chore: create a new release #476

Merged
merged 14 commits into from
Sep 14, 2023

Conversation

behnazh-w (Member)

No description provided.

timyarkov and others added 14 commits September 8, 2023 10:38
This PR adds support for the detection of Dockerfiles, so as to cover scenarios where Docker gets used as a build tool.

* Docker presence is detected by finding files either named Dockerfile or in the formats *.Dockerfile or Dockerfile.* to cover different naming conventions of dockerfiles, e.g. dev.Dockerfile or like Macaron's own Dockerfile.base and Dockerfile.final. This is defined in defaults.ini under [builder.docker]

* The supported build command keyword is build, and supported deploy command keyword is push, defined in defaults.ini under [builder.docker]

* For CI deploy commands the GitHub action docker/build-push-action is supported, defined in defaults.ini under [builder.docker.ci.deploy]

Signed-off-by: Tim Yarkov <[email protected]>
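The commit message above describes Dockerfile detection by file name and the build/deploy keyword matching. The following is an added example, not Macaron's code: the pattern and keyword lists are my own reading of the conventions the message names (the real values live in Macaron's defaults.ini under [builder.docker]), and the function names are assumptions.

```python
import fnmatch
import shlex
from pathlib import PurePath
from typing import Optional

# Assumed values, modelled on the conventions described in the commit message.
DOCKERFILE_PATTERNS = ("Dockerfile", "*.Dockerfile", "Dockerfile.*")
BUILD_KEYWORDS = {"build"}
DEPLOY_KEYWORDS = {"push"}


def is_dockerfile(path: str) -> bool:
    """True when the file's base name matches one of the Dockerfile naming conventions.

    Matching is case-sensitive, so a lowercase 'dockerfile' is not recognised.
    """
    name = PurePath(path).name
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in DOCKERFILE_PATTERNS)


def find_dockerfiles(paths) -> list:
    """Return the sorted subset of `paths` whose names look like Dockerfiles."""
    return sorted(p for p in paths if is_dockerfile(p))


def classify_docker_command(command: str) -> Optional[str]:
    """Map a shell command line to 'build', 'deploy', or None.

    Only `docker <subcommand> ...` lines are considered; the first token after
    'docker' that is not an option is treated as the subcommand.
    """
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: nothing we can classify
        return None
    if not tokens or PurePath(tokens[0]).name != "docker":
        return None
    subcommand = next((t for t in tokens[1:] if not t.startswith("-")), None)
    if subcommand in BUILD_KEYWORDS:
        return "build"
    if subcommand in DEPLOY_KEYWORDS:
        return "deploy"
    return None


# Constructed sample repository listing for the demonstration below.
SAMPLE_FILES = [
    "Dockerfile", "docker/dev.Dockerfile", "Dockerfile.base", "Dockerfile.final",
    "src/main.py", "README.md", "dockerfile", "Dockerfile.md",
]

if __name__ == "__main__":
    print(find_dockerfiles(SAMPLE_FILES))
    for cmd in ("docker build -t app:1.0 .", "docker push app:1.0", "docker run app:1.0"):
        print(cmd, "->", classify_docker_command(cmd))
```

Note that name-based matching alone is permissive: in the constructed listing `Dockerfile.md` satisfies `Dockerfile.*` and is reported, so a detector that feeds a build-tool decision should treat a match as a candidate to confirm from the file's contents rather than as proof that Docker is the build tool.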
This PR sets `encode=True` to encode qualifiers of a PURL string as a normalized string while converting it to a dictionary and storing it to the SQLite database because SQLite doesn't support dict type.

It also adds exception handling for deserializing a PURL string while initializing a Component instance.

Signed-off-by: behnazh-w <[email protected]>
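To make the two points of the commit message above concrete (a dict of qualifiers cannot be bound to an SQLite column, a normalized qualifier string can, and a bad PURL should be caught when the component is built), here is an added example that is not Macaron's code. A minimal hand-written PURL parser stands in for the packageurl-python library; the table schema, the sample PURL and the function names are assumptions.

```python
import logging
import sqlite3
from typing import Optional
from urllib.parse import parse_qsl, quote, urlencode

logger = logging.getLogger(__name__)

# Assumed schema; Macaron's real table layout is not shown on the page.
SCHEMA = ("CREATE TABLE component (type TEXT, namespace TEXT, name TEXT, "
          "version TEXT, qualifiers TEXT, subpath TEXT)")

# Constructed sample PURL: mixed-case key, a value with ':' and '/', and an empty value.
SAMPLE_PURL = ("pkg:maven/com.example/demo@1.0.0"
               "?Type=jar&repository_url=https://repo.example.org/maven2&classifier=")


class PurlParseError(ValueError):
    """Raised when a string cannot be deserialized as a PURL."""


def parse_purl(purl: str) -> dict:
    """Minimal PURL parser (stand-in for packageurl-python). Qualifiers come back as a dict."""
    if not purl.startswith("pkg:"):
        raise PurlParseError(f"not a PURL: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, subpath = rest.partition("#")
    rest, _, query = rest.partition("?")
    path, _, version = rest.partition("@")
    parts = path.split("/")
    if len(parts) < 2 or not all(parts):
        raise PurlParseError(f"PURL needs a type and a name: {purl!r}")
    qualifiers = {}
    # keep_blank_values=False drops 'key=' pairs with empty values, as the spec requires
    for key, value in parse_qsl(query, keep_blank_values=False):
        key = key.lower()
        if key in qualifiers:
            raise PurlParseError(f"duplicate qualifier {key!r} in {purl!r}")
        qualifiers[key] = value
    return {
        "type": parts[0].lower(),
        "namespace": "/".join(parts[1:-1]) or None,
        "name": parts[-1],
        "version": version or None,
        "qualifiers": qualifiers,
        "subpath": subpath or None,
    }


def normalize_qualifiers(qualifiers: dict) -> Optional[str]:
    """Canonical qualifier string: lowercase keys, sorted, empty values dropped."""
    items = sorted((k.lower(), v) for k, v in qualifiers.items() if v)
    return urlencode(items, safe=":/", quote_via=quote) or None


def purl_to_dict(purl: str, encode: bool = False) -> dict:
    """Like to_dict(encode=...): with encode=True qualifiers become one normalized string."""
    component = parse_purl(purl)
    if encode:
        component["qualifiers"] = normalize_qualifiers(component["qualifiers"])
    return component


def store_component(conn: sqlite3.Connection, purl: str, encode: bool) -> bool:
    """Insert one row; False when sqlite rejects a bound value (a dict is not a supported type)."""
    c = purl_to_dict(purl, encode=encode)
    try:
        conn.execute("INSERT INTO component VALUES (?, ?, ?, ?, ?, ?)",
                     (c["type"], c["namespace"], c["name"], c["version"],
                      c["qualifiers"], c["subpath"]))
    except sqlite3.Error as exc:  # InterfaceError or ProgrammingError depending on Python version
        logger.warning("could not store %s: %s", purl, exc)
        return False
    return True


def component_from_purl(purl: str) -> Optional[dict]:
    """Build a component, returning None instead of propagating a deserialization failure."""
    try:
        return purl_to_dict(purl, encode=True)
    except PurlParseError as exc:
        logger.error("invalid PURL %r: %s", purl, exc)
        return None


def demo() -> tuple:
    """Store the sample PURL once unencoded and once encoded; returns (ok_unencoded, ok_encoded)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return (store_component(conn, SAMPLE_PURL, encode=False),
            store_component(conn, SAMPLE_PURL, encode=True))


if __name__ == "__main__":
    print(purl_to_dict(SAMPLE_PURL, encode=True)["qualifiers"])
    print(demo())
    print(component_from_purl("not-a-purl"))
```

The unencoded insert fails because the qualifiers value is a dict, which the sqlite3 module cannot bind; the encoded insert stores `repository_url=https://repo.example.org/maven2&type=jar`, a deterministic string that can also be compared and indexed, which a dict serialized ad hoc could not guarantee.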
…467)

If a repository is not available for an artifact/analysis target identified by a PURL string, the `mcn_provenance_available_1` check throws an exception.

This PR fixes this bug by checking if the repository is available before running the check.

Signed-off-by: behnazh-w <[email protected]>
The micronaut-core release is generating provenances again and our provenance checks pass now. This PR updates the expected result for micronaut-core.

Signed-off-by: behnazh-w <[email protected]>
…find the check result (#473)

This PR fixes the following bug in the policy engine:

Bug description: the policy test failed to apply the policy because it was using the `repo_id` instead of the `component_id`, and the related check result could not be found by the policy engine.

Signed-off-by: behnazh-w <[email protected]>
… list (#459)

GitPython 3.1.35 fixes CVE-2023-40590 and CVE-2023-41040. This PR removes these CVEs from the pip-audit ignore list.

See https://github.com/gitpython-developers/GitPython/releases/tag/3.1.35

Signed-off-by: behnazh-w <[email protected]>
This PR adds a new check, `mcn_infer_artifact_pipeline_1`, to detect a potential pipeline from which an artifact is published.

When a verifiable provenance is found for an artifact, the result of this check can be discarded. Otherwise, we check whether a CI workflow run has automatically published the artifact.

This check supports Maven artifacts built using Gradle or Maven and published on Maven Central only. Support for other registries and ecosystems will be added in the future.

Signed-off-by: behnazh-w <[email protected]>
@behnazh-w behnazh-w requested a review from tromai as a code owner September 14, 2023 05:01
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Sep 14, 2023
@behnazh-w behnazh-w merged commit 5e9dced into main Sep 14, 2023
Labels: OCA Verified (All contributors have signed the Oracle Contributor Agreement.)
4 participants