg:maven/io.micronaut.starter/micronaut-starter-api@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-starter', 'version': '3.8.0', }), 
@@ -470,6 +528,7 @@ 'group': 'io.micronaut.starter', 'name': 'micronaut-starter-core', 'note': 'https://github.com/micronaut-projects/micronaut-starter is already analyzed.', + 'purl': 'pkg:maven/io.micronaut.starter/micronaut-starter-core@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-starter', 'version': '3.8.0', }), @@ -478,6 +537,7 @@ 'group': 'io.micronaut.test', 'name': 'micronaut-test-core', 'note': 'https://github.com/micronaut-projects/micronaut-test is already analyzed.', + 'purl': 'pkg:maven/io.micronaut.test/micronaut-test-core@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-test', 'version': '3.8.0', }), @@ -486,6 +546,7 @@ 'group': 'io.micronaut.test', 'name': 'micronaut-test-junit5', 'note': '', + 'purl': 'pkg:maven/io.micronaut.test/micronaut-test-junit5@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-test', 'version': '3.8.0', }), @@ -494,6 +555,7 @@ 'group': 'io.micronaut.testresources', 'name': 'micronaut-test-resources-build-tools', 'note': '', + 'purl': 'pkg:maven/io.micronaut.testresources/micronaut-test-resources-build-tools@1.2.3?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-test-resources', 'version': '1.2.3', }), @@ -502,6 +564,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-aop', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-aop@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -510,6 +573,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-buffer-netty', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-buffer-netty@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), 
@@ -518,6 +582,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-context', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-context@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -526,6 +591,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-core', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-core@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -534,6 +600,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-core-reactive', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-core-reactive@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -542,6 +609,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-function', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-function@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -550,6 +618,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-function-client', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-function-client@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -558,6 +627,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-http', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-http@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), 
@@ -566,6 +636,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-http-client', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-http-client@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -574,6 +645,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-http-client-core', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-http-client-core@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -582,6 +654,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-http-netty', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-http-netty@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -590,6 +663,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-http-server', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-http-server@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -598,6 +672,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-inject', 'note': '', + 'purl': 'pkg:maven/io.micronaut/micronaut-inject@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -606,6 +681,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-jackson-core', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-jackson-core@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), 
@@ -614,6 +690,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-jackson-databind', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-jackson-databind@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -622,6 +699,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-json-core', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-json-core@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -630,6 +708,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-router', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-router@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -638,6 +717,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-runtime', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-runtime@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -646,6 +726,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-validation', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-validation@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), @@ -654,6 +735,7 @@ 'group': 'io.micronaut', 'name': 'micronaut-websocket', 'note': 'https://github.com/micronaut-projects/micronaut-core is already analyzed.', + 'purl': 'pkg:maven/io.micronaut/micronaut-websocket@3.8.0?type=jar', 'url': 'https://github.com/micronaut-projects/micronaut-core', 'version': '3.8.0', }), 
@@ -662,6 +744,7 @@ 'group': 'io.netty', 'name': 'netty-buffer', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-buffer@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -670,6 +753,7 @@ 'group': 'io.netty', 'name': 'netty-codec', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-codec@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -678,6 +762,7 @@ 'group': 'io.netty', 'name': 'netty-codec-http', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-codec-http@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -686,6 +771,7 @@ 'group': 'io.netty', 'name': 'netty-codec-http2', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-codec-http2@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -694,6 +780,7 @@ 'group': 'io.netty', 'name': 'netty-codec-socks', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-codec-socks@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -702,6 +789,7 @@ 'group': 'io.netty', 'name': 'netty-common', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-common@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -710,6 +798,7 @@ 'group': 'io.netty', 'name': 'netty-handler', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-handler@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -718,6 +807,7 @@ 'group': 'io.netty', 'name': 'netty-handler-proxy', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-handler-proxy@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), 
@@ -726,6 +816,7 @@ 'group': 'io.netty', 'name': 'netty-resolver', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-resolver@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -734,6 +825,7 @@ 'group': 'io.netty', 'name': 'netty-transport', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-transport@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -742,6 +834,7 @@ 'group': 'io.netty', 'name': 'netty-transport-classes-epoll', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-transport-classes-epoll@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -750,6 +843,7 @@ 'group': 'io.netty', 'name': 'netty-transport-native-unix-common', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.netty/netty-transport-native-unix-common@4.1.86.Final?type=jar', 'url': '', 'version': '4.1.86.Final', }), @@ -758,6 +852,7 @@ 'group': 'io.projectreactor', 'name': 'reactor-core', 'note': '', + 'purl': 'pkg:maven/io.projectreactor/reactor-core@3.5.0?type=jar', 'url': 'https://github.com/reactor/reactor-core', 'version': '3.5.0', }), @@ -766,6 +861,7 @@ 'group': 'io.swagger.core.v3', 'name': 'swagger-annotations', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/io.swagger.core.v3/swagger-annotations@2.2.7?type=jar', 'url': '', 'version': '2.2.7', }), @@ -774,6 +870,7 @@ 'group': 'jakarta.annotation', 'name': 'jakarta.annotation-api', 'note': '', + 'purl': 'pkg:maven/jakarta.annotation/jakarta.annotation-api@2.1.1?type=jar', 'url': 'https://github.com/eclipse-ee4j/common-annotations-api', 'version': '2.1.1', }), 
@@ -782,6 +879,7 @@ 'group': 'jakarta.inject', 'name': 'jakarta.inject-api', 'note': '', + 'purl': 'pkg:maven/jakarta.inject/jakarta.inject-api@2.0.1?type=jar', 'url': 'https://github.com/eclipse-ee4j/injection-api', 'version': '2.0.1', }), @@ -790,6 +888,7 @@ 'group': 'javax.annotation', 'name': 'javax.annotation-api', 'note': '', + 'purl': 'pkg:maven/javax.annotation/javax.annotation-api@1.3.2?type=jar', 'url': 'https://github.com/javaee/javax.annotation', 'version': '1.3.2', }), @@ -798,6 +897,7 @@ 'group': 'javax.inject', 'name': 'javax.inject', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/javax.inject/javax.inject@1?type=jar', 'url': '', 'version': '1', }), @@ -806,6 +906,7 @@ 'group': 'javax.servlet', 'name': 'javax.servlet-api', 'note': '', + 'purl': 'pkg:maven/javax.servlet/javax.servlet-api@4.0.1?type=jar', 'url': 'https://github.com/javaee/servlet-spec', 'version': '4.0.1', }), @@ -814,6 +915,7 @@ 'group': 'javax.validation', 'name': 'validation-api', 'note': '', + 'purl': 'pkg:maven/javax.validation/validation-api@2.0.1.Final?type=jar', 'url': 'https://github.com/beanvalidation/beanvalidation-api', 'version': '2.0.1.Final', }), @@ -822,6 +924,7 @@ 'group': 'joda-time', 'name': 'joda-time', 'note': '', + 'purl': 'pkg:maven/joda-time/joda-time@2.8.1?type=jar', 'url': 'https://github.com/JodaOrg/joda-time', 'version': '2.8.1', }), @@ -830,6 +933,7 @@ 'group': 'org.apache.commons', 'name': 'commons-compress', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.apache.commons/commons-compress@1.21?type=jar', 'url': '', 'version': '1.21', }), @@ -838,6 +942,7 @@ 'group': 'org.apache.httpcomponents', 'name': 'httpclient', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.apache.httpcomponents/httpclient@4.5.13?type=jar', 'url': '', 'version': '4.5.13', }), 
@@ -846,6 +951,7 @@ 'group': 'org.apache.httpcomponents', 'name': 'httpcore', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.apache.httpcomponents/httpcore@4.4.13?type=jar', 'url': '', 'version': '4.4.13', }), @@ -854,6 +960,7 @@ 'group': 'org.apache.httpcomponents', 'name': 'httpmime', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.apache.httpcomponents/httpmime@4.5.13?type=jar', 'url': '', 'version': '4.5.13', }), @@ -862,6 +969,7 @@ 'group': 'org.apache.logging.log4j', 'name': 'log4j-api', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.apache.logging.log4j/log4j-api@2.19.0?type=jar', 'url': '', 'version': '2.19.0', }), @@ -870,6 +978,7 @@ 'group': 'org.apache.logging.log4j', 'name': 'log4j-core', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.apache.logging.log4j/log4j-core@2.19.0?type=jar', 'url': '', 'version': '2.19.0', }), @@ -878,6 +987,7 @@ 'group': 'org.apache.logging.log4j', 'name': 'log4j-slf4j-impl', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.apache.logging.log4j/log4j-slf4j-impl@2.19.0?type=jar', 'url': '', 'version': '2.19.0', }), @@ -886,6 +996,7 @@ 'group': 'org.eclipse.jetty', 'name': 'jetty-http', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.eclipse.jetty/jetty-http@9.4.50.v20221201?type=jar', 'url': '', 'version': '9.4.50.v20221201', }), @@ -894,6 +1005,7 @@ 'group': 'org.eclipse.jetty', 'name': 'jetty-io', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.eclipse.jetty/jetty-io@9.4.50.v20221201?type=jar', 'url': '', 'version': '9.4.50.v20221201', }), 
@@ -902,6 +1014,7 @@ 'group': 'org.eclipse.jetty', 'name': 'jetty-server', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.eclipse.jetty/jetty-server@9.4.50.v20221201?type=jar', 'url': '', 'version': '9.4.50.v20221201', }), @@ -910,6 +1023,7 @@ 'group': 'org.eclipse.jetty', 'name': 'jetty-util', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.eclipse.jetty/jetty-util@9.4.50.v20221201?type=jar', 'url': '', 'version': '9.4.50.v20221201', }), @@ -918,6 +1032,7 @@ 'group': 'org.eclipse.jgit', 'name': 'org.eclipse.jgit', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.eclipse.jgit/org.eclipse.jgit@5.11.1.202105131744-r?type=jar', 'url': '', 'version': '5.11.1.202105131744-r', }), @@ -926,6 +1041,7 @@ 'group': 'org.jetbrains.kotlin', 'name': 'kotlin-stdlib', 'note': 'https://github.com/JetBrains/kotlin is already analyzed.', + 'purl': 'pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.7.21?type=jar', 'url': 'https://github.com/JetBrains/kotlin', 'version': '1.7.21', }), @@ -934,6 +1050,7 @@ 'group': 'org.jetbrains.kotlin', 'name': 'kotlin-stdlib-common', 'note': 'https://github.com/JetBrains/kotlin is already analyzed.', + 'purl': 'pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.7.21?type=jar', 'url': 'https://github.com/JetBrains/kotlin', 'version': '1.7.21', }), @@ -942,6 +1059,7 @@ 'group': 'org.jetbrains.kotlin', 'name': 'kotlin-stdlib-jdk7', 'note': '', + 'purl': 'pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.7.21?type=jar', 'url': 'https://github.com/JetBrains/kotlin', 'version': '1.7.21', }), @@ -950,6 +1068,7 @@ 'group': 'org.jetbrains.kotlin', 'name': 'kotlin-stdlib-jdk8', 'note': 'https://github.com/JetBrains/kotlin is already analyzed.', + 'purl': 'pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.7.21?type=jar', 'url': 'https://github.com/JetBrains/kotlin', 'version': '1.7.21', }), 
@@ -958,6 +1077,7 @@ 'group': 'org.jetbrains', 'name': 'annotations', 'note': '', + 'purl': 'pkg:maven/org.jetbrains/annotations@19.0.0?type=jar', 'url': 'https://github.com/JetBrains/java-annotations', 'version': '19.0.0', }), @@ -966,6 +1086,7 @@ 'group': 'org.junit.jupiter', 'name': 'junit-jupiter-api', 'note': '', + 'purl': 'pkg:maven/org.junit.jupiter/junit-jupiter-api@5.9.1?type=jar', 'url': 'https://github.com/junit-team/junit5', 'version': '5.9.1', }), @@ -974,6 +1095,7 @@ 'group': 'org.junit.platform', 'name': 'junit-platform-commons', 'note': 'https://github.com/junit-team/junit5 is already analyzed.', + 'purl': 'pkg:maven/org.junit.platform/junit-platform-commons@1.9.1?type=jar', 'url': 'https://github.com/junit-team/junit5', 'version': '1.9.1', }), @@ -982,6 +1104,7 @@ 'group': 'org.opentest4j', 'name': 'opentest4j', 'note': '', + 'purl': 'pkg:maven/org.opentest4j/opentest4j@1.2.0?type=jar', 'url': 'https://github.com/ota4j-team/opentest4j', 'version': '1.2.0', }), @@ -990,6 +1113,7 @@ 'group': 'org.reactivestreams', 'name': 'reactive-streams', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.reactivestreams/reactive-streams@1.0.4?type=jar', 'url': '', 'version': '1.0.4', }), @@ -998,6 +1122,7 @@ 'group': 'org.slf4j', 'name': 'jcl-over-slf4j', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.slf4j/jcl-over-slf4j@1.7.36?type=jar', 'url': '', 'version': '1.7.36', }), @@ -1006,6 +1131,7 @@ 'group': 'org.slf4j', 'name': 'slf4j-api', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.slf4j/slf4j-api@1.7.36?type=jar', 'url': '', 'version': '1.7.36', }), @@ -1014,6 +1140,7 @@ 'group': 'org.yaml', 'name': 'snakeyaml', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/org.yaml/snakeyaml@1.33?type=jar', 'url': '', 'version': '1.33', }), 
@@ -1022,6 +1149,7 @@ 'group': 'software.amazon.awscdk', 'name': 'aws-cdk-lib', 'note': '', + 'purl': 'pkg:maven/software.amazon.awscdk/aws-cdk-lib@2.59.0?type=jar', 'url': 'https://github.com/aws/aws-cdk', 'version': '2.59.0', }), @@ -1030,6 +1158,7 @@ 'group': 'software.amazon.awscdk', 'name': 'cdk-asset-awscli-v1', 'note': '', + 'purl': 'pkg:maven/software.amazon.awscdk/cdk-asset-awscli-v1@2.2.52?type=jar', 'url': 'https://github.com/cdklabs/awscdk-asset-awscli', 'version': '2.2.52', }), @@ -1038,6 +1167,7 @@ 'group': 'software.amazon.awscdk', 'name': 'cdk-asset-kubectl-v20', 'note': '', + 'purl': 'pkg:maven/software.amazon.awscdk/cdk-asset-kubectl-v20@2.1.1?type=jar', 'url': 'https://github.com/cdklabs/awscdk-asset-kubectl', 'version': '2.1.1', }), @@ -1046,6 +1176,7 @@ 'group': 'software.amazon.awscdk', 'name': 'cdk-asset-node-proxy-agent-v5', 'note': '', + 'purl': 'pkg:maven/software.amazon.awscdk/cdk-asset-node-proxy-agent-v5@2.0.42?type=jar', 'url': 'https://github.com/cdklabs/awscdk-asset-node-proxy-agent', 'version': '2.0.42', }), @@ -1054,6 +1185,7 @@ 'group': 'software.amazon.awssdk', 'name': 'annotations', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/annotations@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1062,6 +1194,7 @@ 'group': 'software.amazon.awssdk', 'name': 'apache-client', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/apache-client@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1070,6 +1203,7 @@ 'group': 'software.amazon.awssdk', 'name': 'auth', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/auth@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), 
@@ -1078,6 +1212,7 @@ 'group': 'software.amazon.awssdk', 'name': 'aws-core', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/aws-core@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1086,6 +1221,7 @@ 'group': 'software.amazon.awssdk', 'name': 'aws-json-protocol', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/aws-json-protocol@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1094,6 +1230,7 @@ 'group': 'software.amazon.awssdk', 'name': 'cloudwatchlogs', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/cloudwatchlogs@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1102,6 +1239,7 @@ 'group': 'software.amazon.awssdk', 'name': 'endpoints-spi', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/endpoints-spi@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1110,6 +1248,7 @@ 'group': 'software.amazon.awssdk', 'name': 'http-client-spi', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/http-client-spi@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1118,6 +1257,7 @@ 'group': 'software.amazon.awssdk', 'name': 'json-utils', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/json-utils@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1126,6 +1266,7 @@ 'group': 'software.amazon.awssdk', 'name': 'metrics-spi', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/metrics-spi@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), 
@@ -1134,6 +1275,7 @@ 'group': 'software.amazon.awssdk', 'name': 'netty-nio-client', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/netty-nio-client@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1142,6 +1284,7 @@ 'group': 'software.amazon.awssdk', 'name': 'profiles', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/profiles@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1150,6 +1293,7 @@ 'group': 'software.amazon.awssdk', 'name': 'protocol-core', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/protocol-core@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1158,6 +1302,7 @@ 'group': 'software.amazon.awssdk', 'name': 'regions', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/regions@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1166,6 +1311,7 @@ 'group': 'software.amazon.awssdk', 'name': 'sdk-core', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/sdk-core@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1174,6 +1320,7 @@ 'group': 'software.amazon.awssdk', 'name': 'secretsmanager', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/secretsmanager@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1182,6 +1329,7 @@ 'group': 'software.amazon.awssdk', 'name': 'servicediscovery', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/servicediscovery@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), 
@@ -1190,6 +1338,7 @@ 'group': 'software.amazon.awssdk', 'name': 'ssm', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/ssm@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1198,6 +1347,7 @@ 'group': 'software.amazon.awssdk', 'name': 'third-party-jackson-core', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/third-party-jackson-core@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1206,6 +1356,7 @@ 'group': 'software.amazon.awssdk', 'name': 'utils', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.awssdk/utils@2.19.14?type=jar', 'url': '', 'version': '2.19.14', }), @@ -1214,6 +1365,7 @@ 'group': 'software.amazon.eventstream', 'name': 'eventstream', 'note': '', + 'purl': 'pkg:maven/software.amazon.eventstream/eventstream@1.0.1?type=jar', 'url': 'https://github.com/awslabs/aws-eventstream-java', 'version': '1.0.1', }), @@ -1222,6 +1374,7 @@ 'group': 'software.amazon.ion', 'name': 'ion-java', 'note': 'Manual configuration required. Could not find SCM URL.', + 'purl': 'pkg:maven/software.amazon.ion/ion-java@1.0.2?type=jar', 'url': '', 'version': '1.0.2', }), @@ -1230,6 +1383,7 @@ 'group': 'software.amazon.jsii', 'name': 'jsii-runtime', 'note': '', + 'purl': 'pkg:maven/software.amazon.jsii/jsii-runtime@1.73.0?type=jar', 'url': 'https://github.com/aws/jsii', 'version': '1.73.0', }), @@ -1238,6 +1392,7 @@ 'group': 'software.constructs', 'name': 'constructs', 'note': '', + 'purl': 'pkg:maven/software.constructs/constructs@10.1.232?type=jar', 'url': 'https://github.com/aws/constructs', 'version': '10.1.232', }), @@ -12225,6 +12380,7 @@ 'group': '', 'name': 'joda-time', 'note': '', + 'purl': 'pkg:maven/joda-time/joda-time@2.6?type=jar', 'url': 'https://github.com/JodaOrg/joda-time', 'version': '2.6', }), 
@@ -12237,6 +12393,7 @@ 'group': 'joda-time', 'name': 'joda-time', 'note': '', + 'purl': 'pkg:maven/joda-time/joda-time@2.6?type=jar', 'url': 'https://github.com/JodaOrg/joda-time', 'version': '', }), @@ -12249,6 +12406,7 @@ 'group': 'joda-time', 'name': 'joda-time', 'note': '', + 'purl': 'pkg:maven/joda-time/joda-time@2.6?type=jar', 'url': 'https://github.com/JodaOrg/joda-time', 'version': '2.7', }), diff --git a/tests/dependency_analyzer/expected_results/apache_maven_with_sbom_provided.json b/tests/dependency_analyzer/expected_results/apache_maven_with_sbom_provided.json index 493861603..15a974507 100644 --- a/tests/dependency_analyzer/expected_results/apache_maven_with_sbom_provided.json +++ b/tests/dependency_analyzer/expected_results/apache_maven_with_sbom_provided.json @@ -1,7 +1,7 @@ [ { "id": "org.junit.jupiter:junit-jupiter-engine", - "purl": "", + "purl": "pkg:maven/org.junit.jupiter/junit-jupiter-engine@5.8.1?type=jar", "path": "https://github.com/junit-team/junit5", "branch": "", "digest": "", @@ -10,7 +10,7 @@ }, { "id": "org.hamcrest:hamcrest-core", - "purl": "", + "purl": "pkg:maven/org.hamcrest/hamcrest-core@2.2?type=jar", "path": "https://github.com/hamcrest/JavaHamcrest", "branch": "", "digest": "", @@ -19,7 +19,7 @@ }, { "id": "org.apache.maven:maven-model", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-model@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -28,7 +28,7 @@ }, { "id": "org.apache.maven:maven-artifact", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-artifact@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -37,7 +37,7 @@ }, { "id": "org.apache.maven:maven-plugin-api", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-plugin-api@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", 
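Review bot: In the `@@ -12237` and `@@ -12249` hunks the added purl is `pkg:maven/joda-time/joda-time@2.6?type=jar` while the sibling `version` field is `''` in one entry and `'2.7'` in the other, and in the preceding `@@ -12225` hunk `group` is `''` while the purl carries `joda-time`. If the new artifact-to-pipeline check resolves the Maven Central artifact from the purl, a purl that disagrees with the recorded group/version points the registry lookup at a different artifact than the one the row describes, so this snapshot pins a mismatch rather than a consistent record. If these rows deliberately exercise how conflicting SBOM fields are handled, say so in the test that produces them, e.g. `# NOTE: purl is taken verbatim from the SBOM component and is not reconciled with group/version`; otherwise the purl should be derived from, or validated against, the same group/artifact/version that fill the other fields. The test function that generates these rows is outside the hunk, so whether the mismatch is intentional cannot be confirmed from here.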
@@ -46,7 +46,7 @@ }, { "id": "org.apache.maven:maven-builder-support", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-builder-support@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -55,7 +55,7 @@ }, { "id": "org.apache.maven:maven-model-transform", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-model-transform@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -64,7 +64,7 @@ }, { "id": "org.apache.maven:maven-model-builder", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-model-builder@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -73,7 +73,7 @@ }, { "id": "org.apache.maven:maven-settings", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-settings@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -82,7 +82,7 @@ }, { "id": "org.apache.maven:maven-settings-builder", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-settings-builder@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -91,7 +91,7 @@ }, { "id": "org.apache.maven:maven-toolchain-model", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-toolchain-model@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -100,7 +100,7 @@ }, { "id": "org.apache.maven:maven-toolchain-builder", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-toolchain-builder@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -109,7 +109,7 @@ }, { "id": "org.apache.maven:maven-repository-metadata", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-repository-metadata@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -118,7 +118,7 @@ }, { "id": "org.apache.maven:maven-resolver-provider", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-resolver-provider@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", 
@@ -127,7 +127,7 @@ }, { "id": "org.apache.maven:maven-core", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-core@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -136,7 +136,7 @@ }, { "id": "org.apache.maven:maven-slf4j-wrapper", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-slf4j-wrapper@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -145,7 +145,7 @@ }, { "id": "org.apache.maven:maven-slf4j-provider", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-slf4j-provider@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -154,7 +154,7 @@ }, { "id": "org.apache.maven:maven-embedder", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-embedder@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -163,7 +163,7 @@ }, { "id": "org.apache.maven:maven-compat", - "purl": "", + "purl": "pkg:maven/org.apache.maven/maven-compat@4.0.0-alpha-1-SNAPSHOT?type=jar", "path": "", "branch": "", "digest": "", @@ -172,7 +172,7 @@ }, { "id": "org.apache.maven:apache-maven", - "purl": "", + "purl": "pkg:maven/org.apache.maven/apache-maven@4.0.0-alpha-1-SNAPSHOT?type=pom", "path": "", "branch": "", "digest": "", diff --git a/tests/dependency_analyzer/expected_results/cyclonedx_apache_maven.json b/tests/dependency_analyzer/expected_results/cyclonedx_apache_maven.json index 5023681ee..6e228010d 100644 --- a/tests/dependency_analyzer/expected_results/cyclonedx_apache_maven.json +++ b/tests/dependency_analyzer/expected_results/cyclonedx_apache_maven.json @@ -1,7 +1,7 @@ [ { "id": "org.junit.jupiter:junit-jupiter-engine", - "purl": "", + "purl": "pkg:maven/org.junit.jupiter/junit-jupiter-engine@5.8.1?type=jar", "path": "https://github.com/junit-team/junit5", "branch": "", "digest": "", 
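Review bot: The `@@ -172,7 +172,7 @@` hunk pins `pkg:maven/org.apache.maven/apache-maven@4.0.0-alpha-1-SNAPSHOT?type=pom`, a SNAPSHOT version with a `pom` type, unlike the release `jar` purls elsewhere in this file. Maven Central does not host SNAPSHOT artifacts, so a registry lookup driven by this purl (which the PR description says the new check performs) cannot succeed; make sure that outcome surfaces as "no pipeline could be inferred" rather than an exception or a silent skip, and that `type=pom` is either handled or explicitly excluded by whatever parses the purl qualifiers. The lookup code is not in this hunk, so this is a caveat to verify against the check implementation rather than a defect in the fixture itself.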
@@ -10,7 +10,7 @@ }, { "id": "org.hamcrest:hamcrest-core", - "purl": "", + "purl": "pkg:maven/org.hamcrest/hamcrest-core@2.2?type=jar", "path": "https://github.com/hamcrest/JavaHamcrest", "branch": "", "digest": "", @@ -19,7 +19,7 @@ }, { "id": "org.eclipse.sisu:org.eclipse.sisu.plexus", - "purl": "", + "purl": "pkg:maven/org.eclipse.sisu/org.eclipse.sisu.plexus@0.3.5?type=jar", "path": "", "branch": "", "digest": "", @@ -28,7 +28,7 @@ }, { "id": "org.codehaus.plexus:plexus-utils", - "purl": "", + "purl": "pkg:maven/org.codehaus.plexus/plexus-utils@3.3.0?type=jar", "path": "https://github.com/codehaus-plexus/plexus-utils", "branch": "", "digest": "", @@ -37,7 +37,7 @@ }, { "id": "org.codehaus.plexus:plexus-classworlds", - "purl": "", + "purl": "pkg:maven/org.codehaus.plexus/plexus-classworlds@2.6.0?type=jar", "path": "https://github.com/codehaus-plexus/plexus-classworlds", "branch": "", "digest": "", @@ -46,7 +46,7 @@ }, { "id": "org.slf4j:slf4j-api", - "purl": "", + "purl": "pkg:maven/org.slf4j/slf4j-api@1.7.32?type=jar", "path": "https://github.com/qos-ch/slf4j", "branch": "", "digest": "", @@ -55,7 +55,7 @@ }, { "id": "org.apache.maven.shared:maven-shared-utils", - "purl": "", + "purl": "pkg:maven/org.apache.maven.shared/maven-shared-utils@3.3.4?type=jar", "path": "https://github.com/apache/maven-shared-utils", "branch": "", "digest": "", @@ -64,7 +64,7 @@ }, { "id": "org.apache.maven.resolver:maven-resolver-api", - "purl": "", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-api@1.8.0?type=jar", "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", 
@@ -73,16 +73,16 @@ }, { "id": "org.apache.maven.resolver:maven-resolver-util", - "purl": "", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-util@1.8.0?type=jar", "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-resolver is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "com.google.inject:guice", - "purl": "", + "purl": "pkg:maven/com.google.inject/guice@4.2.3?classifier=no_aop&type=jar", "path": "https://github.com/google/guice", "branch": "", "digest": "", @@ -91,7 +91,7 @@ }, { "id": "com.google.guava:guava", - "purl": "", + "purl": "pkg:maven/com.google.guava/guava@30.1-jre?type=jar", "path": "https://github.com/google/guava", "branch": "", "digest": "", @@ -100,7 +100,7 @@ }, { "id": "com.google.guava:failureaccess", - "purl": "", + "purl": "pkg:maven/com.google.guava/failureaccess@1.0.1?type=jar", "path": "https://github.com/google/guava", "branch": "", "digest": "", @@ -109,7 +109,7 @@ }, { "id": "javax.inject:javax.inject", - "purl": "", + "purl": "pkg:maven/javax.inject/javax.inject@1?type=jar", "path": "", "branch": "", "digest": "", @@ -118,7 +118,7 @@ }, { "id": "javax.annotation:javax.annotation-api", - "purl": "", + "purl": "pkg:maven/javax.annotation/javax.annotation-api@1.3.2?type=jar", "path": "https://github.com/javaee/javax.annotation", "branch": "", "digest": "", @@ -127,7 +127,7 @@ }, { "id": "org.codehaus.plexus:plexus-sec-dispatcher", - "purl": "", + "purl": "pkg:maven/org.codehaus.plexus/plexus-sec-dispatcher@2.0?type=jar", "path": "https://github.com/codehaus-plexus/plexus-sec-dispatcher", "branch": "", "digest": "", @@ -136,7 +136,7 @@ }, { "id": "org.codehaus.plexus:plexus-cipher", - "purl": "", + "purl": "pkg:maven/org.codehaus.plexus/plexus-cipher@2.0?type=jar", "path": "https://github.com/codehaus-plexus/plexus-cipher", "branch": "", "digest": "", 
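Review bot: In the `@@ -73,16 +73,16 @@` hunk `maven-resolver-util` flips from `AVAILABLE` to `DUPLICATED REPO URL` because it shares `https://github.com/apache/maven-resolver` with `maven-resolver-api`, and the same flip recurs below for the other resolver, wagon and apache-parent artifacts. Deduplicating on repository URL means only the first artifact from a multi-module repository is analyzed, yet the new check maps a specific artifact (the purl added on the line above) to the workflow run that published it, so sibling artifacts with their own purls, versions and possibly their own release pipelines receive no result of their own. If that trade-off is intended, document it where the duplicate-repo decision is made, e.g. `# NOTE: only the first artifact per repo URL is analyzed; sibling modules of a multi-module build are not mapped to a pipeline individually`; otherwise consider keying the deduplication on purl, or on repo URL plus version, so each published artifact is checked. The code making that decision is outside this hunk.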
@@ -145,7 +145,7 @@ }, { "id": "org.slf4j:slf4j-simple", - "purl": "", + "purl": "pkg:maven/org.slf4j/slf4j-simple@1.7.32?type=jar", "path": "https://github.com/qos-ch/slf4j", "branch": "", "digest": "", @@ -154,7 +154,7 @@ }, { "id": "ch.qos.logback:logback-classic", - "purl": "", + "purl": "pkg:maven/ch.qos.logback/logback-classic@1.2.11?type=jar", "path": "https://github.com/ceki/logback", "branch": "", "digest": "", @@ -163,7 +163,7 @@ }, { "id": "commons-cli:commons-cli", - "purl": "", + "purl": "pkg:maven/commons-cli/commons-cli@1.5.0?type=jar", "path": "https://github.com/apache/maven-apache-parent", "branch": "", "digest": "", @@ -172,16 +172,16 @@ }, { "id": "org.apache.commons:commons-lang3", - "purl": "", + "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0?type=jar", "path": "https://github.com/apache/maven-apache-parent", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-apache-parent is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "org.mockito:mockito-core", - "purl": "", + "purl": "pkg:maven/org.mockito/mockito-core@3.2.0?type=jar", "path": "https://github.com/mockito/mockito", "branch": "", "digest": "", @@ -190,7 +190,7 @@ }, { "id": "org.fusesource.jansi:jansi", - "purl": "", + "purl": "pkg:maven/org.fusesource.jansi/jansi@2.4.0?type=jar", "path": "https://github.com/fusesource/jansi", "branch": "", "digest": "", @@ -199,7 +199,7 @@ }, { "id": "org.apache.maven.wagon:wagon-http", - "purl": "", + "purl": "pkg:maven/org.apache.maven.wagon/wagon-http@3.5.1?type=jar", "path": "https://github.com/apache/maven-wagon", "branch": "", "digest": "", 
@@ -208,16 +208,16 @@ }, { "id": "org.apache.maven.wagon:wagon-file", - "purl": "", + "purl": "pkg:maven/org.apache.maven.wagon/wagon-file@3.5.1?type=jar", "path": "https://github.com/apache/maven-wagon", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-wagon is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "org.slf4j:jcl-over-slf4j", - "purl": "", + "purl": "pkg:maven/org.slf4j/jcl-over-slf4j@1.7.32?type=jar", "path": "https://github.com/qos-ch/slf4j", "branch": "", "digest": "", 
@@ -226,43 +226,43 @@ }, { "id": "org.apache.maven.resolver:maven-resolver-connector-basic", - "purl": "", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-connector-basic@1.8.0?type=jar", "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-resolver is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "org.apache.maven.resolver:maven-resolver-transport-file", - "purl": "", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-transport-file@1.8.0?type=jar", "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-resolver is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "org.apache.maven.resolver:maven-resolver-transport-http", - "purl": "", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-transport-http@1.8.0?type=jar", "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-resolver is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "org.apache.maven.resolver:maven-resolver-transport-wagon", - "purl": "", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-transport-wagon@1.8.0?type=jar", "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-resolver is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "org.codehaus.plexus:plexus-interpolation", - "purl": "", + "purl": "pkg:maven/org.codehaus.plexus/plexus-interpolation@1.26?type=jar", "path": "https://github.com/codehaus-plexus/plexus-interpolation", "branch": "", "digest": "", 
@@ -271,16 +271,16 @@ }, { "id": "org.apache.maven.resolver:maven-resolver-impl", - "purl": "", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-impl@1.8.0?type=jar", "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-resolver is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "org.codehaus.plexus:plexus-component-annotations", - "purl": "", + "purl": "pkg:maven/org.codehaus.plexus/plexus-component-annotations@2.1.0?type=jar", "path": "https://github.com/codehaus-plexus/plexus-containers", "branch": "", "digest": "", @@ -289,16 +289,16 @@ }, { "id": "org.apache.maven.wagon:wagon-provider-api", - "purl": "", + "purl": "pkg:maven/org.apache.maven.wagon/wagon-provider-api@3.5.1?type=jar", "path": "https://github.com/apache/maven-wagon", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-wagon is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "org.codehaus.plexus:plexus-testing", - "purl": "", + "purl": "pkg:maven/org.codehaus.plexus/plexus-testing@1.0.0?type=jar", "path": "https://github.com/codehaus-plexus/plexus-testing", "branch": "", "digest": "", @@ -307,7 +307,7 @@ }, { "id": "org.junit.jupiter:junit-jupiter-params", - "purl": "", + "purl": "pkg:maven/org.junit.jupiter/junit-jupiter-params@5.8.1?type=jar", "path": "https://github.com/junit-team/junit5", "branch": "", "digest": "", @@ -316,7 +316,7 @@ }, { "id": "org.xmlunit:xmlunit-assertj", - "purl": "", + "purl": "pkg:maven/org.xmlunit/xmlunit-assertj@2.6.4?type=jar", "path": "https://github.com/xmlunit/xmlunit", "branch": "", "digest": "", @@ -325,7 +325,7 @@ }, { "id": "org.hamcrest:hamcrest-library", - "purl": "", + "purl": "pkg:maven/org.hamcrest/hamcrest-library@2.2?type=jar", "path": "https://github.com/hamcrest/JavaHamcrest", "branch": "", "digest": "", 
@@ -334,7 +334,7 @@ }, { "id": "org.eclipse.sisu:org.eclipse.sisu.inject", - "purl": "", + "purl": "pkg:maven/org.eclipse.sisu/org.eclipse.sisu.inject@0.3.5?type=jar", "path": "", "branch": "", "digest": "", @@ -343,7 +343,7 @@ }, { "id": "org.xmlunit:xmlunit-core", - "purl": "", + "purl": "pkg:maven/org.xmlunit/xmlunit-core@2.6.4?type=jar", "path": "https://github.com/xmlunit/xmlunit", "branch": "", "digest": "", @@ -352,7 +352,7 @@ }, { "id": "org.xmlunit:xmlunit-matchers", - "purl": "", + "purl": "pkg:maven/org.xmlunit/xmlunit-matchers@2.6.4?type=jar", "path": "https://github.com/xmlunit/xmlunit", "branch": "", "digest": "", @@ -361,16 +361,16 @@ }, { "id": "org.apache.maven.resolver:maven-resolver-spi", - "purl": "", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-spi@1.8.0?type=jar", "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/apache/maven-resolver is already analyzed.", + "available": "DUPLICATED REPO URL" }, { "id": "commons-jxpath:commons-jxpath", - "purl": "", + "purl": "pkg:maven/commons-jxpath/commons-jxpath@1.3?type=jar", "path": "", "branch": "", "digest": "", diff --git a/tests/dependency_analyzer/expected_results/cyclonedx_timyarkov_multibuild_test.json b/tests/dependency_analyzer/expected_results/cyclonedx_timyarkov_multibuild_test.json index 1b4a1fb15..bafacf2b5 100644 --- a/tests/dependency_analyzer/expected_results/cyclonedx_timyarkov_multibuild_test.json +++ b/tests/dependency_analyzer/expected_results/cyclonedx_timyarkov_multibuild_test.json @@ -1,7 +1,7 @@ [ { "id": "org.springframework.boot:spring-boot-starter-thymeleaf", - "purl": "", + "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-thymeleaf@3.0.0?type=jar", "path": "https://github.com/spring-projects/spring-boot", "branch": "", "digest": "", 
@@ -10,7 +10,7 @@ }, { "id": "org.springframework.boot:spring-boot-starter-web", - "purl": "", + "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-web@3.0.0?type=jar", "path": "https://github.com/spring-projects/spring-boot", "branch": "", "digest": "", @@ -19,7 +19,7 @@ }, { "id": "com.google.code.gson:gson", - "purl": "", + "purl": "pkg:maven/com.google.code.gson/gson@2.10.1?type=jar", "path": "https://github.com/google/gson", "branch": "", "digest": "", diff --git a/tests/dependency_analyzer/test_dependency_analyzer.py b/tests/dependency_analyzer/test_dependency_analyzer.py index 3dd7d992f..ed9b9c7cb 100644 --- a/tests/dependency_analyzer/test_dependency_analyzer.py +++ b/tests/dependency_analyzer/test_dependency_analyzer.py @@ -27,6 +27,7 @@ def test_merge_config(self) -> None: version="2.14.0-SNAPSHOT", group="com.fasterxml.jackson.core", name="jackson-annotations", + purl="pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0-SNAPSHOT?type=bundle", url="https://github.com/FasterXML/jackson-annotations", note="", available=SCMStatus.AVAILABLE, @@ -35,6 +36,7 @@ def test_merge_config(self) -> None: version="2.14.0-SNAPSHOT", group="com.fasterxml.jackson.core", name="jackson-core", + purl="pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0-SNAPSHOT?type=bundle", url="https://github.com/FasterXML/jackson-core", note="", available=SCMStatus.AVAILABLE, @@ -45,7 +47,7 @@ def test_merge_config(self) -> None: expected_result_no_deps = [ { "id": "com.fasterxml.jackson.core:jackson-annotations", - "purl": "", + "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0-SNAPSHOT?type=bundle", "path": "https://github.com/FasterXML/jackson-annotations", "branch": "", "digest": "", 
@@ -54,7 +56,7 @@ def test_merge_config(self) -> None: }, { "id": "com.fasterxml.jackson.core:jackson-core", - "purl": "", + "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0-SNAPSHOT?type=bundle", "path": "https://github.com/FasterXML/jackson-core", "branch": "", "digest": "", @@ -84,7 +86,7 @@ def test_merge_config(self) -> None: }, { "id": "com.fasterxml.jackson.core:jackson-annotations", - "purl": "", + "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0-SNAPSHOT?type=bundle", "path": "https://github.com/FasterXML/jackson-annotations", "branch": "", "digest": "", @@ -93,7 +95,7 @@ def test_merge_config(self) -> None: }, { "id": "com.fasterxml.jackson.core:jackson-core", - "purl": "", + "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0-SNAPSHOT?type=bundle", "path": "https://github.com/FasterXML/jackson-core", "branch": "", "digest": "", diff --git a/tests/e2e/expected_results/docker_test/docker_test.json b/tests/e2e/expected_results/docker_test/docker_test.json index 2ded272c1..6940d8964 100644 --- a/tests/e2e/expected_results/docker_test/docker_test.json +++ b/tests/e2e/expected_results/docker_test/docker_test.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-08-28 12:52:37" + "timestamps": "2023-09-12 17:09:42" }, "target": { "info": { @@ -35,7 +35,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "Pretend-to-do-stuff", + "stepID": "Push Docker" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -61,7 +64,7 @@ "checks": { "summary": { "DISABLED": 0, - "FAILED": 5, + "FAILED": 6, "PASSED": 4, "SKIPPED": 0, "UNKNOWN": 0 
@@ -118,6 +121,17 @@ ], "result_type": "PASSED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", @@ -193,31 +207,35 @@ "unique_dep_repos": 0, "checks_summary": [ { - "check_id": "mcn_build_script_1", + "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, { - "check_id": "mcn_version_control_system_1", + "check_id": "mcn_provenance_witness_level_one_1", "num_deps_pass": 0 }, { - "check_id": "mcn_build_service_1", + "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, { - "check_id": "mcn_trusted_builder_level_three_1", + "check_id": "mcn_infer_artifact_pipeline_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_witness_level_one_1", + "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_available_1", + "check_id": "mcn_version_control_system_1", "num_deps_pass": 0 }, { - "check_id": "mcn_build_as_code_1", + "check_id": "mcn_trusted_builder_level_three_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_build_script_1", "num_deps_pass": 0 }, { @@ -225,7 +243,7 @@ "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_expectation_1", + "check_id": "mcn_build_service_1", "num_deps_pass": 0 } ], diff --git a/tests/e2e/expected_results/jackson-databind/jackson-databind.json b/tests/e2e/expected_results/jackson-databind/jackson-databind.json index 3bfb62b98..4d2999187 100644 --- a/tests/e2e/expected_results/jackson-databind/jackson-databind.json +++ b/tests/e2e/expected_results/jackson-databind/jackson-databind.json 
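Review bot: The new `mcn_infer_artifact_pipeline_1` entry records `FAILED` with `Unable to find a publishing timestamp for the artifact.` for the docker_test target, whose inferred build step is `Push Docker`, i.e. not a Maven artifact at all; per the PR description the check only supports Maven Central, so this result conflates "not applicable to this ecosystem" with "artifact not found in the registry". Since the summary already carries `SKIPPED` and `UNKNOWN` buckets, a non-Maven (or unregistered) target would be better reported in one of those, or at minimum the justification should state the scope, e.g. `Unable to find a publishing timestamp for the artifact on Maven Central; this check currently supports Maven artifacts only.`. It would also help to carry the caveat from the PR description into the justification when it applies, that this inference is superseded by any verifiable provenance found for the artifact, since the entry lists `Build as code - SLSA Level 3` and a heuristic mapping should not read as satisfying that requirement.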
@@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-07-08 03:35:08" + "timestamps": "2023-09-12 17:24:16" }, "target": { "info": { @@ -35,7 +35,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "build", + "stepID": "Deploy snapshot" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -77,7 +80,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "", + "stepID": "" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -97,13 +103,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 5, + "FAILED": 6, "PASSED": 4, "SKIPPED": 0, "UNKNOWN": 0 @@ -160,6 +167,17 @@ ], "result_type": "PASSED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", @@ -238,10 +256,18 @@ "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 @@ -265,10 +291,6 @@ { "check_id": "mcn_build_service_1", "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "num_deps_pass": 0 } ], "dep_status": [] diff --git a/tests/e2e/expected_results/maven/guava.json b/tests/e2e/expected_results/maven/guava.json index d68be2be2..a608b9803 100644 --- a/tests/e2e/expected_results/maven/guava.json +++ b/tests/e2e/expected_results/maven/guava.json 
@@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-07-08 03:36:15" + "timestamps": "2023-09-12 17:28:04" }, "target": { "info": { @@ -35,7 +35,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "publish_snapshot", + "stepID": "Publish" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -55,13 +58,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 5, + "FAILED": 6, "PASSED": 4, "SKIPPED": 0, "UNKNOWN": 0 @@ -118,6 +122,17 @@ ], "result_type": "PASSED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", @@ -196,10 +211,18 @@ "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 @@ -223,10 +246,6 @@ { "check_id": "mcn_build_service_1", "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "num_deps_pass": 0 } ], "dep_status": [] diff --git a/tests/e2e/expected_results/maven/maven.json b/tests/e2e/expected_results/maven/maven.json index 158f1c047..d33a87a2f 100644 --- a/tests/e2e/expected_results/maven/maven.json +++ b/tests/e2e/expected_results/maven/maven.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-06-14 13:33:34" + "timestamps": "2023-09-12 17:28:08" }, "target": { "info": { 
@@ -35,7 +35,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "", + "stepID": "" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -77,7 +80,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "", + "stepID": "" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -97,13 +103,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 5, + "FAILED": 6, "PASSED": 4, "SKIPPED": 0, "UNKNOWN": 0 @@ -155,6 +162,17 @@ ], "result_type": "PASSED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", @@ -176,7 +194,7 @@ "Provenance conforms with expectations - SLSA Level 3" ], "justification": [ - "Check mcn_provenance_expectation_1 is set to FAILED because mcn_provenance_level_three_1 FAILED." + "Check mcn_provenance_expectation_1 is set to FAILED because mcn_provenance_available_1 FAILED." ], "result_type": "FAILED" }, 
@@ -226,24 +244,32 @@ } }, "dependencies": { - "analyzed_deps": 2, - "unique_dep_repos": 2, + "analyzed_deps": 0, + "unique_dep_repos": 0, "checks_summary": [ { "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", - "num_deps_pass": 2 + "num_deps_pass": 0 }, { "check_id": "mcn_version_control_system_1", - "num_deps_pass": 2 + "num_deps_pass": 0 }, { "check_id": "mcn_trusted_builder_level_three_1", @@ -251,7 +277,7 @@ }, { "check_id": "mcn_build_script_1", - "num_deps_pass": 2 + "num_deps_pass": 0 }, { "check_id": "mcn_provenance_level_three_1", @@ -260,25 +286,8 @@ { "check_id": "mcn_build_service_1", "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "num_deps_pass": 0 } ], - "dep_status": [ - { - "id": "guava", - "description": "Analysis Completed.", - "report": "guava.html", - "status": "AVAILABLE" - }, - { - "id": "mockito", - "description": "Analysis Completed.", - "report": "mockito.html", - "status": "AVAILABLE" - } - ] + "dep_status": [] } } diff --git a/tests/e2e/expected_results/maven/mockito.json b/tests/e2e/expected_results/maven/mockito.json index e7da37718..ee4791623 100644 --- a/tests/e2e/expected_results/maven/mockito.json +++ b/tests/e2e/expected_results/maven/mockito.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-07-08 03:36:15" + "timestamps": "2023-09-12 17:28:04" }, "target": { "info": { @@ -35,7 +35,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "release", + "stepID": "Build and release" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", 
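Review bot: This fixture now expects `analyzed_deps: 0`, drops the guava and mockito `dep_status` entries, and lowers `num_deps_pass` for `mcn_build_as_code_1`, `mcn_version_control_system_1` and `mcn_build_script_1` from 2 to 0, so the maven e2e case no longer exercises dependency analysis at all. That is a coverage loss on a path this same PR touches (cyclonedx.py and dependency_resolver.py are in the diffstat), and it is easy to miss in fixture churn; the separately updated guava.json and mockito.json suggest those dependencies are still analysed somewhere, so I presume the integration-test invocation changed rather than the resolver breaking, but that should be confirmed. If the intent is to keep the maven case dependency-free, a note in the PR description or a retained fixture asserting the two-dependency result would make the change deliberate rather than incidental.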
@@ -55,13 +58,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 5, + "FAILED": 6, "PASSED": 4, "SKIPPED": 0, "UNKNOWN": 0 @@ -118,6 +122,17 @@ ], "result_type": "PASSED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", @@ -196,10 +211,18 @@ "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 @@ -223,10 +246,6 @@ { "check_id": "mcn_build_service_1", "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "num_deps_pass": 0 } ], "dep_status": [] diff --git a/tests/e2e/expected_results/micronaut-core/caffeine.json b/tests/e2e/expected_results/micronaut-core/caffeine.json index 869788261..88ac3fe9a 100644 --- a/tests/e2e/expected_results/micronaut-core/caffeine.json +++ b/tests/e2e/expected_results/micronaut-core/caffeine.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-07-08 03:33:32" + "timestamps": "2023-09-12 22:55:15" }, "target": { "info": { @@ -35,7 +35,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "build", + "stepID": "Publish Snapshot" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", 
@@ -77,7 +80,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "", + "stepID": "" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -97,13 +103,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 5, + "FAILED": 6, "PASSED": 4, "SKIPPED": 0, "UNKNOWN": 0 @@ -121,7 +128,8 @@ "The build is triggered by": "https://github.com/ben-manes/caffeine/blob/05a040c2478341bab8a58a02b3dc1fe14d626d72/.github/workflows/build.yml" }, "Deploy command: ['./gradlew', 'publishToSonatype']", - "However, could not find a passing workflow run." + "However, could not find a passing workflow run.", + "The target repository does not use maven to deploy." ], "result_type": "PASSED" }, @@ -160,6 +168,17 @@ ], "result_type": "PASSED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", @@ -238,10 +257,18 @@ "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 @@ -265,10 +292,6 @@ { "check_id": "mcn_build_service_1", "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "num_deps_pass": 0 } ], "dep_status": [] diff --git a/tests/e2e/expected_results/micronaut-core/micronaut-core.json b/tests/e2e/expected_results/micronaut-core/micronaut-core.json index 0c2268077..6994537a9 100644 
--- a/tests/e2e/expected_results/micronaut-core/micronaut-core.json +++ b/tests/e2e/expected_results/micronaut-core/micronaut-core.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-09-13 08:44:28" + "timestamps": "2023-09-13 10:04:00" }, "target": { "info": { @@ -746,13 +746,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 2, + "FAILED": 3, "PASSED": 6, "SKIPPED": 0, "UNKNOWN": 1 @@ -850,6 +851,17 @@ ], "result_type": "PASSED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_witness_level_one_1", "check_description": "Check whether the target has a level-1 witness provenance.", @@ -897,6 +909,10 @@ "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 1 diff --git a/tests/e2e/expected_results/micronaut-core/slf4j.json b/tests/e2e/expected_results/micronaut-core/slf4j.json index 0093d3f8a..1de0884e2 100644 --- a/tests/e2e/expected_results/micronaut-core/slf4j.json +++ b/tests/e2e/expected_results/micronaut-core/slf4j.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-07-08 03:33:32" + "timestamps": "2023-09-12 22:55:15" }, "target": { "info": { @@ -35,7 +35,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "", + "stepID": "" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -55,13 +58,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 6, + "FAILED": 7, "PASSED": 3, "SKIPPED": 0, "UNKNOWN": 0 
@@ -113,6 +117,17 @@ ], "result_type": "FAILED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Check mcn_infer_artifact_pipeline_1 is set to FAILED because mcn_build_as_code_1 FAILED." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", @@ -191,10 +206,18 @@ "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 @@ -215,10 +238,6 @@ "check_id": "mcn_provenance_level_three_1", "num_deps_pass": 0 }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "num_deps_pass": 0 - }, { "check_id": "mcn_build_service_1", "num_deps_pass": 0 diff --git a/tests/e2e/expected_results/multibuild_test/multibuild_test.json b/tests/e2e/expected_results/multibuild_test/multibuild_test.json index 27e22539b..4ce642a20 100644 --- a/tests/e2e/expected_results/multibuild_test/multibuild_test.json +++ b/tests/e2e/expected_results/multibuild_test/multibuild_test.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-08-23 18:31:55" + "timestamps": "2023-09-12 17:09:38" }, "target": { "info": { @@ -35,9 +35,12 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "Pretend-to-do-stuff", + "stepID": "Publish Gradle Project" + }, "metadata": { - "buildInvocationId": "https://github.com/timyarkov/multibuild_test/actions/runs/5097947450", + "buildInvocationId": "", "buildStartedOn": "", "buildFinishedOn": "", "completeness": { 
@@ -55,13 +58,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 5, + "FAILED": 6, "PASSED": 4, "SKIPPED": 0, "UNKNOWN": 0 @@ -79,9 +83,7 @@ "The build is triggered by": "https://github.com/timyarkov/multibuild_test/blob/a8b0efe24298bc81f63217aaa84776c3d48976c5/.github/workflows/github-actions-basic.yml" }, "Deploy command: ['gradle', 'publish']", - { - "The status of the build can be seen at": "https://github.com/timyarkov/multibuild_test/actions/runs/5097947450" - }, + "However, could not find a passing workflow run.", "The target repository does not use maven to deploy." ], "result_type": "PASSED" @@ -121,6 +123,17 @@ ], "result_type": "PASSED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", 
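Review bot: In the `mcn_build_as_code_1` justification the expected output drops the concrete link `https://github.com/timyarkov/multibuild_test/actions/runs/5097947450` in favour of `However, could not find a passing workflow run.`, and the preceding hunk empties `buildInvocationId` for the same target; the inferred provenance for this repository therefore now carries less evidence than before this PR. If the workflow-run lookup was moved behind the registry publish timestamp that the new check requires, a target not found on Maven Central loses a run it could previously resolve, which looks like a regression rather than a correction. I would either keep the previous run lookup as a fallback when no publish timestamp is available, or state in the check description that `buildInvocationId` is only populated when the artifact is found in a supported registry, so the empty field is not mistaken for "no CI run exists".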
@@ -196,47 +209,51 @@ "unique_dep_repos": 2, "checks_summary": [ { - "check_id": "mcn_build_script_1", - "num_deps_pass": 2 + "check_id": "mcn_provenance_expectation_1", + "num_deps_pass": 0 }, { - "check_id": "mcn_version_control_system_1", - "num_deps_pass": 2 + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 }, { - "check_id": "mcn_build_service_1", - "num_deps_pass": 2 + "check_id": "mcn_provenance_available_1", + "num_deps_pass": 0 }, { - "check_id": "mcn_trusted_builder_level_three_1", + "check_id": "mcn_infer_artifact_pipeline_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_witness_level_one_1", + "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_available_1", - "num_deps_pass": 0 + "check_id": "mcn_version_control_system_1", + "num_deps_pass": 2 }, { - "check_id": "mcn_build_as_code_1", + "check_id": "mcn_trusted_builder_level_three_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_build_script_1", + "num_deps_pass": 2 + }, { "check_id": "mcn_provenance_level_three_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_expectation_1", - "num_deps_pass": 0 + "check_id": "mcn_build_service_1", + "num_deps_pass": 2 } ], "dep_status": [ { "id": "org.springframework.boot:spring-boot-starter-thymeleaf", "description": "Analysis Completed.", - "report": "spring-boot.html", + "report": "spring-boot-starter-thymeleaf.html", "status": "AVAILABLE" }, { diff --git a/tests/e2e/expected_results/plot-plugin/plot-plugin.json b/tests/e2e/expected_results/plot-plugin/plot-plugin.json index bd52af38e..faa5f2e95 100644 --- a/tests/e2e/expected_results/plot-plugin/plot-plugin.json +++ b/tests/e2e/expected_results/plot-plugin/plot-plugin.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-07-08 03:11:33" + "timestamps": "2023-09-12 17:07:15" }, "target": { "info": { 
@@ -35,7 +35,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "", + "stepID": "" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -77,7 +80,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "", + "stepID": "" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -97,13 +103,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 6, + "FAILED": 7, "PASSED": 3, "SKIPPED": 0, "UNKNOWN": 0 @@ -155,6 +162,17 @@ ], "result_type": "FAILED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Check mcn_infer_artifact_pipeline_1 is set to FAILED because mcn_build_as_code_1 FAILED." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", @@ -233,10 +251,18 @@ "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 @@ -260,10 +286,6 @@ { "check_id": "mcn_build_service_1", "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "num_deps_pass": 0 } ], "dep_status": [] diff --git a/tests/e2e/expected_results/purl/com_google_guava/guava/guava.json b/tests/e2e/expected_results/purl/com_google_guava/guava/guava.json new file mode 100644 index 000000000..d28951558 --- /dev/null +++ b/tests/e2e/expected_results/purl/com_google_guava/guava/guava.json 
@@ -0,0 +1,255 @@
+{
+ "metadata": {
+ "timestamps": "2023-09-12 16:52:10"
+ },
+ "target": {
+ "info": {
+ "full_name": "pkg:maven/com.google.guava/guava@32.1.2-jre?type=jar",
+ "local_cloned_path": "git_repos/github_com/google/guava",
+ "remote_path": "https://github.com/google/guava",
+ "branch": "master",
+ "commit_hash": "d8633ac8539dae52c8361f79c7a0dbd9ad6dd2c4",
+ "commit_date": "2022-06-16T01:55:17-07:00"
+ },
+ "provenances": {
+ "is_inferred": true,
+ "content": {
+ "github_actions": [
+ {
+ "_type": "https://in-toto.io/Statement/v0.1",
+ "subject": [],
+ "predicateType": "https://slsa.dev/provenance/v0.2",
+ "predicate": {
+ "builder": {
+ "id": "https://github.com/google/guava/blob/d8633ac8539dae52c8361f79c7a0dbd9ad6dd2c4/./util/deploy_snapshot.sh"
+ },
+ "buildType": "Custom github_actions",
+ "invocation": {
+ "configSource": {
+ "uri": "https://github.com/google/guava@refs/heads/master",
+ "digest": {
+ "sha1": "d8633ac8539dae52c8361f79c7a0dbd9ad6dd2c4"
+ },
+ "entryPoint": "https://github.com/google/guava/blob/d8633ac8539dae52c8361f79c7a0dbd9ad6dd2c4/.github/workflows/ci.yml"
+ },
+ "parameters": {},
+ "environment": {}
+ },
+ "buildConfig": {
+ "jobID": "publish_snapshot",
+ "stepID": "Publish"
+ },
+ "metadata": {
+ "buildInvocationId": "",
+ "buildStartedOn": "",
+ "buildFinishedOn": "",
+ "completeness": {
+ "parameters": "false",
+ "environment": "false",
+ "materials": "false"
+ },
+ "reproducible": "false"
+ },
+ "materials": [
+ {
+ "uri": "",
+ "digest": {}
+ }
+ ]
+ }
+ }
+ ],
+ "Maven Central Registry": []
+ }
+ },
+ "checks": {
+ "summary": {
+ "DISABLED": 0,
+ "FAILED": 5,
+ "PASSED": 5,
+ "SKIPPED": 0,
+ "UNKNOWN": 0
+ },
+ "results": [
+ {
+ "check_id": "mcn_build_as_code_1",
+ "check_description": "The build definition and configuration executed by the build service is verifiably derived from text file definitions stored in a version control system.",
+ "slsa_requirements": [
+ "Build as code - SLSA Level 3"
+ ],
+ "justification": [
+ {
+ "The target repository uses build tool maven to deploy": "https://github.com/google/guava/blob/d8633ac8539dae52c8361f79c7a0dbd9ad6dd2c4/./util/deploy_snapshot.sh",
+ "The build is triggered by": "https://github.com/google/guava/blob/d8633ac8539dae52c8361f79c7a0dbd9ad6dd2c4/.github/workflows/ci.yml"
+ },
+ "Deploy command: ['mvn', 'clean', 'source:jar', 'javadoc:jar', 'deploy', '-DskipTests=true', '\"$@\"']",
+ "However, could not find a passing workflow run."
+ ],
+ "result_type": "PASSED"
+ },
+ {
+ "check_id": "mcn_build_script_1",
+ "check_description": "Check if the target repo has a valid build script.",
+ "slsa_requirements": [
+ "Scripted Build - SLSA Level 1"
+ ],
+ "justification": [
+ "Check mcn_build_script_1 is set to PASSED because mcn_build_service_1 PASSED."
+ ],
+ "result_type": "PASSED"
+ },
+ {
+ "check_id": "mcn_build_service_1",
+ "check_description": "Check if the target repo has a valid build service.",
+ "slsa_requirements": [
+ "Build service - SLSA Level 2"
+ ],
+ "justification": [
+ "Check mcn_build_service_1 is set to PASSED because mcn_build_as_code_1 PASSED."
+ ],
+ "result_type": "PASSED"
+ },
+ {
+ "check_id": "mcn_infer_artifact_pipeline_1",
+ "check_description": "Detects potential pipelines from which an artifact is published.",
+ "slsa_requirements": [
+ "Build as code - SLSA Level 3"
+ ],
+ "justification": [
+ {
+ "The artifact is potentially published by workflow job 'publish_snapshot' at step 'Publish' triggered by": "https://github.com/google/guava/actions/runs/5719444145"
+ }
+ ],
+ "result_type": "PASSED"
+ },
+ {
+ "check_id": "mcn_version_control_system_1",
+ "check_description": "Check whether the target repo uses a version control system.",
+ "slsa_requirements": [
+ "Version controlled - SLSA Level 2"
+ ],
+ "justification": [
+ {
+ "This is a Git repository": "https://github.com/google/guava"
+ }
+ ],
+ "result_type": "PASSED"
+ },
+ {
+ "check_id": "mcn_provenance_available_1",
+ "check_description": "Check whether the target has intoto provenance.",
+ "slsa_requirements": [
+ "Provenance - Available - SLSA Level 1",
+ "Provenance content - Identifies build instructions - SLSA Level 1",
+ "Provenance content - Identifies artifacts - SLSA Level 1",
+ "Provenance content - Identifies builder - SLSA Level 1"
+ ],
+ "justification": [
+ "Could not find any SLSA provenances."
+ ],
+ "result_type": "FAILED"
+ },
+ {
+ "check_id": "mcn_provenance_expectation_1",
+ "check_description": "Check whether the SLSA provenance for the produced artifact conforms to the expected value.",
+ "slsa_requirements": [
+ "Provenance conforms with expectations - SLSA Level 3"
+ ],
+ "justification": [
+ "Check mcn_provenance_expectation_1 is set to FAILED because mcn_provenance_available_1 FAILED."
+ ],
+ "result_type": "FAILED"
+ },
+ {
+ "check_id": "mcn_provenance_level_three_1",
+ "check_description": "Check whether the target has SLSA provenance level 3.",
+ "slsa_requirements": [
+ "Provenance - Non falsifiable - SLSA Level 3",
+ "Provenance content - Includes all build parameters - SLSA Level 3",
+ "Provenance content - Identifies entry point - SLSA Level 3",
+ "Provenance content - Identifies source code - SLSA Level 2"
+ ],
+ "justification": [
+ "Check mcn_provenance_level_three_1 is set to FAILED because mcn_provenance_available_1 FAILED."
+ ],
+ "result_type": "FAILED"
+ },
+ {
+ "check_id": "mcn_provenance_witness_level_one_1",
+ "check_description": "Check whether the target has a level-1 witness provenance.",
+ "slsa_requirements": [
+ "Provenance - Available - SLSA Level 1",
+ "Provenance content - Identifies build instructions - SLSA Level 1",
+ "Provenance content - Identifies artifacts - SLSA Level 1",
+ "Provenance content - Identifies builder - SLSA Level 1"
+ ],
+ "justification": [
+ "Check mcn_provenance_witness_level_one_1 is set to FAILED because mcn_provenance_available_1 FAILED."
+ ],
+ "result_type": "FAILED"
+ },
+ {
+ "check_id": "mcn_trusted_builder_level_three_1",
+ "check_description": "Check whether the target uses a trusted SLSA level 3 builder.",
+ "slsa_requirements": [
+ "Hermetic - SLSA Level 4",
+ "Isolated - SLSA Level 3",
+ "Parameterless - SLSA Level 4",
+ "Ephemeral environment - SLSA Level 3"
+ ],
+ "justification": [
+ "Could not find a trusted level 3 builder as a GitHub Actions workflow."
+ ],
+ "result_type": "FAILED"
+ }
+ ]
+ }
+ },
+ "dependencies": {
+ "analyzed_deps": 0,
+ "unique_dep_repos": 0,
+ "checks_summary": [
+ {
+ "check_id": "mcn_provenance_expectation_1",
+ "num_deps_pass": 0
+ },
+ {
+ "check_id": "mcn_provenance_witness_level_one_1",
+ "num_deps_pass": 0
+ },
+ {
+ "check_id": "mcn_provenance_available_1",
+ "num_deps_pass": 0
+ },
+ {
+ "check_id": "mcn_infer_artifact_pipeline_1",
+ "num_deps_pass": 0
+ },
+ {
+ "check_id": "mcn_build_as_code_1",
+ "num_deps_pass": 0
+ },
+ {
+ "check_id": "mcn_version_control_system_1",
+ "num_deps_pass": 0
+ },
+ {
+ "check_id": "mcn_trusted_builder_level_three_1",
+ "num_deps_pass": 0
+ },
+ {
+ "check_id": "mcn_build_script_1",
+ "num_deps_pass": 0
+ },
+ {
+ "check_id": "mcn_provenance_level_three_1",
+ "num_deps_pass": 0
+ },
+ {
+ "check_id": "mcn_build_service_1",
+ "num_deps_pass": 0
+ }
+ ],
+ "dep_status": []
+ }
+}
diff --git a/tests/e2e/expected_results/purl/maven/maven.json b/tests/e2e/expected_results/purl/maven/maven.json
index 468950538..833cb74bb 100644
--- a/tests/e2e/expected_results/purl/maven/maven.json
+++ b/tests/e2e/expected_results/purl/maven/maven.json
@@ -1,11 +1,11 @@
 {
 "metadata": {
- "timestamps": "2023-08-23 14:52:50"
+ "timestamps": "2023-09-12 17:10:37"
 },
 "target": {
 "info": {
 "full_name": "pkg:maven/apache/maven",
- "local_cloned_path": "../../../../output/git_repos/github_com/apache/maven",
+ "local_cloned_path": "git_repos/github_com/apache/maven",
 "remote_path": "https://github.com/apache/maven",
 "branch": "master",
 "commit_hash": "6767f2500f1d005924ccff27f04350c253858a84",
@@ -35,7 +35,10 @@
 "parameters": {},
 "environment": {}
 },
- "buildConfig": {},
+ "buildConfig": {
+ "jobID": "",
+ "stepID": ""
+ },
 "metadata": {
 "buildInvocationId": "",
 "buildStartedOn": "",
@@ -77,7 +80,10 @@
 "parameters": {},
 "environment": {}
 },
- "buildConfig": {},
+ "buildConfig": {
+ "jobID": "",
+ "stepID": ""
+ },
 "metadata": {
 "buildInvocationId": "",
 "buildStartedOn": "",
@@ -97,13 +103,14 @@
 ]
 }
 }
- ]
+ ],
+ "Maven Central Registry": []
 }
 },
 "checks": {
 "summary": {
 "DISABLED": 0,
- "FAILED": 5,
+ "FAILED": 6,
 "PASSED": 4,
 "SKIPPED": 0,
 "UNKNOWN": 0
@@ -155,6 +162,17 @@
 ],
 "result_type": "PASSED"
 },
+ {
+ "check_id": "mcn_infer_artifact_pipeline_1",
+ "check_description": "Detects potential pipelines from which an artifact is published.",
+ "slsa_requirements": [
+ "Build as code - SLSA Level 3"
+ ],
+ "justification": [
+ "Unable to find a publishing timestamp for the artifact."
+ ],
+ "result_type": "FAILED"
+ },
 {
 "check_id": "mcn_provenance_available_1",
 "check_description": "Check whether the target has intoto provenance.",
@@ -230,7 +248,7 @@
 "unique_dep_repos": 0,
 "checks_summary": [
 {
- "check_id": "mcn_version_control_system_1",
+ "check_id": "mcn_provenance_expectation_1",
 "num_deps_pass": 0
 },
 {
@@ -238,27 +256,31 @@
 "num_deps_pass": 0
 },
 {
- "check_id": "mcn_build_as_code_1",
+ "check_id": "mcn_provenance_available_1",
 "num_deps_pass": 0
 },
 {
- "check_id": "mcn_trusted_builder_level_three_1",
+ "check_id": "mcn_infer_artifact_pipeline_1",
 "num_deps_pass": 0
 },
 {
- "check_id": "mcn_provenance_level_three_1",
+ "check_id": "mcn_build_as_code_1",
 "num_deps_pass": 0
 },
 {
- "check_id": "mcn_build_script_1",
+ "check_id": "mcn_version_control_system_1",
 "num_deps_pass": 0
 },
 {
- "check_id": "mcn_provenance_expectation_1",
+ "check_id": "mcn_trusted_builder_level_three_1",
 "num_deps_pass": 0
 },
 {
- "check_id": "mcn_provenance_available_1",
+ "check_id": "mcn_build_script_1",
+ "num_deps_pass": 0
+ },
+ {
+ "check_id": "mcn_provenance_level_three_1",
 "num_deps_pass": 0
 },
 {
diff --git a/tests/e2e/expected_results/slsa-verifier/slsa-verifier_cue_PASS.json b/tests/e2e/expected_results/slsa-verifier/slsa-verifier_cue_PASS.json
index a86c796eb..d32078220 100644
--- a/tests/e2e/expected_results/slsa-verifier/slsa-verifier_cue_PASS.json
+++ b/tests/e2e/expected_results/slsa-verifier/slsa-verifier_cue_PASS.json
@@ -1,6 +1,6 @@
 {
 "metadata": {
- "timestamps": "2023-07-08 21:09:08"
+ "timestamps": "2023-09-12 17:36:00"
 },
 "target": {
 "info": {
@@ -22,44 +22,44 @@ { "name": "slsa-verifier-darwin-amd64", "digest": { - "sha256": "44ae609925c2dddafa45b2f98da62b40abcf739bbbe6f9dc792f3aba6e236e9c" + "sha256": "9e67318937b936014b6127affc14bc45f1fb10d9899b0105877778e8179b3029" } } ], "predicate": { "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.5.0" + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" }, "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", "invocation": { "configSource": { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" }, "entryPoint": ".github/workflows/release.yml" }, "parameters": {}, "environment": { "arch": "X64", - "github_actor": "ianlewis", - "github_actor_id": "49289", + "github_actor": "laurentsimon", + "github_actor_id": "64505099", "github_base_ref": "", "github_event_name": "push", "github_event_payload": { - "after": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "after": "73d1bcba982de0f644baec83df839399d13f472e", "base_ref": "refs/heads/main", "before": "0000000000000000000000000000000000000000", "commits": [], - "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.3.0", + "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.0", "created": true, "deleted": false, "forced": false, "head_commit": { "author": { - "email": "bot@renovateapp.com", - "name": "Mend Renovate", - "username": "renovate-bot" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon", + "username": "laurentsimon" }, "committer": { "email": "noreply@github.com", 
@@ -67,11 +67,11 @@ "username": "web-flow" }, "distinct": true, - "id": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", - "message": "chore(deps): update npm dev (#586)\n\nSigned-off-by: Renovate Bot \r\nCo-authored-by: Ian Lewis ", - "timestamp": "2023-05-10T00:48:36Z", - "tree_id": "b35aa02e95c56e048c8b75b62392a9f4ec2bd371", - "url": "https://github.com/slsa-framework/slsa-verifier/commit/c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "id": "73d1bcba982de0f644baec83df839399d13f472e", + "message": "fix: release failure (#697)\n\nSigned-off-by: laurentsimon ", + "timestamp": "2023-08-24T15:58:45-07:00", + "tree_id": "d2cb05a78e786bae14eb5882770089b68068c12e", + "url": "https://github.com/slsa-framework/slsa-verifier/commit/73d1bcba982de0f644baec83df839399d13f472e" }, "organization": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -88,10 +88,10 @@ "url": "https://api.github.com/orgs/slsa-framework" }, "pusher": { - "email": "ianlewis@google.com", - "name": "ianlewis" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon" }, - "ref": "refs/tags/v2.3.0", + "ref": "refs/tags/v2.4.0", "repository": { "allow_forking": true, "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", @@ -114,8 +114,8 @@ "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", "fork": false, - "forks": 32, - "forks_count": 32, + "forks": 34, + "forks_count": 34, "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", "full_name": "slsa-framework/slsa-verifier", "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", 
@@ -154,8 +154,8 @@ "name": "slsa-verifier", "node_id": "R_kgDOHEMl0g", "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", - "open_issues": 98, - "open_issues_count": 98, + "open_issues": 119, + "open_issues_count": 119, "organization": "slsa-framework", "owner": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -181,12 +181,12 @@ }, "private": false, "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", - "pushed_at": 1683842480, + "pushed_at": 1692982103, "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", - "size": 81033, + "size": 89668, "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", - "stargazers": 104, - "stargazers_count": 104, + "stargazers": 132, + "stargazers_count": 132, "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", 
@@ -196,44 +196,44 @@ "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", "topics": [], "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", - "updated_at": "2023-05-11T04:14:07Z", + "updated_at": "2023-08-22T02:50:28Z", "url": "https://github.com/slsa-framework/slsa-verifier", "visibility": "public", - "watchers": 104, - "watchers_count": 104, + "watchers": 132, + "watchers_count": 132, "web_commit_signoff_required": true }, "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/49289?v=4", - "events_url": "https://api.github.com/users/ianlewis/events{/privacy}", - "followers_url": "https://api.github.com/users/ianlewis/followers", - "following_url": "https://api.github.com/users/ianlewis/following{/other_user}", - "gists_url": "https://api.github.com/users/ianlewis/gists{/gist_id}", + "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", + "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", + "followers_url": "https://api.github.com/users/laurentsimon/followers", + "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", + "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", "gravatar_id": "", - "html_url": "https://github.com/ianlewis", - "id": 49289, - "login": "ianlewis", - "node_id": "MDQ6VXNlcjQ5Mjg5", - "organizations_url": "https://api.github.com/users/ianlewis/orgs", - "received_events_url": "https://api.github.com/users/ianlewis/received_events", - "repos_url": "https://api.github.com/users/ianlewis/repos", + "html_url": "https://github.com/laurentsimon", + "id": 64505099, + "login": "laurentsimon", + "node_id": "MDQ6VXNlcjY0NTA1MDk5", + "organizations_url": "https://api.github.com/users/laurentsimon/orgs", + "received_events_url": "https://api.github.com/users/laurentsimon/received_events", + "repos_url": "https://api.github.com/users/laurentsimon/repos", "site_admin": false, - 
"starred_url": "https://api.github.com/users/ianlewis/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/ianlewis/subscriptions", + "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", "type": "User", - "url": "https://api.github.com/users/ianlewis" + "url": "https://api.github.com/users/laurentsimon" } }, "github_head_ref": "", - "github_ref": "refs/tags/v2.3.0", + "github_ref": "refs/tags/v2.4.0", "github_ref_type": "tag", "github_repository_id": "474162642", "github_repository_owner": "slsa-framework", "github_repository_owner_id": "80431187", "github_run_attempt": "1", - "github_run_id": "4952932038", - "github_run_number": "324", - "github_sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "github_run_id": "5978382772", + "github_run_number": "434", + "github_sha1": "73d1bcba982de0f644baec83df839399d13f472e", "os": "ubuntu22" } }, @@ -242,7 +242,7 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "mod", "vendor" ], @@ -251,12 +251,12 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "build", "-mod=vendor", "-trimpath", "-tags=netgo", - "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.3.0", + "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.0", "-o", "slsa-verifier-darwin-amd64" ], @@ -271,7 +271,7 @@ "version": 1 }, "metadata": { - "buildInvocationID": "4952932038-1", + "buildInvocationID": "5978382772-1", "completeness": { "parameters": true, "environment": false, 
@@ -281,13 +281,13 @@ }, "materials": [ { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" } }, { - "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230507.1" + "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230821.1.0" } ] } 
@@ -299,44 +299,44 @@ { "name": "slsa-verifier-darwin-arm64", "digest": { - "sha256": "16e028a9306c622aecfc1e286082a2cbdd71418f39054fab98612fcf2ce4716e" + "sha256": "b55009be65f8f6dae4399522e4ab5685a5cfe0b72dca3134f12ba144b8860607" } } ], "predicate": { "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.5.0" + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" }, "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", "invocation": { "configSource": { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" }, "entryPoint": ".github/workflows/release.yml" }, "parameters": {}, "environment": { "arch": "X64", - "github_actor": "ianlewis", - "github_actor_id": "49289", + "github_actor": "laurentsimon", + "github_actor_id": "64505099", "github_base_ref": "", "github_event_name": "push", "github_event_payload": { - "after": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "after": "73d1bcba982de0f644baec83df839399d13f472e", "base_ref": "refs/heads/main", "before": "0000000000000000000000000000000000000000", "commits": [], - "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.3.0", + "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.0", "created": true, "deleted": false, "forced": false, "head_commit": { "author": { - "email": "bot@renovateapp.com", - "name": "Mend Renovate", - "username": "renovate-bot" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon", + "username": "laurentsimon" }, "committer": { "email": "noreply@github.com", 
@@ -344,11 +344,11 @@ "username": "web-flow" }, "distinct": true, - "id": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", - "message": "chore(deps): update npm dev (#586)\n\nSigned-off-by: Renovate Bot \r\nCo-authored-by: Ian Lewis ", - "timestamp": "2023-05-10T00:48:36Z", - "tree_id": "b35aa02e95c56e048c8b75b62392a9f4ec2bd371", - "url": "https://github.com/slsa-framework/slsa-verifier/commit/c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "id": "73d1bcba982de0f644baec83df839399d13f472e", + "message": "fix: release failure (#697)\n\nSigned-off-by: laurentsimon ", + "timestamp": "2023-08-24T15:58:45-07:00", + "tree_id": "d2cb05a78e786bae14eb5882770089b68068c12e", + "url": "https://github.com/slsa-framework/slsa-verifier/commit/73d1bcba982de0f644baec83df839399d13f472e" }, "organization": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -365,10 +365,10 @@ "url": "https://api.github.com/orgs/slsa-framework" }, "pusher": { - "email": "ianlewis@google.com", - "name": "ianlewis" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon" }, - "ref": "refs/tags/v2.3.0", + "ref": "refs/tags/v2.4.0", "repository": { "allow_forking": true, "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", @@ -391,8 +391,8 @@ "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", "fork": false, - "forks": 32, - "forks_count": 32, + "forks": 34, + "forks_count": 34, "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", "full_name": "slsa-framework/slsa-verifier", "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", 
@@ -431,8 +431,8 @@ "name": "slsa-verifier", "node_id": "R_kgDOHEMl0g", "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", - "open_issues": 98, - "open_issues_count": 98, + "open_issues": 119, + "open_issues_count": 119, "organization": "slsa-framework", "owner": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -458,12 +458,12 @@ }, "private": false, "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", - "pushed_at": 1683842480, + "pushed_at": 1692982103, "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", - "size": 81033, + "size": 89668, "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", - "stargazers": 104, - "stargazers_count": 104, + "stargazers": 132, + "stargazers_count": 132, "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", 
@@ -473,44 +473,44 @@ "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", "topics": [], "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", - "updated_at": "2023-05-11T04:14:07Z", + "updated_at": "2023-08-22T02:50:28Z", "url": "https://github.com/slsa-framework/slsa-verifier", "visibility": "public", - "watchers": 104, - "watchers_count": 104, + "watchers": 132, + "watchers_count": 132, "web_commit_signoff_required": true }, "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/49289?v=4", - "events_url": "https://api.github.com/users/ianlewis/events{/privacy}", - "followers_url": "https://api.github.com/users/ianlewis/followers", - "following_url": "https://api.github.com/users/ianlewis/following{/other_user}", - "gists_url": "https://api.github.com/users/ianlewis/gists{/gist_id}", + "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", + "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", + "followers_url": "https://api.github.com/users/laurentsimon/followers", + "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", + "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", "gravatar_id": "", - "html_url": "https://github.com/ianlewis", - "id": 49289, - "login": "ianlewis", - "node_id": "MDQ6VXNlcjQ5Mjg5", - "organizations_url": "https://api.github.com/users/ianlewis/orgs", - "received_events_url": "https://api.github.com/users/ianlewis/received_events", - "repos_url": "https://api.github.com/users/ianlewis/repos", + "html_url": "https://github.com/laurentsimon", + "id": 64505099, + "login": "laurentsimon", + "node_id": "MDQ6VXNlcjY0NTA1MDk5", + "organizations_url": "https://api.github.com/users/laurentsimon/orgs", + "received_events_url": "https://api.github.com/users/laurentsimon/received_events", + "repos_url": "https://api.github.com/users/laurentsimon/repos", "site_admin": false, - 
"starred_url": "https://api.github.com/users/ianlewis/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/ianlewis/subscriptions", + "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", "type": "User", - "url": "https://api.github.com/users/ianlewis" + "url": "https://api.github.com/users/laurentsimon" } }, "github_head_ref": "", - "github_ref": "refs/tags/v2.3.0", + "github_ref": "refs/tags/v2.4.0", "github_ref_type": "tag", "github_repository_id": "474162642", "github_repository_owner": "slsa-framework", "github_repository_owner_id": "80431187", "github_run_attempt": "1", - "github_run_id": "4952932038", - "github_run_number": "324", - "github_sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "github_run_id": "5978382772", + "github_run_number": "434", + "github_sha1": "73d1bcba982de0f644baec83df839399d13f472e", "os": "ubuntu22" } }, @@ -519,7 +519,7 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "mod", "vendor" ], @@ -528,12 +528,12 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "build", "-mod=vendor", "-trimpath", "-tags=netgo", - "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.3.0", + "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.0", "-o", "slsa-verifier-darwin-arm64" ], @@ -548,7 +548,7 @@ "version": 1 }, "metadata": { - "buildInvocationID": "4952932038-1", + "buildInvocationID": "5978382772-1", "completeness": { "parameters": true, "environment": false, 
@@ -558,13 +558,13 @@ }, "materials": [ { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" } }, { - "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230507.1" + "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230821.1.0" } ] } 
@@ -576,44 +576,44 @@ { "name": "slsa-verifier-linux-amd64", "digest": { - "sha256": "ea687149d658efecda64d69da999efb84bb695a3212f29548d4897994027172d" + "sha256": "9883e4c7fd0fead95815de1533db62d1ae19daf9d333b359e192fc65ffb401b2" } } ], "predicate": { "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.5.0" + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" }, "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", "invocation": { "configSource": { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" }, "entryPoint": ".github/workflows/release.yml" }, "parameters": {}, "environment": { "arch": "X64", - "github_actor": "ianlewis", - "github_actor_id": "49289", + "github_actor": "laurentsimon", + "github_actor_id": "64505099", "github_base_ref": "", "github_event_name": "push", "github_event_payload": { - "after": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "after": "73d1bcba982de0f644baec83df839399d13f472e", "base_ref": "refs/heads/main", "before": "0000000000000000000000000000000000000000", "commits": [], - "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.3.0", + "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.0", "created": true, "deleted": false, "forced": false, "head_commit": { "author": { - "email": "bot@renovateapp.com", - "name": "Mend Renovate", - "username": "renovate-bot" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon", + "username": "laurentsimon" }, "committer": { "email": "noreply@github.com", 
@@ -621,11 +621,11 @@ "username": "web-flow" }, "distinct": true, - "id": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", - "message": "chore(deps): update npm dev (#586)\n\nSigned-off-by: Renovate Bot \r\nCo-authored-by: Ian Lewis ", - "timestamp": "2023-05-10T00:48:36Z", - "tree_id": "b35aa02e95c56e048c8b75b62392a9f4ec2bd371", - "url": "https://github.com/slsa-framework/slsa-verifier/commit/c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "id": "73d1bcba982de0f644baec83df839399d13f472e", + "message": "fix: release failure (#697)\n\nSigned-off-by: laurentsimon ", + "timestamp": "2023-08-24T15:58:45-07:00", + "tree_id": "d2cb05a78e786bae14eb5882770089b68068c12e", + "url": "https://github.com/slsa-framework/slsa-verifier/commit/73d1bcba982de0f644baec83df839399d13f472e" }, "organization": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -642,10 +642,10 @@ "url": "https://api.github.com/orgs/slsa-framework" }, "pusher": { - "email": "ianlewis@google.com", - "name": "ianlewis" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon" }, - "ref": "refs/tags/v2.3.0", + "ref": "refs/tags/v2.4.0", "repository": { "allow_forking": true, "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", @@ -668,8 +668,8 @@ "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", "fork": false, - "forks": 32, - "forks_count": 32, + "forks": 34, + "forks_count": 34, "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", "full_name": "slsa-framework/slsa-verifier", "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", 
@@ -708,8 +708,8 @@ "name": "slsa-verifier", "node_id": "R_kgDOHEMl0g", "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", - "open_issues": 98, - "open_issues_count": 98, + "open_issues": 119, + "open_issues_count": 119, "organization": "slsa-framework", "owner": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -735,12 +735,12 @@ }, "private": false, "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", - "pushed_at": 1683842480, + "pushed_at": 1692982103, "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", - "size": 81033, + "size": 89668, "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", - "stargazers": 104, - "stargazers_count": 104, + "stargazers": 132, + "stargazers_count": 132, "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", 
@@ -750,44 +750,44 @@ "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", "topics": [], "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", - "updated_at": "2023-05-11T04:14:07Z", + "updated_at": "2023-08-22T02:50:28Z", "url": "https://github.com/slsa-framework/slsa-verifier", "visibility": "public", - "watchers": 104, - "watchers_count": 104, + "watchers": 132, + "watchers_count": 132, "web_commit_signoff_required": true }, "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/49289?v=4", - "events_url": "https://api.github.com/users/ianlewis/events{/privacy}", - "followers_url": "https://api.github.com/users/ianlewis/followers", - "following_url": "https://api.github.com/users/ianlewis/following{/other_user}", - "gists_url": "https://api.github.com/users/ianlewis/gists{/gist_id}", + "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", + "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", + "followers_url": "https://api.github.com/users/laurentsimon/followers", + "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", + "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", "gravatar_id": "", - "html_url": "https://github.com/ianlewis", - "id": 49289, - "login": "ianlewis", - "node_id": "MDQ6VXNlcjQ5Mjg5", - "organizations_url": "https://api.github.com/users/ianlewis/orgs", - "received_events_url": "https://api.github.com/users/ianlewis/received_events", - "repos_url": "https://api.github.com/users/ianlewis/repos", + "html_url": "https://github.com/laurentsimon", + "id": 64505099, + "login": "laurentsimon", + "node_id": "MDQ6VXNlcjY0NTA1MDk5", + "organizations_url": "https://api.github.com/users/laurentsimon/orgs", + "received_events_url": "https://api.github.com/users/laurentsimon/received_events", + "repos_url": "https://api.github.com/users/laurentsimon/repos", "site_admin": false, - 
"starred_url": "https://api.github.com/users/ianlewis/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/ianlewis/subscriptions", + "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", "type": "User", - "url": "https://api.github.com/users/ianlewis" + "url": "https://api.github.com/users/laurentsimon" } }, "github_head_ref": "", - "github_ref": "refs/tags/v2.3.0", + "github_ref": "refs/tags/v2.4.0", "github_ref_type": "tag", "github_repository_id": "474162642", "github_repository_owner": "slsa-framework", "github_repository_owner_id": "80431187", "github_run_attempt": "1", - "github_run_id": "4952932038", - "github_run_number": "324", - "github_sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "github_run_id": "5978382772", + "github_run_number": "434", + "github_sha1": "73d1bcba982de0f644baec83df839399d13f472e", "os": "ubuntu22" } }, @@ -796,7 +796,7 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "mod", "vendor" ], @@ -805,12 +805,12 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "build", "-mod=vendor", "-trimpath", "-tags=netgo", - "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.3.0", + "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.0", "-o", "slsa-verifier-linux-amd64" ], @@ -825,7 +825,7 @@ "version": 1 }, "metadata": { - "buildInvocationID": "4952932038-1", + "buildInvocationID": "5978382772-1", "completeness": { "parameters": true, "environment": false, 
@@ -835,13 +835,13 @@ }, "materials": [ { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" } }, { - "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230507.1" + "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230821.1.0" } ] } 
@@ -853,44 +853,44 @@ { "name": "slsa-verifier-linux-arm64", "digest": { - "sha256": "59cadeaee0705dfe453e487188528a9d18864f95f5b1a34492ff69264692d327" + "sha256": "bb025462acd9e93da32694e3ed82bfa57cb487a28c989a083caf2a3569d3cfbe" } } ], "predicate": { "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.5.0" + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" }, "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", "invocation": { "configSource": { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" }, "entryPoint": ".github/workflows/release.yml" }, "parameters": {}, "environment": { "arch": "X64", - "github_actor": "ianlewis", - "github_actor_id": "49289", + "github_actor": "laurentsimon", + "github_actor_id": "64505099", "github_base_ref": "", "github_event_name": "push", "github_event_payload": { - "after": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "after": "73d1bcba982de0f644baec83df839399d13f472e", "base_ref": "refs/heads/main", "before": "0000000000000000000000000000000000000000", "commits": [], - "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.3.0", + "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.0", "created": true, "deleted": false, "forced": false, "head_commit": { "author": { - "email": "bot@renovateapp.com", - "name": "Mend Renovate", - "username": "renovate-bot" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon", + "username": "laurentsimon" }, "committer": { "email": "noreply@github.com", 
@@ -898,11 +898,11 @@ "username": "web-flow" }, "distinct": true, - "id": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", - "message": "chore(deps): update npm dev (#586)\n\nSigned-off-by: Renovate Bot \r\nCo-authored-by: Ian Lewis ", - "timestamp": "2023-05-10T00:48:36Z", - "tree_id": "b35aa02e95c56e048c8b75b62392a9f4ec2bd371", - "url": "https://github.com/slsa-framework/slsa-verifier/commit/c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "id": "73d1bcba982de0f644baec83df839399d13f472e", + "message": "fix: release failure (#697)\n\nSigned-off-by: laurentsimon ", + "timestamp": "2023-08-24T15:58:45-07:00", + "tree_id": "d2cb05a78e786bae14eb5882770089b68068c12e", + "url": "https://github.com/slsa-framework/slsa-verifier/commit/73d1bcba982de0f644baec83df839399d13f472e" }, "organization": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -919,10 +919,10 @@ "url": "https://api.github.com/orgs/slsa-framework" }, "pusher": { - "email": "ianlewis@google.com", - "name": "ianlewis" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon" }, - "ref": "refs/tags/v2.3.0", + "ref": "refs/tags/v2.4.0", "repository": { "allow_forking": true, "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", @@ -945,8 +945,8 @@ "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", "fork": false, - "forks": 32, - "forks_count": 32, + "forks": 34, + "forks_count": 34, "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", "full_name": "slsa-framework/slsa-verifier", "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", 
@@ -985,8 +985,8 @@ "name": "slsa-verifier", "node_id": "R_kgDOHEMl0g", "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", - "open_issues": 98, - "open_issues_count": 98, + "open_issues": 119, + "open_issues_count": 119, "organization": "slsa-framework", "owner": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -1012,12 +1012,12 @@ }, "private": false, "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", - "pushed_at": 1683842480, + "pushed_at": 1692982103, "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", - "size": 81033, + "size": 89668, "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", - "stargazers": 104, - "stargazers_count": 104, + "stargazers": 132, + "stargazers_count": 132, "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", 
@@ -1027,44 +1027,44 @@ "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", "topics": [], "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", - "updated_at": "2023-05-11T04:14:07Z", + "updated_at": "2023-08-22T02:50:28Z", "url": "https://github.com/slsa-framework/slsa-verifier", "visibility": "public", - "watchers": 104, - "watchers_count": 104, + "watchers": 132, + "watchers_count": 132, "web_commit_signoff_required": true }, "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/49289?v=4", - "events_url": "https://api.github.com/users/ianlewis/events{/privacy}", - "followers_url": "https://api.github.com/users/ianlewis/followers", - "following_url": "https://api.github.com/users/ianlewis/following{/other_user}", - "gists_url": "https://api.github.com/users/ianlewis/gists{/gist_id}", + "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", + "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", + "followers_url": "https://api.github.com/users/laurentsimon/followers", + "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", + "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", "gravatar_id": "", - "html_url": "https://github.com/ianlewis", - "id": 49289, - "login": "ianlewis", - "node_id": "MDQ6VXNlcjQ5Mjg5", - "organizations_url": "https://api.github.com/users/ianlewis/orgs", - "received_events_url": "https://api.github.com/users/ianlewis/received_events", - "repos_url": "https://api.github.com/users/ianlewis/repos", + "html_url": "https://github.com/laurentsimon", + "id": 64505099, + "login": "laurentsimon", + "node_id": "MDQ6VXNlcjY0NTA1MDk5", + "organizations_url": "https://api.github.com/users/laurentsimon/orgs", + "received_events_url": "https://api.github.com/users/laurentsimon/received_events", + "repos_url": "https://api.github.com/users/laurentsimon/repos", "site_admin": false, - 
"starred_url": "https://api.github.com/users/ianlewis/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/ianlewis/subscriptions", + "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", "type": "User", - "url": "https://api.github.com/users/ianlewis" + "url": "https://api.github.com/users/laurentsimon" } }, "github_head_ref": "", - "github_ref": "refs/tags/v2.3.0", + "github_ref": "refs/tags/v2.4.0", "github_ref_type": "tag", "github_repository_id": "474162642", "github_repository_owner": "slsa-framework", "github_repository_owner_id": "80431187", "github_run_attempt": "1", - "github_run_id": "4952932038", - "github_run_number": "324", - "github_sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "github_run_id": "5978382772", + "github_run_number": "434", + "github_sha1": "73d1bcba982de0f644baec83df839399d13f472e", "os": "ubuntu22" } }, @@ -1073,7 +1073,7 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "mod", "vendor" ], @@ -1082,12 +1082,12 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "build", "-mod=vendor", "-trimpath", "-tags=netgo", - "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.3.0", + "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.0", "-o", "slsa-verifier-linux-arm64" ], @@ -1102,7 +1102,7 @@ "version": 1 }, "metadata": { - "buildInvocationID": "4952932038-1", + "buildInvocationID": "5978382772-1", "completeness": { "parameters": true, "environment": false, 
@@ -1112,13 +1112,13 @@ }, "materials": [ { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" } }, { - "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230507.1" + "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230821.1.0" } ] } 
@@ -1130,44 +1130,44 @@ { "name": "slsa-verifier-windows-amd64.exe", "digest": { - "sha256": "2a9e77e97045ba6a3d033011a9fa0ced7dbf60354738420591ec31beaee43830" + "sha256": "a8ea35a4abf450f3828d42cf0b9be3628692508184bec8610a472a7bf4afc843" } } ], "predicate": { "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.5.0" + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" }, "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", "invocation": { "configSource": { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" }, "entryPoint": ".github/workflows/release.yml" }, "parameters": {}, "environment": { "arch": "X64", - "github_actor": "ianlewis", - "github_actor_id": "49289", + "github_actor": "laurentsimon", + "github_actor_id": "64505099", "github_base_ref": "", "github_event_name": "push", "github_event_payload": { - "after": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "after": "73d1bcba982de0f644baec83df839399d13f472e", "base_ref": "refs/heads/main", "before": "0000000000000000000000000000000000000000", "commits": [], - "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.3.0", + "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.0", "created": true, "deleted": false, "forced": false, "head_commit": { "author": { - "email": "bot@renovateapp.com", - "name": "Mend Renovate", - "username": "renovate-bot" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon", + "username": "laurentsimon" }, "committer": { "email": "noreply@github.com", 
@@ -1175,11 +1175,11 @@ "username": "web-flow" }, "distinct": true, - "id": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", - "message": "chore(deps): update npm dev (#586)\n\nSigned-off-by: Renovate Bot \r\nCo-authored-by: Ian Lewis ", - "timestamp": "2023-05-10T00:48:36Z", - "tree_id": "b35aa02e95c56e048c8b75b62392a9f4ec2bd371", - "url": "https://github.com/slsa-framework/slsa-verifier/commit/c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "id": "73d1bcba982de0f644baec83df839399d13f472e", + "message": "fix: release failure (#697)\n\nSigned-off-by: laurentsimon ", + "timestamp": "2023-08-24T15:58:45-07:00", + "tree_id": "d2cb05a78e786bae14eb5882770089b68068c12e", + "url": "https://github.com/slsa-framework/slsa-verifier/commit/73d1bcba982de0f644baec83df839399d13f472e" }, "organization": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -1196,10 +1196,10 @@ "url": "https://api.github.com/orgs/slsa-framework" }, "pusher": { - "email": "ianlewis@google.com", - "name": "ianlewis" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon" }, - "ref": "refs/tags/v2.3.0", + "ref": "refs/tags/v2.4.0", "repository": { "allow_forking": true, "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", @@ -1222,8 +1222,8 @@ "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", "fork": false, - "forks": 32, - "forks_count": 32, + "forks": 34, + "forks_count": 34, "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", "full_name": "slsa-framework/slsa-verifier", "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", 
@@ -1262,8 +1262,8 @@ "name": "slsa-verifier", "node_id": "R_kgDOHEMl0g", "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", - "open_issues": 98, - "open_issues_count": 98, + "open_issues": 119, + "open_issues_count": 119, "organization": "slsa-framework", "owner": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -1289,12 +1289,12 @@ }, "private": false, "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", - "pushed_at": 1683842480, + "pushed_at": 1692982103, "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", - "size": 81033, + "size": 89668, "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", - "stargazers": 104, - "stargazers_count": 104, + "stargazers": 132, + "stargazers_count": 132, "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", 
@@ -1304,44 +1304,44 @@ "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", "topics": [], "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", - "updated_at": "2023-05-11T04:14:07Z", + "updated_at": "2023-08-22T02:50:28Z", "url": "https://github.com/slsa-framework/slsa-verifier", "visibility": "public", - "watchers": 104, - "watchers_count": 104, + "watchers": 132, + "watchers_count": 132, "web_commit_signoff_required": true }, "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/49289?v=4", - "events_url": "https://api.github.com/users/ianlewis/events{/privacy}", - "followers_url": "https://api.github.com/users/ianlewis/followers", - "following_url": "https://api.github.com/users/ianlewis/following{/other_user}", - "gists_url": "https://api.github.com/users/ianlewis/gists{/gist_id}", + "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", + "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", + "followers_url": "https://api.github.com/users/laurentsimon/followers", + "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", + "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", "gravatar_id": "", - "html_url": "https://github.com/ianlewis", - "id": 49289, - "login": "ianlewis", - "node_id": "MDQ6VXNlcjQ5Mjg5", - "organizations_url": "https://api.github.com/users/ianlewis/orgs", - "received_events_url": "https://api.github.com/users/ianlewis/received_events", - "repos_url": "https://api.github.com/users/ianlewis/repos", + "html_url": "https://github.com/laurentsimon", + "id": 64505099, + "login": "laurentsimon", + "node_id": "MDQ6VXNlcjY0NTA1MDk5", + "organizations_url": "https://api.github.com/users/laurentsimon/orgs", + "received_events_url": "https://api.github.com/users/laurentsimon/received_events", + "repos_url": "https://api.github.com/users/laurentsimon/repos", "site_admin": false, - 
"starred_url": "https://api.github.com/users/ianlewis/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/ianlewis/subscriptions", + "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", "type": "User", - "url": "https://api.github.com/users/ianlewis" + "url": "https://api.github.com/users/laurentsimon" } }, "github_head_ref": "", - "github_ref": "refs/tags/v2.3.0", + "github_ref": "refs/tags/v2.4.0", "github_ref_type": "tag", "github_repository_id": "474162642", "github_repository_owner": "slsa-framework", "github_repository_owner_id": "80431187", "github_run_attempt": "1", - "github_run_id": "4952932038", - "github_run_number": "324", - "github_sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "github_run_id": "5978382772", + "github_run_number": "434", + "github_sha1": "73d1bcba982de0f644baec83df839399d13f472e", "os": "ubuntu22" } }, @@ -1350,7 +1350,7 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "mod", "vendor" ], @@ -1359,12 +1359,12 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "build", "-mod=vendor", "-trimpath", "-tags=netgo", - "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.3.0", + "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.0", "-o", "slsa-verifier-windows-amd64.exe" ], @@ -1379,7 +1379,7 @@ "version": 1 }, "metadata": { - "buildInvocationID": "4952932038-1", + "buildInvocationID": "5978382772-1", "completeness": { "parameters": true, "environment": false, 
@@ -1389,13 +1389,13 @@ }, "materials": [ { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" } }, { - "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230507.1" + "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230821.1.0" } ] } 
@@ -1407,44 +1407,44 @@ { "name": "slsa-verifier-windows-arm64.exe", "digest": { - "sha256": "2e3713d93662060dbe5116c3e8cdfa4d93b8f33e97ef256fd82b9f0d160eb7ce" + "sha256": "b14cd8228fecabe53e3676ec2d94b53d7aee11f6f5a8dabbe07e840143d48e8d" } } ], "predicate": { "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.5.0" + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" }, "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", "invocation": { "configSource": { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" }, "entryPoint": ".github/workflows/release.yml" }, "parameters": {}, "environment": { "arch": "X64", - "github_actor": "ianlewis", - "github_actor_id": "49289", + "github_actor": "laurentsimon", + "github_actor_id": "64505099", "github_base_ref": "", "github_event_name": "push", "github_event_payload": { - "after": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "after": "73d1bcba982de0f644baec83df839399d13f472e", "base_ref": "refs/heads/main", "before": "0000000000000000000000000000000000000000", "commits": [], - "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.3.0", + "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.0", "created": true, "deleted": false, "forced": false, "head_commit": { "author": { - "email": "bot@renovateapp.com", - "name": "Mend Renovate", - "username": "renovate-bot" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon", + "username": "laurentsimon" }, "committer": { "email": "noreply@github.com", 
@@ -1452,11 +1452,11 @@ "username": "web-flow" }, "distinct": true, - "id": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", - "message": "chore(deps): update npm dev (#586)\n\nSigned-off-by: Renovate Bot \r\nCo-authored-by: Ian Lewis ", - "timestamp": "2023-05-10T00:48:36Z", - "tree_id": "b35aa02e95c56e048c8b75b62392a9f4ec2bd371", - "url": "https://github.com/slsa-framework/slsa-verifier/commit/c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "id": "73d1bcba982de0f644baec83df839399d13f472e", + "message": "fix: release failure (#697)\n\nSigned-off-by: laurentsimon ", + "timestamp": "2023-08-24T15:58:45-07:00", + "tree_id": "d2cb05a78e786bae14eb5882770089b68068c12e", + "url": "https://github.com/slsa-framework/slsa-verifier/commit/73d1bcba982de0f644baec83df839399d13f472e" }, "organization": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -1473,10 +1473,10 @@ "url": "https://api.github.com/orgs/slsa-framework" }, "pusher": { - "email": "ianlewis@google.com", - "name": "ianlewis" + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon" }, - "ref": "refs/tags/v2.3.0", + "ref": "refs/tags/v2.4.0", "repository": { "allow_forking": true, "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", @@ -1499,8 +1499,8 @@ "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", "fork": false, - "forks": 32, - "forks_count": 32, + "forks": 34, + "forks_count": 34, "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", "full_name": "slsa-framework/slsa-verifier", "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", 
@@ -1539,8 +1539,8 @@ "name": "slsa-verifier", "node_id": "R_kgDOHEMl0g", "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", - "open_issues": 98, - "open_issues_count": 98, + "open_issues": 119, + "open_issues_count": 119, "organization": "slsa-framework", "owner": { "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", @@ -1566,12 +1566,12 @@ }, "private": false, "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", - "pushed_at": 1683842480, + "pushed_at": 1692982103, "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", - "size": 81033, + "size": 89668, "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", - "stargazers": 104, - "stargazers_count": 104, + "stargazers": 132, + "stargazers_count": 132, "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", 
@@ -1581,44 +1581,44 @@ "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", "topics": [], "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", - "updated_at": "2023-05-11T04:14:07Z", + "updated_at": "2023-08-22T02:50:28Z", "url": "https://github.com/slsa-framework/slsa-verifier", "visibility": "public", - "watchers": 104, - "watchers_count": 104, + "watchers": 132, + "watchers_count": 132, "web_commit_signoff_required": true }, "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/49289?v=4", - "events_url": "https://api.github.com/users/ianlewis/events{/privacy}", - "followers_url": "https://api.github.com/users/ianlewis/followers", - "following_url": "https://api.github.com/users/ianlewis/following{/other_user}", - "gists_url": "https://api.github.com/users/ianlewis/gists{/gist_id}", + "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", + "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", + "followers_url": "https://api.github.com/users/laurentsimon/followers", + "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", + "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", "gravatar_id": "", - "html_url": "https://github.com/ianlewis", - "id": 49289, - "login": "ianlewis", - "node_id": "MDQ6VXNlcjQ5Mjg5", - "organizations_url": "https://api.github.com/users/ianlewis/orgs", - "received_events_url": "https://api.github.com/users/ianlewis/received_events", - "repos_url": "https://api.github.com/users/ianlewis/repos", + "html_url": "https://github.com/laurentsimon", + "id": 64505099, + "login": "laurentsimon", + "node_id": "MDQ6VXNlcjY0NTA1MDk5", + "organizations_url": "https://api.github.com/users/laurentsimon/orgs", + "received_events_url": "https://api.github.com/users/laurentsimon/received_events", + "repos_url": "https://api.github.com/users/laurentsimon/repos", "site_admin": false, - 
"starred_url": "https://api.github.com/users/ianlewis/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/ianlewis/subscriptions", + "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", "type": "User", - "url": "https://api.github.com/users/ianlewis" + "url": "https://api.github.com/users/laurentsimon" } }, "github_head_ref": "", - "github_ref": "refs/tags/v2.3.0", + "github_ref": "refs/tags/v2.4.0", "github_ref_type": "tag", "github_repository_id": "474162642", "github_repository_owner": "slsa-framework", "github_repository_owner_id": "80431187", "github_run_attempt": "1", - "github_run_id": "4952932038", - "github_run_number": "324", - "github_sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc", + "github_run_id": "5978382772", + "github_run_number": "434", + "github_sha1": "73d1bcba982de0f644baec83df839399d13f472e", "os": "ubuntu22" } }, @@ -1627,7 +1627,7 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "mod", "vendor" ], @@ -1636,12 +1636,12 @@ { "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", "command": [ - "/opt/hostedtoolcache/go/1.18.10/x64/bin/go", + "/opt/hostedtoolcache/go/1.20.7/x64/bin/go", "build", "-mod=vendor", "-trimpath", "-tags=netgo", - "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.3.0", + "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.0", "-o", "slsa-verifier-windows-arm64.exe" ], @@ -1656,7 +1656,7 @@ "version": 1 }, "metadata": { - "buildInvocationID": "4952932038-1", + "buildInvocationID": "5978382772-1", "completeness": { "parameters": true, "environment": false, 
@@ -1666,13 +1666,13 @@ }, "materials": [ { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.3.0", + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.0", "digest": { - "sha1": "c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc" + "sha1": "73d1bcba982de0f644baec83df839399d13f472e" } }, { - "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230507.1" + "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20230821.1.0" } ] } @@ -1683,7 +1683,7 @@ "checks": { "summary": { "DISABLED": 0, - "FAILED": 1, + "FAILED": 2, "PASSED": 8, "SKIPPED": 0, "UNKNOWN": 0 @@ -1768,20 +1768,6 @@ ], "result_type": "PASSED" }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "check_description": "Check whether the target has a level-1 witness provenance.", - "slsa_requirements": [ - "Provenance - Available - SLSA Level 1", - "Provenance content - Identifies build instructions - SLSA Level 1", - "Provenance content - Identifies artifacts - SLSA Level 1", - "Provenance content - Identifies builder - SLSA Level 1" - ], - "justification": [ - "Failed to discover any witness provenance." - ], - "result_type": "FAILED" - }, { "check_id": "mcn_trusted_builder_level_three_1", "check_description": "Check whether the target uses a trusted SLSA level 3 builder.", 
@@ -1811,6 +1797,31 @@ } ], "result_type": "PASSED" + }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "check_description": "Check whether the target has a level-1 witness provenance.", + "slsa_requirements": [ + "Provenance - Available - SLSA Level 1", + "Provenance content - Identifies build instructions - SLSA Level 1", + "Provenance content - Identifies artifacts - SLSA Level 1", + "Provenance content - Identifies builder - SLSA Level 1" + ], + "justification": [ + "Failed to discover any witness provenance." + ], + "result_type": "FAILED" } ] } @@ -1823,10 +1834,18 @@ "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 @@ -1850,10 +1869,6 @@ { "check_id": "mcn_build_service_1", "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "num_deps_pass": 0 } ], "dep_status": [] diff --git a/tests/e2e/expected_results/tinyMediaManager/tinyMediaManager.json b/tests/e2e/expected_results/tinyMediaManager/tinyMediaManager.json index 26c5745eb..bbe1ada0c 100644 --- a/tests/e2e/expected_results/tinyMediaManager/tinyMediaManager.json +++ b/tests/e2e/expected_results/tinyMediaManager/tinyMediaManager.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-07-08 12:28:33" + "timestamps": "2023-09-12 17:07:11" }, "target": { "info": { 
@@ -35,7 +35,10 @@ "parameters": {}, "environment": {} }, - "buildConfig": {}, + "buildConfig": { + "jobID": "", + "stepID": "" + }, "metadata": { "buildInvocationId": "", "buildStartedOn": "", @@ -55,13 +58,14 @@ ] } } - ] + ], + "Maven Central Registry": [] } }, "checks": { "summary": { "DISABLED": 0, - "FAILED": 7, + "FAILED": 8, "PASSED": 2, "SKIPPED": 0, "UNKNOWN": 0 @@ -74,7 +78,8 @@ "Scripted Build - SLSA Level 1" ], "justification": [ - "The target repository uses build tool maven." + "The target repository uses build tool maven.", + "The target repository uses build tool docker." ], "result_type": "PASSED" }, @@ -98,7 +103,8 @@ "Build as code - SLSA Level 3" ], "justification": [ - "The target repository does not use maven to deploy." + "The target repository does not use maven to deploy.", + "The target repository does not use docker to deploy." ], "result_type": "FAILED" }, @@ -110,10 +116,22 @@ ], "justification": [ "The target repository does not have a build service for maven.", + "The target repository does not have a build service for docker.", "The target repository does not have a build service for at least one build tool." ], "result_type": "FAILED" }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Check mcn_infer_artifact_pipeline_1 is set to FAILED because mcn_build_as_code_1 FAILED." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_available_1", "check_description": "Check whether the target has intoto provenance.", 
@@ -189,19 +207,19 @@ "unique_dep_repos": 0, "checks_summary": [ { - "check_id": "mcn_trusted_builder_level_three_1", + "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_level_three_1", + "check_id": "mcn_provenance_witness_level_one_1", "num_deps_pass": 0 }, { - "check_id": "mcn_version_control_system_1", + "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, { - "check_id": "mcn_build_service_1", + "check_id": "mcn_infer_artifact_pipeline_1", "num_deps_pass": 0 }, { @@ -209,19 +227,23 @@ "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_available_1", + "check_id": "mcn_version_control_system_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_witness_level_one_1", + "check_id": "mcn_trusted_builder_level_three_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_expectation_1", + "check_id": "mcn_build_script_1", "num_deps_pass": 0 }, { - "check_id": "mcn_build_script_1", + "check_id": "mcn_provenance_level_three_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_build_service_1", "num_deps_pass": 0 } ], diff --git a/tests/e2e/expected_results/urllib3/urllib3.json b/tests/e2e/expected_results/urllib3/urllib3.json index 9fab9f184..1a24d23ef 100644 --- a/tests/e2e/expected_results/urllib3/urllib3.json +++ b/tests/e2e/expected_results/urllib3/urllib3.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-07-08 03:12:00" + "timestamps": "2023-09-12 20:10:10" }, "target": { "info": { 
@@ -20,51 +20,51 @@ "predicateType": "https://slsa.dev/provenance/v0.2", "subject": [ { - "name": "urllib3-2.0.3-py3-none-any.whl", + "name": "urllib3-2.0.4-py3-none-any.whl", "digest": { - "sha256": "48e7fafa40319d358848e1bc6809b208340fafe2096f1725d05d67443d0483d1" + "sha256": "de7df1803967d2c2a98e4b11bb7d6bd9210474c46e8a0401514e3a42a75ebde4" } }, { - "name": "urllib3-2.0.3.tar.gz", + "name": "urllib3-2.0.4.tar.gz", "digest": { - "sha256": "bee28b5e56addb8226c96f7f13ac28cb4c301dd5ea8a6ca179c0b9835e032825" + "sha256": "8d22f86aae8ef5e410d4f539fde9ce6b2113a001bb4d189e0aed70642d602b11" } } ], "predicate": { "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.6.0" + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0" }, "buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1", "invocation": { "configSource": { - "uri": "git+https://github.com/urllib3/urllib3@refs/tags/2.0.3", + "uri": "git+https://github.com/urllib3/urllib3@refs/tags/2.0.4", "digest": { - "sha1": "92196a0f08b2c2139117546ccfbdd3429eb72469" + "sha1": "c9fa144545eedb5dc4a2cc3f255e95602a1d7db0" }, "entryPoint": ".github/workflows/publish.yml" }, "parameters": {}, "environment": { - "github_actor": "pquentin", - "github_actor_id": "42327", + "github_actor": "illia-v", + "github_actor_id": "17710133", "github_base_ref": "", "github_event_name": "push", "github_event_payload": { - "after": "cb04c8e4603e062373fb62958809e4d0c32cef09", + "after": "d267c99f7e890ff22e136c34d29be802d9c2e773", "base_ref": null, "before": "0000000000000000000000000000000000000000", "commits": [], - "compare": "https://github.com/urllib3/urllib3/compare/2.0.3", + "compare": "https://github.com/urllib3/urllib3/compare/2.0.4", "created": true, "deleted": false, "forced": false, "head_commit": { "author": { - "email": "sethmichaellarson@gmail.com", - 
"name": "Seth Michael Larson", - "username": "sethmlarson" + "email": "64815328+Eutropios@users.noreply.github.com", + "name": "Noah Jenner", + "username": "Eutropios" }, "committer": { "email": "noreply@github.com", @@ -72,11 +72,11 @@ "username": "web-flow" }, "distinct": true, - "id": "92196a0f08b2c2139117546ccfbdd3429eb72469", - "message": "Release 2.0.3", - "timestamp": "2023-06-07T12:13:12+02:00", - "tree_id": "cffe7d9ddbff2e682cded4c146687767b561c5a9", - "url": "https://github.com/urllib3/urllib3/commit/92196a0f08b2c2139117546ccfbdd3429eb72469" + "id": "c9fa144545eedb5dc4a2cc3f255e95602a1d7db0", + "message": "Release version 2.0.4 (#3084)\n\nCo-authored-by: Illia Volochii ", + "timestamp": "2023-07-19T17:46:02+03:00", + "tree_id": "e61f50347e7bb803a0c8942ba63fe917c8424f77", + "url": "https://github.com/urllib3/urllib3/commit/c9fa144545eedb5dc4a2cc3f255e95602a1d7db0" }, "organization": { "avatar_url": "https://avatars.githubusercontent.com/u/26825299?v=4", @@ -93,10 +93,10 @@ "url": "https://api.github.com/orgs/urllib3" }, "pusher": { - "email": "quentin.pradet@gmail.com", - "name": "pquentin" + "email": "illia.volochii@gmail.com", + "name": "illia-v" }, - "ref": "refs/tags/2.0.3", + "ref": "refs/tags/2.0.4", "repository": { "allow_forking": true, "archive_url": "https://api.github.com/repos/urllib3/urllib3/{archive_format}{/ref}", @@ -119,8 +119,8 @@ "downloads_url": "https://api.github.com/repos/urllib3/urllib3/downloads", "events_url": "https://api.github.com/repos/urllib3/urllib3/events", "fork": false, - "forks": 1071, - "forks_count": 1071, + "forks": 1078, + "forks_count": 1078, "forks_url": "https://api.github.com/repos/urllib3/urllib3/forks", "full_name": "urllib3/urllib3", "git_commits_url": "https://api.github.com/repos/urllib3/urllib3/git/commits{/sha}", 
@@ -159,8 +159,8 @@ "name": "urllib3", "node_id": "MDEwOlJlcG9zaXRvcnkyNDEwNjc2", "notifications_url": "https://api.github.com/repos/urllib3/urllib3/notifications{?since,all,participating}", - "open_issues": 124, - "open_issues_count": 124, + "open_issues": 125, + "open_issues_count": 125, "organization": "urllib3", "owner": { "avatar_url": "https://avatars.githubusercontent.com/u/26825299?v=4", @@ -186,12 +186,12 @@ }, "private": false, "pulls_url": "https://api.github.com/repos/urllib3/urllib3/pulls{/number}", - "pushed_at": 1686132884, + "pushed_at": 1689779927, "releases_url": "https://api.github.com/repos/urllib3/urllib3/releases{/id}", - "size": 7215, + "size": 7242, "ssh_url": "git@github.com:urllib3/urllib3.git", - "stargazers": 3419, - "stargazers_count": 3419, + "stargazers": 3452, + "stargazers_count": 3452, "stargazers_url": "https://api.github.com/repos/urllib3/urllib3/stargazers", "statuses_url": "https://api.github.com/repos/urllib3/urllib3/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/urllib3/urllib3/subscribers", 
@@ -206,48 +206,48 @@ "urllib3" ], "trees_url": "https://api.github.com/repos/urllib3/urllib3/git/trees{/sha}", - "updated_at": "2023-06-07T06:42:49Z", + "updated_at": "2023-07-19T02:19:14Z", "url": "https://github.com/urllib3/urllib3", "visibility": "public", - "watchers": 3419, - "watchers_count": 3419, + "watchers": 3452, + "watchers_count": 3452, "web_commit_signoff_required": false }, "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/42327?v=4", - "events_url": "https://api.github.com/users/pquentin/events{/privacy}", - "followers_url": "https://api.github.com/users/pquentin/followers", - "following_url": "https://api.github.com/users/pquentin/following{/other_user}", - "gists_url": "https://api.github.com/users/pquentin/gists{/gist_id}", + "avatar_url": "https://avatars.githubusercontent.com/u/17710133?v=4", + "events_url": "https://api.github.com/users/illia-v/events{/privacy}", + "followers_url": "https://api.github.com/users/illia-v/followers", + "following_url": "https://api.github.com/users/illia-v/following{/other_user}", + "gists_url": "https://api.github.com/users/illia-v/gists{/gist_id}", "gravatar_id": "", - "html_url": "https://github.com/pquentin", - "id": 42327, - "login": "pquentin", - "node_id": "MDQ6VXNlcjQyMzI3", - "organizations_url": "https://api.github.com/users/pquentin/orgs", - "received_events_url": "https://api.github.com/users/pquentin/received_events", - "repos_url": "https://api.github.com/users/pquentin/repos", + "html_url": "https://github.com/illia-v", + "id": 17710133, + "login": "illia-v", + "node_id": "MDQ6VXNlcjE3NzEwMTMz", + "organizations_url": "https://api.github.com/users/illia-v/orgs", + "received_events_url": "https://api.github.com/users/illia-v/received_events", + "repos_url": "https://api.github.com/users/illia-v/repos", "site_admin": false, - "starred_url": "https://api.github.com/users/pquentin/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/pquentin/subscriptions", 
+ "starred_url": "https://api.github.com/users/illia-v/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/illia-v/subscriptions", "type": "User", - "url": "https://api.github.com/users/pquentin" + "url": "https://api.github.com/users/illia-v" } }, "github_head_ref": "", - "github_ref": "refs/tags/2.0.3", + "github_ref": "refs/tags/2.0.4", "github_ref_type": "tag", "github_repository_id": "2410676", "github_repository_owner": "urllib3", "github_repository_owner_id": "26825299", "github_run_attempt": "1", - "github_run_id": "5198755918", - "github_run_number": "19", - "github_sha1": "92196a0f08b2c2139117546ccfbdd3429eb72469" + "github_run_id": "5600993171", + "github_run_number": "21", + "github_sha1": "c9fa144545eedb5dc4a2cc3f255e95602a1d7db0" } }, "metadata": { - "buildInvocationID": "5198755918-1", + "buildInvocationID": "5600993171-1", "completeness": { "parameters": true, "environment": false, @@ -257,9 +257,9 @@ }, "materials": [ { - "uri": "git+https://github.com/urllib3/urllib3@refs/tags/2.0.3", + "uri": "git+https://github.com/urllib3/urllib3@refs/tags/2.0.4", "digest": { - "sha1": "92196a0f08b2c2139117546ccfbdd3429eb72469" + "sha1": "c9fa144545eedb5dc4a2cc3f255e95602a1d7db0" } } ] @@ -271,7 +271,7 @@ "checks": { "summary": { "DISABLED": 0, - "FAILED": 2, + "FAILED": 3, "PASSED": 7, "SKIPPED": 0, "UNKNOWN": 0 
@@ -352,10 +352,34 @@ ], "justification": [ "Successfully verified level 3: ", - "verify passed: urllib3-2.0.3-py3-none-any.whl,verify passed: urllib3-2.0.3.tar.gz" + "verify passed : urllib3-2.0.4-py3-none-any.whl,verify passed : urllib3-2.0.4.tar.gz" ], "result_type": "PASSED" }, + { + "check_id": "mcn_version_control_system_1", + "check_description": "Check whether the target repo uses a version control system.", + "slsa_requirements": [ + "Version controlled - SLSA Level 2" + ], + "justification": [ + { + "This is a Git repository": "https://github.com/urllib3/urllib3" + } + ], + "result_type": "PASSED" + }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_witness_level_one_1", "check_description": "Check whether the target has a level-1 witness provenance.", @@ -370,19 +394,6 @@ ], "result_type": "FAILED" }, - { - "check_id": "mcn_version_control_system_1", - "check_description": "Check whether the target repo uses a version control system.", - "slsa_requirements": [ - "Version controlled - SLSA Level 2" - ], - "justification": [ - { - "This is a Git repository": "https://github.com/urllib3/urllib3" - } - ], - "result_type": "PASSED" - }, { "check_id": "mcn_trusted_builder_level_three_1", "check_description": "Check whether the target uses a trusted SLSA level 3 builder.", @@ -408,10 +419,18 @@ "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 
@@ -435,10 +454,6 @@ { "check_id": "mcn_build_service_1", "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "num_deps_pass": 0 } ], "dep_status": [] diff --git a/tests/e2e/expected_results/urllib3/urllib3_cue_invalid.json b/tests/e2e/expected_results/urllib3/urllib3_cue_invalid.json index 5e087a0fc..b41112913 100644 --- a/tests/e2e/expected_results/urllib3/urllib3_cue_invalid.json +++ b/tests/e2e/expected_results/urllib3/urllib3_cue_invalid.json @@ -1,6 +1,6 @@ { "metadata": { - "timestamps": "2023-07-08 21:42:11" + "timestamps": "2023-09-12 17:36:12" }, "target": { "info": { 
@@ -20,51 +20,51 @@ "predicateType": "https://slsa.dev/provenance/v0.2", "subject": [ { - "name": "urllib3-2.0.3-py3-none-any.whl", + "name": "urllib3-2.0.4-py3-none-any.whl", "digest": { - "sha256": "48e7fafa40319d358848e1bc6809b208340fafe2096f1725d05d67443d0483d1" + "sha256": "de7df1803967d2c2a98e4b11bb7d6bd9210474c46e8a0401514e3a42a75ebde4" } }, { - "name": "urllib3-2.0.3.tar.gz", + "name": "urllib3-2.0.4.tar.gz", "digest": { - "sha256": "bee28b5e56addb8226c96f7f13ac28cb4c301dd5ea8a6ca179c0b9835e032825" + "sha256": "8d22f86aae8ef5e410d4f539fde9ce6b2113a001bb4d189e0aed70642d602b11" } } ], "predicate": { "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.6.0" + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0" }, "buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1", "invocation": { "configSource": { - "uri": "git+https://github.com/urllib3/urllib3@refs/tags/2.0.3", + "uri": "git+https://github.com/urllib3/urllib3@refs/tags/2.0.4", "digest": { - "sha1": "92196a0f08b2c2139117546ccfbdd3429eb72469" + "sha1": "c9fa144545eedb5dc4a2cc3f255e95602a1d7db0" }, "entryPoint": ".github/workflows/publish.yml" }, "parameters": {}, "environment": { - "github_actor": "pquentin", - "github_actor_id": "42327", + "github_actor": "illia-v", + "github_actor_id": "17710133", "github_base_ref": "", "github_event_name": "push", "github_event_payload": { - "after": "cb04c8e4603e062373fb62958809e4d0c32cef09", + "after": "d267c99f7e890ff22e136c34d29be802d9c2e773", "base_ref": null, "before": "0000000000000000000000000000000000000000", "commits": [], - "compare": "https://github.com/urllib3/urllib3/compare/2.0.3", + "compare": "https://github.com/urllib3/urllib3/compare/2.0.4", "created": true, "deleted": false, "forced": false, "head_commit": { "author": { - "email": "sethmichaellarson@gmail.com", - 
"name": "Seth Michael Larson", - "username": "sethmlarson" + "email": "64815328+Eutropios@users.noreply.github.com", + "name": "Noah Jenner", + "username": "Eutropios" }, "committer": { "email": "noreply@github.com", @@ -72,11 +72,11 @@ "username": "web-flow" }, "distinct": true, - "id": "92196a0f08b2c2139117546ccfbdd3429eb72469", - "message": "Release 2.0.3", - "timestamp": "2023-06-07T12:13:12+02:00", - "tree_id": "cffe7d9ddbff2e682cded4c146687767b561c5a9", - "url": "https://github.com/urllib3/urllib3/commit/92196a0f08b2c2139117546ccfbdd3429eb72469" + "id": "c9fa144545eedb5dc4a2cc3f255e95602a1d7db0", + "message": "Release version 2.0.4 (#3084)\n\nCo-authored-by: Illia Volochii ", + "timestamp": "2023-07-19T17:46:02+03:00", + "tree_id": "e61f50347e7bb803a0c8942ba63fe917c8424f77", + "url": "https://github.com/urllib3/urllib3/commit/c9fa144545eedb5dc4a2cc3f255e95602a1d7db0" }, "organization": { "avatar_url": "https://avatars.githubusercontent.com/u/26825299?v=4", @@ -93,10 +93,10 @@ "url": "https://api.github.com/orgs/urllib3" }, "pusher": { - "email": "quentin.pradet@gmail.com", - "name": "pquentin" + "email": "illia.volochii@gmail.com", + "name": "illia-v" }, - "ref": "refs/tags/2.0.3", + "ref": "refs/tags/2.0.4", "repository": { "allow_forking": true, "archive_url": "https://api.github.com/repos/urllib3/urllib3/{archive_format}{/ref}", @@ -119,8 +119,8 @@ "downloads_url": "https://api.github.com/repos/urllib3/urllib3/downloads", "events_url": "https://api.github.com/repos/urllib3/urllib3/events", "fork": false, - "forks": 1071, - "forks_count": 1071, + "forks": 1078, + "forks_count": 1078, "forks_url": "https://api.github.com/repos/urllib3/urllib3/forks", "full_name": "urllib3/urllib3", "git_commits_url": "https://api.github.com/repos/urllib3/urllib3/git/commits{/sha}", 
@@ -159,8 +159,8 @@ "name": "urllib3", "node_id": "MDEwOlJlcG9zaXRvcnkyNDEwNjc2", "notifications_url": "https://api.github.com/repos/urllib3/urllib3/notifications{?since,all,participating}", - "open_issues": 124, - "open_issues_count": 124, + "open_issues": 125, + "open_issues_count": 125, "organization": "urllib3", "owner": { "avatar_url": "https://avatars.githubusercontent.com/u/26825299?v=4", @@ -186,12 +186,12 @@ }, "private": false, "pulls_url": "https://api.github.com/repos/urllib3/urllib3/pulls{/number}", - "pushed_at": 1686132884, + "pushed_at": 1689779927, "releases_url": "https://api.github.com/repos/urllib3/urllib3/releases{/id}", - "size": 7215, + "size": 7242, "ssh_url": "git@github.com:urllib3/urllib3.git", - "stargazers": 3419, - "stargazers_count": 3419, + "stargazers": 3452, + "stargazers_count": 3452, "stargazers_url": "https://api.github.com/repos/urllib3/urllib3/stargazers", "statuses_url": "https://api.github.com/repos/urllib3/urllib3/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/urllib3/urllib3/subscribers", 
@@ -206,48 +206,48 @@ "urllib3" ], "trees_url": "https://api.github.com/repos/urllib3/urllib3/git/trees{/sha}", - "updated_at": "2023-06-07T06:42:49Z", + "updated_at": "2023-07-19T02:19:14Z", "url": "https://github.com/urllib3/urllib3", "visibility": "public", - "watchers": 3419, - "watchers_count": 3419, + "watchers": 3452, + "watchers_count": 3452, "web_commit_signoff_required": false }, "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/42327?v=4", - "events_url": "https://api.github.com/users/pquentin/events{/privacy}", - "followers_url": "https://api.github.com/users/pquentin/followers", - "following_url": "https://api.github.com/users/pquentin/following{/other_user}", - "gists_url": "https://api.github.com/users/pquentin/gists{/gist_id}", + "avatar_url": "https://avatars.githubusercontent.com/u/17710133?v=4", + "events_url": "https://api.github.com/users/illia-v/events{/privacy}", + "followers_url": "https://api.github.com/users/illia-v/followers", + "following_url": "https://api.github.com/users/illia-v/following{/other_user}", + "gists_url": "https://api.github.com/users/illia-v/gists{/gist_id}", "gravatar_id": "", - "html_url": "https://github.com/pquentin", - "id": 42327, - "login": "pquentin", - "node_id": "MDQ6VXNlcjQyMzI3", - "organizations_url": "https://api.github.com/users/pquentin/orgs", - "received_events_url": "https://api.github.com/users/pquentin/received_events", - "repos_url": "https://api.github.com/users/pquentin/repos", + "html_url": "https://github.com/illia-v", + "id": 17710133, + "login": "illia-v", + "node_id": "MDQ6VXNlcjE3NzEwMTMz", + "organizations_url": "https://api.github.com/users/illia-v/orgs", + "received_events_url": "https://api.github.com/users/illia-v/received_events", + "repos_url": "https://api.github.com/users/illia-v/repos", "site_admin": false, - "starred_url": "https://api.github.com/users/pquentin/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/pquentin/subscriptions", 
+ "starred_url": "https://api.github.com/users/illia-v/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/illia-v/subscriptions", "type": "User", - "url": "https://api.github.com/users/pquentin" + "url": "https://api.github.com/users/illia-v" } }, "github_head_ref": "", - "github_ref": "refs/tags/2.0.3", + "github_ref": "refs/tags/2.0.4", "github_ref_type": "tag", "github_repository_id": "2410676", "github_repository_owner": "urllib3", "github_repository_owner_id": "26825299", "github_run_attempt": "1", - "github_run_id": "5198755918", - "github_run_number": "19", - "github_sha1": "92196a0f08b2c2139117546ccfbdd3429eb72469" + "github_run_id": "5600993171", + "github_run_number": "21", + "github_sha1": "c9fa144545eedb5dc4a2cc3f255e95602a1d7db0" } }, "metadata": { - "buildInvocationID": "5198755918-1", + "buildInvocationID": "5600993171-1", "completeness": { "parameters": true, "environment": false, @@ -257,9 +257,9 @@ }, "materials": [ { - "uri": "git+https://github.com/urllib3/urllib3@refs/tags/2.0.3", + "uri": "git+https://github.com/urllib3/urllib3@refs/tags/2.0.4", "digest": { - "sha1": "92196a0f08b2c2139117546ccfbdd3429eb72469" + "sha1": "c9fa144545eedb5dc4a2cc3f255e95602a1d7db0" } } ] @@ -271,7 +271,7 @@ "checks": { "summary": { "DISABLED": 0, - "FAILED": 2, + "FAILED": 3, "PASSED": 6, "SKIPPED": 0, "UNKNOWN": 1 
@@ -352,10 +352,34 @@ ], "justification": [ "Successfully verified level 3: ", - "verify passed : urllib3-2.0.3-py3-none-any.whl,verify passed : urllib3-2.0.3.tar.gz" + "verify passed : urllib3-2.0.4-py3-none-any.whl,verify passed : urllib3-2.0.4.tar.gz" ], "result_type": "PASSED" }, + { + "check_id": "mcn_version_control_system_1", + "check_description": "Check whether the target repo uses a version control system.", + "slsa_requirements": [ + "Version controlled - SLSA Level 2" + ], + "justification": [ + { + "This is a Git repository": "https://github.com/urllib3/urllib3" + } + ], + "result_type": "PASSED" + }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_provenance_witness_level_one_1", "check_description": "Check whether the target has a level-1 witness provenance.", @@ -370,19 +394,6 @@ ], "result_type": "FAILED" }, - { - "check_id": "mcn_version_control_system_1", - "check_description": "Check whether the target repo uses a version control system.", - "slsa_requirements": [ - "Version controlled - SLSA Level 2" - ], - "justification": [ - { - "This is a Git repository": "https://github.com/urllib3/urllib3" - } - ], - "result_type": "PASSED" - }, { "check_id": "mcn_trusted_builder_level_three_1", "check_description": "Check whether the target uses a trusted SLSA level 3 builder.", @@ -408,10 +419,18 @@ "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, { "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 
@@ -435,10 +454,6 @@
 {
 "check_id": "mcn_build_service_1",
 "num_deps_pass": 0
- },
- {
- "check_id": "mcn_provenance_witness_level_one_1",
- "num_deps_pass": 0
 }
 ],
 "dep_status": []
diff --git a/tests/slsa_analyzer/checks/test_build_as_code_check.py b/tests/slsa_analyzer/checks/test_build_as_code_check.py
index 653e69abf..f07dc45ac 100644
--- a/tests/slsa_analyzer/checks/test_build_as_code_check.py
+++ b/tests/slsa_analyzer/checks/test_build_as_code_check.py
@@ -42,7 +42,14 @@ def test_build_as_code_check(
 """Test the Build As Code Check."""
 check = BuildAsCodeCheck()
 check_result = CheckResult(justification=[], result_tables=[]) # type: ignore
- bash_commands = BashCommands(caller_path="source_file", CI_path="ci_file", CI_type="github_actions", commands=[[]])
+ bash_commands = BashCommands(
+ caller_path="source_file",
+ CI_path="ci_file",
+ CI_type="github_actions",
+ commands=[[]],
+ job_name="job",
+ step_name="step",
+ )
 ci_info = CIInfo(
 service=github_actions_service,
 bash_commands=[bash_commands],
@@ -302,6 +309,8 @@ def test_multibuild_facts_saved(
 CI_path="ci_file",
 CI_type="github_actions",
 commands=[["./gradlew", "publishToSonatype"], ["mvn", "deploy"]],
+ job_name="job",
+ step_name="step",
 )
 check_result = CheckResult(justification=[], result_tables=[]) # type: ignore
 ci_info = CIInfo(
diff --git a/tests/slsa_analyzer/checks/test_build_service_check.py b/tests/slsa_analyzer/checks/test_build_service_check.py
index c615c019e..c633f01d5 100644
--- a/tests/slsa_analyzer/checks/test_build_service_check.py
+++ b/tests/slsa_analyzer/checks/test_build_service_check.py
@@ -58,7 +58,12 @@ def test_build_service_check(self) -> None:
 gitlab_ci.load_defaults()
 
 bash_commands = BashCommands(
- caller_path="source_file", CI_path="ci_file", CI_type="github_actions", commands=[[]]
+ caller_path="source_file",
+ CI_path="ci_file",
+ CI_type="github_actions",
+ commands=[[]],
+ job_name="job",
+ step_name="step",
 )
 ci_info = CIInfo(
 service=github_actions,
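Review bot: The expanded `BashCommands(...)` literal with `job_name="job"` and `step_name="step"` is repeated verbatim in the `@@ -302,6 +309,8 @@` hunk of this file and in both hunks of `tests/slsa_analyzer/checks/test_build_service_check.py`; a conftest-level pytest fixture, or a small helper taking only `commands`, would keep the four call sites from drifting the next time the constructor grows a field. Nothing in these hunks asserts on the two new values, so if `job_name`/`step_name` feed the `jobID`/`stepID` fields that this commit adds to the inferred provenance's `buildConfig` in the expected results, one test that checks they are propagated would cover the new path. The enclosing test functions begin before these hunks.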
@@ -244,6 +249,8 @@ def test_multibuild_facts_saved(self) -> None:
 CI_path="ci_file",
 CI_type="github_actions",
 commands=[["./gradlew", "build"], ["mvn", "package"]],
+ job_name="job",
+ step_name="step",
 )
 ci_info = CIInfo(
 service=github_actions,
diff --git a/tests/slsa_analyzer/checks/test_infer_artifact_pipeline.py b/tests/slsa_analyzer/checks/test_infer_artifact_pipeline.py
new file mode 100644
index 000000000..923b8c7c7
--- /dev/null
+++ b/tests/slsa_analyzer/checks/test_infer_artifact_pipeline.py
@@ -0,0 +1,31 @@
+# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""This module contains tests for the Infer ArtiFact Pipeline check."""
+
+from pathlib import Path
+
+import pytest
+
+from macaron.database.table_definitions import Repository
+from macaron.slsa_analyzer.checks.check_result import CheckResult, CheckResultType
+from macaron.slsa_analyzer.checks.infer_artifact_pipeline_check import InferArtifactPipelineCheck
+from tests.conftest import MockAnalyzeContext
+
+
+@pytest.mark.parametrize(
+ ("repository", "expected"),
+ [
+ (None, CheckResultType.FAILED),
+ (Repository(complete_name="github.com/package-url/purl-spec"), CheckResultType.FAILED),
+ ],
+)
+def test_infer_artifact_pipeline(macaron_path: Path, repository: Repository, expected: str) -> None:
+ """Test that the check handles repositories correctly."""
+ check = InferArtifactPipelineCheck()
+ check_result = CheckResult(justification=[]) # type: ignore
+
+ # Set up the context object with provenances.
+ ctx = MockAnalyzeContext(macaron_path=macaron_path, output_dir="")
+ ctx.component.repository = repository
+ assert check.run_check(ctx, check_result) == expected
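Review bot: Both parametrized cases expect `CheckResultType.FAILED`, so the test cannot distinguish `InferArtifactPipelineCheck` from a check that fails unconditionally; asserting on the justification recorded in `check_result` for each case (the expected results in this commit show distinct messages such as `Unable to find a publishing timestamp for the artifact.`), or adding a case that is expected to pass, would pin the behavior. The annotations are also off: `repository` receives `None` in the first case, so it should be `repository: Repository | None`, and `expected` holds a `CheckResultType`, not a `str`, so `expected: CheckResultType`. The module docstring has a stray capital in `Infer ArtiFact Pipeline`.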