generated from oracle/template-repo
-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
refactor: accept provenance data in artifact pipeline check #872
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
oracle-contributor-agreement
bot
added
the
OCA Verified
All contributors have signed the Oracle Contributor Agreement.
label
Sep 27, 2024
behnazh-w
force-pushed
the
behnazh/refactor-infer-publish-check
branch
5 times, most recently
from
October 2, 2024 09:47
ac6cbcd
to
7eac146
Compare
tromai
reviewed
Oct 6, 2024
src/macaron/slsa_analyzer/checks/infer_artifact_pipeline_check.py
Outdated
Show resolved
Hide resolved
behnazh-w
force-pushed
the
behnazh/refactor-infer-publish-check
branch
from
October 29, 2024 05:29
1586789
to
e592c5d
Compare
benmss
reviewed
Oct 31, 2024
benmss
reviewed
Nov 5, 2024
benmss
reviewed
Nov 5, 2024
src/macaron/slsa_analyzer/ci_service/github_actions/github_actions_ci.py
Outdated
Show resolved
Hide resolved
benmss
reviewed
Nov 5, 2024
src/macaron/slsa_analyzer/ci_service/github_actions/github_actions_ci.py
Outdated
Show resolved
Hide resolved
benmss
reviewed
Nov 5, 2024
benmss
reviewed
Nov 5, 2024
tests/integration/cases/micronaut-projects_micronaut-core/config.ini
Outdated
Show resolved
Hide resolved
behnazh-w
force-pushed
the
behnazh/refactor-infer-publish-check
branch
from
November 6, 2024 06:03
e592c5d
to
c9761dc
Compare
benmss
approved these changes
Nov 8, 2024
tromai
reviewed
Nov 10, 2024
tromai
reviewed
Nov 10, 2024
tromai
reviewed
Nov 11, 2024
tromai
reviewed
Nov 11, 2024
tromai
reviewed
Nov 11, 2024
tromai
reviewed
Nov 11, 2024
tromai
reviewed
Nov 11, 2024
tromai
reviewed
Nov 11, 2024
tromai
reviewed
Nov 12, 2024
tromai
reviewed
Nov 12, 2024
tromai
reviewed
Nov 12, 2024
tromai
reviewed
Nov 12, 2024
tromai
reviewed
Nov 12, 2024
tromai
reviewed
Nov 12, 2024
tromai
reviewed
Nov 12, 2024
tromai
reviewed
Nov 12, 2024
tromai
reviewed
Nov 13, 2024
tromai
reviewed
Nov 13, 2024
tromai
reviewed
Nov 13, 2024
tromai
reviewed
Nov 13, 2024
src/macaron/slsa_analyzer/ci_service/github_actions/github_actions_ci.py
Outdated
Show resolved
Hide resolved
tromai
approved these changes
Nov 13, 2024
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have finished my review. Thanks.
Overall, there isn't any major changes needs. Most of my comments are for minor improvements/nit picking.
behnazh-w
force-pushed
the
behnazh/refactor-infer-publish-check
branch
from
November 15, 2024 07:14
678abb1
to
17f3453
Compare
Except from a small question in #872 (comment), my approval still holds. The PR could be merged as it. |
Signed-off-by: behnazh-w <[email protected]>
Signed-off-by: behnazh-w <[email protected]>
Signed-off-by: behnazh-w <[email protected]>
Signed-off-by: behnazh-w <[email protected]>
behnazh-w
force-pushed
the
behnazh/refactor-infer-publish-check
branch
from
November 18, 2024 22:58
17f3453
to
c097331
Compare
tromai
approved these changes
Nov 18, 2024
art1f1c3R
pushed a commit
that referenced
this pull request
Nov 29, 2024
This PR renames `mcn_infer_artifact_pipeline_1` to `mcn_find_artifact_pipeline_1`. This check can support all the package registries now. When a verifiable provenance is found for an artifact, we use it to obtain the pipeline trigger. Otherwise, we use heuristics to find the triggering pipeline. Signed-off-by: behnazh-w <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Refactoring the artifact pipeline detection check
mcn_infer_artifact_pipeline_1
tomcn_find_artifact_pipeline_1
.nullable
. This change enables us to store the reasons for check failures, such as when a GitHub workflow run is deleted, which may result in some previous columns lacking values.mcn_build_as_code_1 check
. If a deploy command is detected, this check will attempt to locate a successful CI pipeline that triggered the step containing the deploy command.Improvements to
mcn_build_as_code_1
infer_confidence_deploy_workflow
is added toBaseBuildTool
to infer the confidence for such Reusable workflows.The
store_inferred_build_info_results
functionstore_inferred_provenance
tostore_inferred_build_info_results
.CIInfo["provenances"]
for inferred build command analysis results, we use a new field:CIInfo["build_info_results"]
.Provenance Extractor
ProvenanceBuildDefinition
andProvenancePredicate
. With these new abstractions, we don't need to hardcode the expectedbuildType
value while processing a provenance.find_publish_timestamp
Tutorial and integration tests
Detecting a malicious Java dependency uploaded manually to Maven Central
tutorial toDetecting Java dependencies manually uploaded to Maven Central
log4j-core
artifact instead ofguava
, which has an automated deployment workflow.log4j-core
.