
Commit 96de341

feat: pnpm added to npm spec
Signed-off-by: Tim Yarkov <[email protected]>
1 parent 754cb1c commit 96de341


4 files changed

+270
-3
lines changed


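--- a/scripts/dev_scripts/integration_tests.sh
+++ b/scripts/dev_scripts/integration_tests.sh
@@ -110,6 +110,16 @@ $RUN_MACARON analyze -rp https://github.com/uiv-lib/uiv -b dev -d 057b25b4db0913
 
 python $COMPARE_JSON_OUT $JSON_RESULT $JSON_EXPECTED || log_fail
 
+echo -e "\n----------------------------------------------------------------------------------"
+echo "onu-ui/onu-ui: Analysing the repo path, the branch name and the commit digest for a pnpm project,"
+echo "skipping dependency resolution."
+echo -e "----------------------------------------------------------------------------------\n"
+JSON_EXPECTED=$WORKSPACE/tests/e2e/expected_results/onu-ui/onu-ui.json
+JSON_RESULT=$WORKSPACE/output/reports/github_com/onu-ui/onu-ui/onu-ui.json
+$RUN_MACARON analyze -rp https://github.com/onu-ui/onu-ui -b main -d e3f2825c3940002a920d65476116a64684b3d95e --skip-deps || log_fail
+
+python $COMPARE_JSON_OUT $JSON_RESULT $JSON_EXPECTED || log_fail
+
 echo -e "\n----------------------------------------------------------------------------------"
 echo "facebook/yoga: Analysing the repo path, the branch name and the commit digest for a Yarn classic"
 echo "project, skipping dependency resolution."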
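Review bot: The only pnpm end-to-end case this commit adds runs with `--skip-deps` (line 119 of the new block), so the `pnpm-lock.yaml` entry this same commit adds to `package_lock` in defaults.ini is never exercised by the integration suite. If that lockfile is meant to feed dependency resolution for pnpm projects, a second case without `--skip-deps` (or a unit test over the lockfile reader) would be needed to show it is actually parsed rather than merely listed; if dependency resolution for pnpm is intentionally out of scope for now, a comment on the echo line saying so, e.g. `# pnpm dependency resolution is not yet covered; --skip-deps keeps this case to build-tool detection.`, would stop the gap being read as an oversight. The surrounding script continues outside the hunk.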

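--- a/src/macaron/config/defaults.ini
+++ b/src/macaron/config/defaults.ini
@@ -319,15 +319,19 @@ github_actions =
 docker/build-push-action
 
 # This is the spec for trusted NPM build tool usages.
+# This also includes the spec for pnpm, since for the purposes of this program
+# they work more or less the same.
 [builder.npm]
 entry_conf =
 .npmrc
 build_configs =
 package.json
 package_lock =
 package-lock.json
+pnpm-lock.yaml
 builder =
 npm
+pnpm
 # Build args not defined since npm build is just a plumbing command https://docs.npmjs.com/cli/v6/commands/npm-build
 # and SLSA v1.0 removes the scripted build requirement https://slsa.dev/spec/v1.0/requirements
 build_arg =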
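Review bot: The new comment on lines 322–323 says pnpm "work[s] more or less the same" without stating what the spec actually shares and where it differs, which is exactly what someone tuning this trusted-builder section needs to know. I would replace those two lines with `# pnpm projects are covered by this spec as well: they share package.json and .npmrc with npm,` and `# and differ only in the lockfile name (pnpm-lock.yaml) and the executable name (pnpm).`, so the two added entries below are explained by the comment rather than left to be discovered. pnpm also keeps its workspace layout in pnpm-workspace.yaml; if build-tool detection keys on `build_configs`, that file is presumably worth listing here too, but confirm how `is_detected` uses this list before adding it.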

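--- a/src/macaron/slsa_analyzer/build_tool/npm.py
+++ b/src/macaron/slsa_analyzer/build_tool/npm.py
@@ -3,7 +3,7 @@
 
 """This module contains the NPM class which inherits BaseBuildTool.
 
-This module is used to work with repositories that use NPM as its
+This module is used to work with repositories that use npm/pnpm as its
 build tool.
 """
 
@@ -13,7 +13,7 @@
 
 
 class NPM(BaseBuildTool):
-"""This class contains the information of the NPM build tool."""
+"""This class contains the information of the npm/pnpm build tool."""
 
 def __init__(self) -> None:
 super().__init__(name="npm")
@@ -56,7 +56,7 @@ def is_detected(self, repo_path: str) -> bool:
 def prepare_config_files(self, wrapper_path: str, build_dir: str) -> bool:
 """Prepare the necessary wrapper files for running the build.
 
-NPM doesn't require preparation, so return true.
+npm/pnpm doesn't require preparation, so return true.
 
 Parameters
 ----------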
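Review bot: The class docstring on line 16 now advertises npm/pnpm, but the constructor on line 19 still registers the tool as `name="npm"`, so a pnpm project is reported under the npm name — the expected-results fixture added in this same commit shows a `pnpm -r publish` deploy command justified as "uses build tool npm to deploy" — and the docstring should say that rather than leave it implied. I would make the class docstring `"""Build tool handler for npm, which also covers pnpm: both share package.json and .npmrc, and both are registered under the single name "npm", so reports name the tool npm even when the deploy command is pnpm."""`. In the third hunk, `npm/pnpm doesn't require preparation` is awkward; `Neither npm nor pnpm requires preparation, so return true.` reads cleanly. Both `__init__` and `prepare_config_files` continue outside the hunks shown.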
Lines changed: 253 additions & 0 deletions
@@ -0,0 +1,253 @@
1+
{
2+
"metadata": {
3+
"timestamps": "2023-09-30 15:56:04"
4+
},
5+
"target": {
6+
"info": {
7+
"full_name": "pkg:github.com/onu-ui/onu-ui@e3f2825c3940002a920d65476116a64684b3d95e",
8+
"local_cloned_path": "git_repos/github_com/onu-ui/onu-ui",
9+
"remote_path": "https://github.com/onu-ui/onu-ui",
10+
"branch": "main",
11+
"commit_hash": "e3f2825c3940002a920d65476116a64684b3d95e",
12+
"commit_date": "2023-09-29T19:41:13+08:00"
13+
},
14+
"provenances": {
15+
"is_inferred": true,
16+
"content": {
17+
"github_actions": [
18+
{
19+
"_type": "https://in-toto.io/Statement/v0.1",
20+
"subject": [],
21+
"predicateType": "https://slsa.dev/provenance/v0.2",
22+
"predicate": {
23+
"builder": {
24+
"id": "https://github.com/onu-ui/onu-ui/blob/e3f2825c3940002a920d65476116a64684b3d95e/.github/workflows/release.yml"
25+
},
26+
"buildType": "Custom github_actions",
27+
"invocation": {
28+
"configSource": {
29+
"uri": "https://github.com/onu-ui/onu-ui@refs/heads/main",
30+
"digest": {
31+
"sha1": "e3f2825c3940002a920d65476116a64684b3d95e"
32+
},
33+
"entryPoint": "https://github.com/onu-ui/onu-ui/blob/e3f2825c3940002a920d65476116a64684b3d95e/.github/workflows/release.yml"
34+
},
35+
"parameters": {},
36+
"environment": {}
37+
},
38+
"buildConfig": {
39+
"jobID": "release",
40+
"stepID": "Publish to npm"
41+
},
42+
"metadata": {
43+
"buildInvocationId": "",
44+
"buildStartedOn": "<TIMESTAMP>",
45+
"buildFinishedOn": "<TIMESTAMP>",
46+
"completeness": {
47+
"parameters": "false",
48+
"environment": "false",
49+
"materials": "false"
50+
},
51+
"reproducible": "false"
52+
},
53+
"materials": [
54+
{
55+
"uri": "<URI>",
56+
"digest": {}
57+
}
58+
]
59+
}
60+
}
61+
]
62+
}
63+
},
64+
"checks": {
65+
"summary": {
66+
"DISABLED": 0,
67+
"FAILED": 6,
68+
"PASSED": 4,
69+
"SKIPPED": 0,
70+
"UNKNOWN": 0
71+
},
72+
"results": [
73+
{
74+
"check_id": "mcn_build_as_code_1",
75+
"check_description": "The build definition and configuration executed by the build service is verifiably derived from text file definitions stored in a version control system.",
76+
"slsa_requirements": [
77+
"Build as code - SLSA Level 3"
78+
],
79+
"justification": [
80+
{
81+
"The target repository uses build tool npm to deploy": "https://github.com/onu-ui/onu-ui/blob/e3f2825c3940002a920d65476116a64684b3d95e/.github/workflows/release.yml",
82+
"The build is triggered by": "https://github.com/onu-ui/onu-ui/blob/e3f2825c3940002a920d65476116a64684b3d95e/.github/workflows/release.yml"
83+
},
84+
"Deploy command: ['pnpm', '-r', 'publish', '--access', 'public', '--no-git-checks']",
85+
"However, could not find a passing workflow run.",
86+
"The target repository does not use yarn to deploy."
87+
],
88+
"result_type": "PASSED"
89+
},
90+
{
91+
"check_id": "mcn_build_script_1",
92+
"check_description": "Check if the target repo has a valid build script.",
93+
"slsa_requirements": [
94+
"Scripted Build - SLSA Level 1"
95+
],
96+
"justification": [
97+
"Check mcn_build_script_1 is set to PASSED because mcn_build_service_1 PASSED."
98+
],
99+
"result_type": "PASSED"
100+
},
101+
{
102+
"check_id": "mcn_build_service_1",
103+
"check_description": "Check if the target repo has a valid build service.",
104+
"slsa_requirements": [
105+
"Build service - SLSA Level 2"
106+
],
107+
"justification": [
108+
"Check mcn_build_service_1 is set to PASSED because mcn_build_as_code_1 PASSED."
109+
],
110+
"result_type": "PASSED"
111+
},
112+
{
113+
"check_id": "mcn_version_control_system_1",
114+
"check_description": "Check whether the target repo uses a version control system.",
115+
"slsa_requirements": [
116+
"Version controlled - SLSA Level 2"
117+
],
118+
"justification": [
119+
{
120+
"This is a Git repository": "https://github.com/onu-ui/onu-ui"
121+
}
122+
],
123+
"result_type": "PASSED"
124+
},
125+
{
126+
"check_id": "mcn_infer_artifact_pipeline_1",
127+
"check_description": "Detects potential pipelines from which an artifact is published.",
128+
"slsa_requirements": [
129+
"Build as code - SLSA Level 3"
130+
],
131+
"justification": [
132+
"Unable to find a publishing timestamp for the artifact."
133+
],
134+
"result_type": "FAILED"
135+
},
136+
{
137+
"check_id": "mcn_provenance_available_1",
138+
"check_description": "Check whether the target has intoto provenance.",
139+
"slsa_requirements": [
140+
"Provenance - Available - SLSA Level 1",
141+
"Provenance content - Identifies build instructions - SLSA Level 1",
142+
"Provenance content - Identifies artifacts - SLSA Level 1",
143+
"Provenance content - Identifies builder - SLSA Level 1"
144+
],
145+
"justification": [
146+
"Could not find any SLSA or Witness provenances."
147+
],
148+
"result_type": "FAILED"
149+
},
150+
{
151+
"check_id": "mcn_provenance_expectation_1",
152+
"check_description": "Check whether the SLSA provenance for the produced artifact conforms to the expected value.",
153+
"slsa_requirements": [
154+
"Provenance conforms with expectations - SLSA Level 3"
155+
],
156+
"justification": [
157+
"Check mcn_provenance_expectation_1 is set to FAILED because mcn_provenance_available_1 FAILED."
158+
],
159+
"result_type": "FAILED"
160+
},
161+
{
162+
"check_id": "mcn_provenance_level_three_1",
163+
"check_description": "Check whether the target has SLSA provenance level 3.",
164+
"slsa_requirements": [
165+
"Provenance - Non falsifiable - SLSA Level 3",
166+
"Provenance content - Includes all build parameters - SLSA Level 3",
167+
"Provenance content - Identifies entry point - SLSA Level 3",
168+
"Provenance content - Identifies source code - SLSA Level 2"
169+
],
170+
"justification": [
171+
"Check mcn_provenance_level_three_1 is set to FAILED because mcn_provenance_available_1 FAILED."
172+
],
173+
"result_type": "FAILED"
174+
},
175+
{
176+
"check_id": "mcn_provenance_witness_level_one_1",
177+
"check_description": "Check whether the target has a level-1 witness provenance.",
178+
"slsa_requirements": [
179+
"Provenance - Available - SLSA Level 1",
180+
"Provenance content - Identifies build instructions - SLSA Level 1",
181+
"Provenance content - Identifies artifacts - SLSA Level 1",
182+
"Provenance content - Identifies builder - SLSA Level 1"
183+
],
184+
"justification": [
185+
"Check mcn_provenance_witness_level_one_1 is set to FAILED because mcn_provenance_available_1 FAILED."
186+
],
187+
"result_type": "FAILED"
188+
},
189+
{
190+
"check_id": "mcn_trusted_builder_level_three_1",
191+
"check_description": "Check whether the target uses a trusted SLSA level 3 builder.",
192+
"slsa_requirements": [
193+
"Hermetic - SLSA Level 4",
194+
"Isolated - SLSA Level 3",
195+
"Parameterless - SLSA Level 4",
196+
"Ephemeral environment - SLSA Level 3"
197+
],
198+
"justification": [
199+
"Could not find a trusted level 3 builder as a GitHub Actions workflow."
200+
],
201+
"result_type": "FAILED"
202+
}
203+
]
204+
}
205+
},
206+
"dependencies": {
207+
"analyzed_deps": 0,
208+
"unique_dep_repos": 0,
209+
"checks_summary": [
210+
{
211+
"check_id": "mcn_infer_artifact_pipeline_1",
212+
"num_deps_pass": 0
213+
},
214+
{
215+
"check_id": "mcn_build_script_1",
216+
"num_deps_pass": 0
217+
},
218+
{
219+
"check_id": "mcn_version_control_system_1",
220+
"num_deps_pass": 0
221+
},
222+
{
223+
"check_id": "mcn_build_service_1",
224+
"num_deps_pass": 0
225+
},
226+
{
227+
"check_id": "mcn_trusted_builder_level_three_1",
228+
"num_deps_pass": 0
229+
},
230+
{
231+
"check_id": "mcn_provenance_witness_level_one_1",
232+
"num_deps_pass": 0
233+
},
234+
{
235+
"check_id": "mcn_provenance_available_1",
236+
"num_deps_pass": 0
237+
},
238+
{
239+
"check_id": "mcn_build_as_code_1",
240+
"num_deps_pass": 0
241+
},
242+
{
243+
"check_id": "mcn_provenance_level_three_1",
244+
"num_deps_pass": 0
245+
},
246+
{
247+
"check_id": "mcn_provenance_expectation_1",
248+
"num_deps_pass": 0
249+
}
250+
],
251+
"dep_status": []
252+
}
253+
}
