oracle · behnazh-w · Sep 14, 2023 · Sep 8, 2023 · Sep 8, 2023 · Sep 12, 2023
@@ -52,7 +52,7 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       with:
         fetch-depth: 0
 
@@ -129,7 +129,7 @@ jobs:
     # Currently reusable workflows do not support setting strategy property from the caller workflow.
     - name: Upload the package artifact for debugging and release
       if: matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
-      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
         name: artifact-${{ matrix.os }}-python-${{ matrix.python }}
         path: dist

@@ -27,7 +27,7 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       with:
         fetch-depth: 0
 

@@ -30,7 +30,7 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       with:
         fetch-depth: 0
 

@@ -36,7 +36,7 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       with:
         fetch-depth: 0
         token: ${{ secrets.REPO_ACCESS_TOKEN }}

@@ -19,7 +19,7 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       with:
         fetch-depth: 0
 

@@ -37,7 +37,7 @@ jobs:
     steps:
 
     - name: Checkout repository
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
 
     - name: Set up Python
       uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0

@@ -25,7 +25,7 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       with:
         fetch-depth: 0
 

@@ -39,7 +39,7 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       with:
         fetch-depth: 0
         token: ${{ secrets.REPO_ACCESS_TOKEN }}
@@ -115,7 +115,7 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       with:
         fetch-depth: 0
 
@@ -305,7 +305,7 @@ jobs:
   #   steps:
 
   #   - name: Check out repository
-  #     uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+  #     uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
   #     with:
   #       fetch-depth: 0
 

@@ -29,7 +29,7 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       with:
         persist-credentials: false
 
@@ -49,7 +49,7 @@ jobs:
 
     # Upload the results as artifacts (optional).
     - name: Upload artifact
-      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
         name: SARIF file
         path: results.sarif

@@ -225,19 +225,12 @@ requirements.txt: pyproject.toml
 # editable mode (like the one in development here) because they may not have
 # a PyPI entry; also print out CVE description and potential fixes if audit
 # found an issue.
-# TODO: do not ignore CVE-2023-40590 once the patch is out.
-# This CVE does not affect Macaron because we do not support Windows systems.
-# See: https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-wfm5-v35h-vwf4
-# TODO: do not ignore CVE-2023-41040 once the patch is out.
-# Macaron is not affected by this CVE because it does not call the problematic functions like `commit`
-# and sanitizes arguments before calling GitPython APIs.
-# See: https://osv.dev/vulnerability/GHSA-cwvm-v4w8-q58c
 .PHONY: audit
 audit:
 	if ! $$(python -c "import pip_audit" &> /dev/null); then \
 	  echo "No package pip_audit installed, upgrade your environment!" && exit 1; \
 	fi;
-	python -m pip_audit --skip-editable --desc on --fix --dry-run --ignore-vuln CVE-2023-40590 --ignore-vuln CVE-2023-41040
+	python -m pip_audit --skip-editable --desc on --fix --dry-run
 
 # Run some or all checks over the package code base.
 .PHONY: check check-code check-bandit check-flake8 check-lint check-mypy check-go check-actionlint

@@ -9,6 +9,7 @@
 
 .. References/links
 .. _Witness: https://github.com/testifysec/witness
+.. _SLSA: https://slsa.dev
 
 =====================
 Macaron documentation
@@ -40,6 +41,8 @@ To start with Macaron, see the :doc:`Installation </pages/installation>` and :do
 
 For all services and technologies that Macaron supports, see the :doc:`Supported Technologies </pages/supported_technologies/index>` page.
 
+.. _checks:
+
 -------------------------
 Current checks in Macaron
 -------------------------
@@ -61,7 +64,7 @@ the requirements that are currently supported by Macaron.
      - Identify and validate build script(s).
    * - 1
      - **Provenance available** - Provenances are available.
-     - Check for existence of provenances, which can be SLSA or `Witness`_ provenances. If there is no provenance, the repo can still be compliant to level 1 given the build script is available.
+     - Check for existence of provenances, which can be `SLSA`_ or `Witness`_ provenances. If there is no provenance, the repo can still be compliant to level 1 given the build script is available.
    * - 1
      - **Witness provenance** - One or more `Witness`_ provenances are discovered.
      - Check for existence of `Witness`_ provenances, and whether artifact digests match those in the provenances.
@@ -74,6 +77,9 @@ the requirements that are currently supported by Macaron.
    * - 3
      - **Build as code** - If a trusted builder is not present, this requirement determines that the build definition and configuration executed by the build service is verifiably derived from text file definitions stored in a version control system.
      - Identify and validate the CI service(s) used to build and deploy/publish an artifact.
+   * - 3
+     - **Infer artifact publish pipeline** - When a provenance is not available, checks whether a CI workflow run has automatically published the artifact.
+     - Identify a workflow run that has triggered the deploy step determined by the ``Build as code`` check.
    * - 3
      - **Provenance Level three** - Check whether the target has SLSA provenance level 3.
      - Use the `slsa-verifier <https://github.com/slsa-framework/slsa-verifier>`_ to attest to the subjects in the SLSA provenance that accompanies an artifact.
@@ -103,7 +109,8 @@ intermediate representations as abstractions. Using such abstractions, Macaron i
 
    pages/installation
    pages/using
-   pages/output_files
    pages/cli_usage/index
+   pages/tutorials/index
+   pages/output_files
    pages/supported_technologies/index
    pages/developers_guide/index
@@ -49,6 +49,14 @@ macaron.slsa\_analyzer.checks.check\_result module
    :undoc-members:
    :show-inheritance:
 
+macaron.slsa\_analyzer.checks.infer\_artifact\_pipeline\_check module
+---------------------------------------------------------------------
+
+.. automodule:: macaron.slsa_analyzer.checks.infer_artifact_pipeline_check
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
 macaron.slsa\_analyzer.checks.provenance\_available\_check module
 -----------------------------------------------------------------
 

@@ -17,6 +17,14 @@ macaron.slsa\_analyzer.package\_registry.jfrog\_maven\_registry module
    :undoc-members:
    :show-inheritance:
 
+macaron.slsa\_analyzer.package\_registry.maven\_central\_registry module
+------------------------------------------------------------------------
+
+.. automodule:: macaron.slsa_analyzer.package_registry.maven_central_registry
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
 macaron.slsa\_analyzer.package\_registry.package\_registry module
 -----------------------------------------------------------------
 

@@ -41,6 +41,9 @@ Package Registries
    * - `JFrog Artifactory <https://jfrog.com/artifactory>`_
      - Only projects built with Gradle and publishing to a JFrog Artifactory repo following `Maven layout <https://maven.apache.org/repository/layout.html>`_
      - :doc:`page </pages/supported_technologies/jfrog>`
+   * - `Maven Central Artifactory <https://central.sonatype.com>`_
+     - Only projects built with Gradle or Maven and published to the Maven Central Artifactory.
+     - :doc:`page </pages/supported_technologies/maven_central>`
 
 -----------
 Provenances
@@ -70,3 +73,4 @@ See also
 
    jfrog
    witness
+   maven_central
@@ -0,0 +1,6 @@
+.. Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+.. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+=============
+Maven Central
+=============