feat: sub-argument matching for arguments in build as code and build service

Signed-off-by: Tim Yarkov <[email protected]>

Author: timyarkov

src/macaron/slsa_analyzer/checks/build_as_code_check.py

@@ -120,11 +120,27 @@ def _has_deploy_command(self, commands: list[list[str]], build_tool: BaseBuildTo
                     logger.info("No deploy arguments required. Accept %s as deploy command.", str(com))
                     return str(com)
 
-                for word in com[(prog_name_index + 1) :]:
+                for i, word in enumerate(com[(prog_name_index + 1) :]):
                     # TODO: allow plugin versions in arguments, e.g., maven-plugin:1.6.8:deploy.
                     if word in build_tool.deploy_arg:
                         logger.info("Found deploy command %s.", str(com))
                         return str(com)
+
+                    # Check all required deploy arguments match
+                    for arg in build_tool.deploy_arg:
+                        match = True
+
+                        for deploy_sub, com_sub in zip(com[i + 1 :], arg.split(" ")):
+                            if deploy_sub != com_sub:
+                                match = False
+                                break
+
+                        if match:
+                            logger.info("Found deploy command %s.", str(com))
+                            return str(com)
+
+                return ""
+
         return ""
 
     def _check_build_tool(

src/macaron/slsa_analyzer/checks/build_service_check.py

@@ -110,11 +110,27 @@ def _has_build_command(self, commands: list[list[str]], build_tool: BaseBuildToo
                 if not build_tool.build_arg:
                     logger.info("No build arguments required. Accept %s as build command.", str(com))
                     return str(com)
-                for word in com[(prog_name_index + 1) :]:
-                    # TODO: allow plugin versions in arguments, e.g., maven-plugin:1.6.8:package.
+
+                for i, word in enumerate(com[(prog_name_index + 1) :]):
+                    # TODO: allow plugin versions in arguments, e.g., maven-plugin:1.6.8:deploy.
                     if word in build_tool.build_arg:
-                        logger.info("Found build command %s.", str(com))
+                        logger.info("Found deploy command %s.", str(com))
                         return str(com)
+
+                    # Check all required deploy arguments match
+                    for arg in build_tool.build_arg:
+                        match = True
+
+                        for build_sub, com_sub in zip(com[i + 1 :], arg.split(" ")):
+                            if build_sub != com_sub:
+                                match = False
+                                break
+
+                        if match:
+                            logger.info("Found deploy command %s.", str(com))
+                            return str(com)
+
+                return ""
         return ""
 
     def _check_build_tool(

tests/slsa_analyzer/checks/test_build_as_code_check.py

@@ -16,6 +16,7 @@
 from macaron.slsa_analyzer.build_tool.maven import Maven
 from macaron.slsa_analyzer.build_tool.pip import Pip
 from macaron.slsa_analyzer.build_tool.poetry import Poetry
+from macaron.slsa_analyzer.build_tool.yarn import Yarn
 from macaron.slsa_analyzer.checks.build_as_code_check import BuildAsCodeCheck
 from macaron.slsa_analyzer.checks.check_result import CheckResult, CheckResultType
 from macaron.slsa_analyzer.ci_service.circleci import CircleCI
@@ -33,6 +34,7 @@ def test_build_as_code_check(
     gradle_tool: Gradle,
     poetry_tool: Poetry,
     pip_tool: Pip,
+    yarn_tool: Yarn,
     github_actions_service: GitHubActions,
     jenkins_service: Jenkins,
     travis_service: Travis,
@@ -187,6 +189,13 @@ def test_build_as_code_check(
     multi_deploy.dynamic_data["ci_services"] = [ci_info]
     assert check.run_check(multi_deploy, check_result) == CheckResultType.PASSED
 
+    # Using Yarn with multi-word deploy command
+    multi_deploy = MockAnalyzeContext(macaron_path=macaron_path, output_dir="")
+    multi_deploy.dynamic_data["build_spec"]["tools"] = [yarn_tool]
+    bash_commands["commands"] = [["yarn", "npm", "publish"]]
+    multi_deploy.dynamic_data["ci_services"] = [ci_info]
+    assert check.run_check(multi_deploy, check_result) == CheckResultType.PASSED
+
     # Using both gradle and maven, but maven incorrect (singular failure in a list)
     multi_deploy = MockAnalyzeContext(macaron_path=macaron_path, output_dir="")
     multi_deploy.dynamic_data["build_spec"]["tools"] = [gradle_tool, maven_tool]