chore: address PR comments

Signed-off-by: behnazh-w <[email protected]>

src/macaron/repo_finder/provenance_extractor.py

@@ -412,9 +412,6 @@ class SLSAGithubGenericBuildDefinitionV01(ProvenanceBuildDefinition):
     def get_build_invocation(self, statement: InTotoV01Statement | InTotoV1Statement) -> tuple[str | None, str | None]:
         """Retrieve the build invocation information from the given statement.
 
-        This method is intended to be implemented by subclasses to extract
-        specific invocation details from a provenance statement.
-
         Parameters
         ----------
         statement : InTotoV1Statement | InTotoV01Statement
@@ -456,9 +453,6 @@ class SLSAGithubActionsBuildDefinitionV1(ProvenanceBuildDefinition):
     def get_build_invocation(self, statement: InTotoV01Statement | InTotoV1Statement) -> tuple[str | None, str | None]:
         """Retrieve the build invocation information from the given statement.
 
-        This method is intended to be implemented by subclasses to extract
-        specific invocation details from a provenance statement.
-
         Parameters
         ----------
         statement : InTotoV1Statement | InTotoV01Statement
@@ -496,9 +490,6 @@ class SLSANPMCLIBuildDefinitionV2(ProvenanceBuildDefinition):
     def get_build_invocation(self, statement: InTotoV01Statement | InTotoV1Statement) -> tuple[str | None, str | None]:
         """Retrieve the build invocation information from the given statement.
 
-        This method is intended to be implemented by subclasses to extract
-        specific invocation details from a provenance statement.
-
         Parameters
         ----------
         statement : InTotoV1Statement | InTotoV01Statement
@@ -540,9 +531,6 @@ class SLSAGCBBuildDefinitionV1(ProvenanceBuildDefinition):
     def get_build_invocation(self, statement: InTotoV01Statement | InTotoV1Statement) -> tuple[str | None, str | None]:
         """Retrieve the build invocation information from the given statement.
 
-        This method is intended to be implemented by subclasses to extract
-        specific invocation details from a provenance statement.
-
         Parameters
         ----------
         statement : InTotoV1Statement | InTotoV01Statement
@@ -576,9 +564,6 @@ class SLSAOCIBuildDefinitionV1(ProvenanceBuildDefinition):
     def get_build_invocation(self, statement: InTotoV01Statement | InTotoV1Statement) -> tuple[str | None, str | None]:
         """Retrieve the build invocation information from the given statement.
 
-        This method is intended to be implemented by subclasses to extract
-        specific invocation details from a provenance statement.
-
         Parameters
         ----------
         statement : InTotoV1Statement | InTotoV01Statement
@@ -613,9 +598,6 @@ class WitnessGitLabBuildDefinitionV01(ProvenanceBuildDefinition):
     def get_build_invocation(self, statement: InTotoV01Statement | InTotoV1Statement) -> tuple[str | None, str | None]:
         """Retrieve the build invocation information from the given statement.
 
-        This method is intended to be implemented by subclasses to extract
-        specific invocation details from a provenance statement.
-
         Parameters
         ----------
         statement : InTotoV1Statement | InTotoV01Statement
@@ -666,6 +648,7 @@ def get_build_type(statement: InTotoV1Statement | InTotoV01Statement) -> str | N
         if statement["predicate"] is None:
             return None
 
+        # Different build provenances might store the buildType field in different sections.
         if build_type := json_extract(statement["predicate"], ["buildType"], str):
             return build_type
 
@@ -695,6 +678,9 @@ def find_build_def(statement: InTotoV01Statement | InTotoV1Statement) -> Provena
             Raised when the build definition cannot be found in the provenance statement.
         """
         build_type = ProvenancePredicate.get_build_type(statement)
+        if build_type is None:
+            raise ProvenanceError("Unable to find buildType in the provenance statement.")
+
         build_defs: list[ProvenanceBuildDefinition] = [
             SLSAGithubGenericBuildDefinitionV01(),
             SLSAGithubActionsBuildDefinitionV1(),

src/macaron/repo_finder/repo_finder_deps_dev.py

@@ -125,7 +125,7 @@ def _create_urls(self, purl: PackageURL) -> list[str]:
             The list of created URLs.
         """
         # See https://docs.deps.dev/api/v3alpha/
-        base_url = f"https://api.deps.dev/v3alpha/purl/{encode(str(purl)).replace('/', '%2F')}"
+        base_url = f"https://api.deps.dev/v3alpha/purl/{encode(str(purl), safe='')}"
 
         if not base_url:
             return []

src/macaron/slsa_analyzer/checks/build_as_code_check.py

@@ -169,7 +169,7 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
                                 job = callee.caller
 
                                 # We always expect the caller of the node that calls a third-party
-                                # or Reusable GitHub Action to be be a GitHubJobNode.
+                                # or Reusable GitHub Action to be a GitHubJobNode.
                                 if not isinstance(job, GitHubJobNode):
                                     continue
 

src/macaron/slsa_analyzer/ci_service/github_actions/github_actions_ci.py

@@ -451,7 +451,7 @@ def workflow_run_deleted(self, timestamp: datetime) -> bool:
         # TODO: change this check if this issue is resolved:
         # https://github.com/orgs/community/discussions/138249
         if datetime.now(timezone.utc) - timedelta(days=400) > timestamp:
-            logger.debug("Artifact published at %s is older than 410 days.", timestamp)
+            logger.debug("Artifact published at %s is older than 400 days.", timestamp)
             return True
 
         return False

src/macaron/slsa_analyzer/package_registry/maven_central_registry.py

@@ -214,6 +214,10 @@ def find_publish_timestamp(self, purl: str, registry_url: str | None = None) ->
             purl_object = PackageURL.from_string(purl)
         except ValueError as error:
             logger.debug("Could not parse PURL: %s", error)
+
+        if not purl_object.version:
+            raise InvalidHTTPResponseError("The PackageURL of the software component misses version.")
+
         query_params = [f"q=g:{purl_object.namespace}", f"a:{purl_object.name}", f"v:{purl_object.version}"]
 
         try:
@@ -230,7 +234,7 @@ def find_publish_timestamp(self, purl: str, registry_url: str | None = None) ->
             raise InvalidHTTPResponseError("Failed to construct the search URL for Maven Central.") from error
 
         response = send_get_http_raw(url, headers=None, timeout=self.request_timeout)
-        if response and response.status_code == 200:
+        if response:
             try:
                 res_obj = response.json()
             except requests.exceptions.JSONDecodeError as error:

src/macaron/slsa_analyzer/package_registry/package_registry.py

@@ -88,7 +88,7 @@ def find_publish_timestamp(self, purl: str, registry_url: str | None = None) ->
         # is available for subsequent processing.
 
         base_url_parsed = urllib.parse.urlparse(registry_url or "https://api.deps.dev")
-        path_params = "/".join(["v3alpha", "purl", encode(purl).replace("/", "%2F")])
+        path_params = "/".join(["v3alpha", "purl", encode(purl, safe="")])
         try:
             url = urllib.parse.urlunsplit(
                 urllib.parse.SplitResult(
@@ -118,8 +118,8 @@ def find_publish_timestamp(self, purl: str, registry_url: str | None = None) ->
             logger.debug("Found timestamp: %s.", timestamp)
 
             try:
-                return datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
-            except (OverflowError, OSError) as error:
+                return datetime.fromisoformat(timestamp)
+            except ValueError as error:
                 raise InvalidHTTPResponseError(f"The timestamp returned by {url} is invalid") from error
 
         raise InvalidHTTPResponseError(f"Invalid response from deps.dev for {url}.")