Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: verify whether the reported repository can be linked back to the artifact #873

Merged

Conversation

mabdollahpour-ol
Copy link
Contributor

@mabdollahpour-ol mabdollahpour-ol commented Sep 29, 2024

This version has initial support for maven and gradle build tools.

The core part is added under repo_verifier directory. analyzer calls the repo_verifier and adds the info to dynamic_data.

Also added a sample check (for maven) that shows how this data can be used.

@mabdollahpour-ol mabdollahpour-ol self-assigned this Sep 29, 2024
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Sep 29, 2024
@behnazh-w behnazh-w requested a review from benmss September 30, 2024 01:33
@behnazh-w
Copy link
Member

The core part is added as "repo_verifier" under "repo_finder". "analyzer" calls the "repo_verifier" and adds the info to "dynamic_data". I added a sample check (for maven) that shows how this data can be used.

Can you please add this information to the PR description?

@mabdollahpour-ol
Copy link
Contributor Author

@behnazh-w thanks for the comments! I'll apply the changes by EOD.

src/macaron/repo_finder/repo_verifier.py Outdated Show resolved Hide resolved
src/macaron/repo_finder/repo_verifier.py Outdated Show resolved Hide resolved
@benmss
Copy link
Member

benmss commented Oct 1, 2024

Is there a plan to add unit testing and integration testing as part of this PR? @behnazh-w

@behnazh-w
Copy link
Member

Is there a plan to add unit testing and integration testing as part of this PR? @behnazh-w

Yes for sure. The PR needs unit tests and integration tests.

@mabdollahpour-ol
Copy link
Contributor Author

Is there a plan to add unit testing and integration testing as part of this PR? @behnazh-w

Yes for sure. The PR needs unit tests and integration tests.

Yes tests are on the way.

@mabdollahpour-ol mabdollahpour-ol force-pushed the repository-verification branch from 89645cd to a2cba60 Compare October 2, 2024 17:20
@mabdollahpour-ol mabdollahpour-ol changed the title feat: Verify whether the claimed repository can be linked back to the artifact feat: verify whether the claimed repository can be linked back to the artifact Oct 2, 2024
@mabdollahpour-ol mabdollahpour-ol changed the title feat: verify whether the claimed repository can be linked back to the artifact feat: verify whether the reported repository can be linked back to the artifact Oct 2, 2024
@mabdollahpour-ol mabdollahpour-ol force-pushed the repository-verification branch from a2cba60 to c0cce14 Compare October 7, 2024 22:14
Signed-off-by: Mohammad Abdollahpour <[email protected]>
Copy link
Member

@benmss benmss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me.

Signed-off-by: Mohammad Abdollahpour <[email protected]>
@mabdollahpour-ol mabdollahpour-ol merged commit 3854a85 into oracle:staging Oct 28, 2024
8 checks passed
@behnazh-w
Copy link
Member

The core part is added as "repo_verifier" under "repo_finder". "analyzer" calls the "repo_verifier" and adds the info to "dynamic_data". I added a sample check (for maven) that shows how this data can be used.

Can you please add this information to the PR description?

Looks like you forgot to change the PR description. Could you please fix that?

@behnazh-w
Copy link
Member

behnazh-w commented Oct 29, 2024

Please add the new check to the check table in the documentation at docs/source/index.rst.

@behnazh-w
Copy link
Member

Please run make docs-full to generate the RST templates for the new modules on the documentation website.

logger: logging.Logger = logging.getLogger(__name__)


class MavenRepoVerificationFacts(CheckFacts):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check should not be specific to Maven. Please clarify in the documentation that it currently supports only Maven, but avoid including Maven/maven in the names of the module, fact table, and check. In the implementation, you can verify that the artifact type is Maven and report UNKNOWN for all other ecosystems.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where would be a good place to mention that it only supports Maven packages at this moment? The description field is the most visible one for the end users but technically under returns section of the docstring for run_check would be the proper place. What do you think? @behnazh-w

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can mention in in both places.

Comment on lines +31 to +33
group: Mapped[str] = mapped_column(String, nullable=False)
artifact: Mapped[str] = mapped_column(String, nullable=False)
version: Mapped[str] = mapped_column(String, nullable=False)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any particular reason for adding these columns? We can obtain them from the component table too.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not really, just for the ease of analysis. I can remove them.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, specifically if we don't want it to be Maven-specific, they shouldn't be there.

version: Mapped[str] = mapped_column(String, nullable=False)

# Repository link identified by Macaron's repo finder.
repo_link: Mapped[str] = mapped_column(String, nullable=True)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be good to make these visible in the HTML report. You just need to add the following property to the mapped_column.

Suggested change
repo_link: Mapped[str] = mapped_column(String, nullable=True)
repo_link: Mapped[str] = mapped_column(String, nullable=True, info={"justification": JustificationType.HREF})

repo_link: Mapped[str] = mapped_column(String, nullable=True)

# Repository link identified by deps.dev.
deps_dev_repo_link: Mapped[str | None] = mapped_column(String, nullable=True)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
deps_dev_repo_link: Mapped[str | None] = mapped_column(String, nullable=True)
deps_dev_repo_link: Mapped[str | None] = mapped_column(String, nullable=True), info={"justification": JustificationType.HREF}

artifact: Mapped[str] = mapped_column(String, nullable=False)
version: Mapped[str] = mapped_column(String, nullable=False)

# Repository link identified by Macaron's repo finder.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comments should be in #: format to ensure the docstring renders correctly.

This comment applies for all the properties.

deps_dev_repo_link: Mapped[str | None] = mapped_column(String, nullable=True)

# Number of stars on the repository identified by deps.dev.
deps_dev_stars_count: Mapped[int | None] = mapped_column(Integer, nullable=True)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This property should be rendered as TEXT so, it's slightly different:

Suggested change
deps_dev_stars_count: Mapped[int | None] = mapped_column(Integer, nullable=True)
deps_dev_stars_count: Mapped[int | None] = mapped_column(Integer, nullable=True, info={"justification": JustificationType.TEXT})

deps_dev_stars_count: Mapped[int | None] = mapped_column(Integer, nullable=True)

# Number of forks on the repository identified by deps.dev.
deps_dev_fork_count: Mapped[int | None] = mapped_column(Integer, nullable=True)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as above regarding adding info={"justification": JustificationType.TEXT}.

deps_dev_fork_count: Mapped[int | None] = mapped_column(Integer, nullable=True)

# The status of the check: passed, failed, or unknown.
status: Mapped[str] = mapped_column(String, nullable=False)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as above regarding adding info={"justification": JustificationType.TEXT}.

status: Mapped[str] = mapped_column(String, nullable=False)

# The reason for the status.
reason: Mapped[str] = mapped_column(String, nullable=False)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as above regarding adding info={"justification": JustificationType.TEXT}.

reason: Mapped[str] = mapped_column(String, nullable=False)

# The build tool used to build the package.
build_tool: Mapped[str] = mapped_column(String, nullable=False)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as above regarding adding info={"justification": JustificationType.TEXT}.

@mabdollahpour-ol
Copy link
Contributor Author

mabdollahpour-ol commented Oct 30, 2024

The core part is added as "repo_verifier" under "repo_finder". "analyzer" calls the "repo_verifier" and adds the info to "dynamic_data". I added a sample check (for maven) that shows how this data can be used.

Can you please add this information to the PR description?

Looks like you forgot to change the PR description. Could you please fix that?

I moved repo_verifier to its own directory. I changed the PR description (the first comment in this page if that's what you mean) to reflect the change. I didn't add this info the body of the squashed commit but I will in the next merge. Does that sound good?

@mabdollahpour-ol mabdollahpour-ol deleted the repository-verification branch October 30, 2024 02:32
@mabdollahpour-ol
Copy link
Contributor Author

Please add the new check to the check table in the documentation at docs/source/index.rst.

The SLSA requirement is "Source - Version controlled", right?

@behnazh-w
Copy link
Member

behnazh-w commented Oct 30, 2024

Please add the new check to the check table in the documentation at docs/source/index.rst.

The SLSA requirement is "Source - Version controlled", right?

I've added my suggestion to the PR. This check is related to Source - Version controlled, but it also includes a validation aspect. Generally, while the SLSA requirement column may not use the exact terminology from slsa.dev, there is a relationship.

art1f1c3R pushed a commit that referenced this pull request Nov 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
OCA Verified All contributors have signed the Oracle Contributor Agreement.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants