feat: add support for JFrog Artifactory and witness provenances produced on GitLab CI #349
Merged
oracle-contributor-agreement bot added the OCA Verified label (All contributors have signed the Oracle Contributor Agreement.) on Jun 29, 2023
nathanwn changed the title from "feat: add support for JFrog Maven artifactory" to "feat: add support for JFrog Maven package registry" on Jun 29, 2023
nathanwn force-pushed the jfrog-maven branch 2 times, most recently from 95e3282 to 3be6cce on June 29, 2023 00:48
nathanwn changed the title from "feat: add support for JFrog Maven package registry" to "feat: add support for JFrog Maven package registry and witness provenance" on Jul 7, 2023
nathanwn changed the title from "feat: add support for JFrog Maven package registry and witness provenance" to "feat: add support for JFrog Maven package registry and witness provenances" on Jul 7, 2023
nathanwn added the checks (The issues related to Macaron checks) and package_registries (The issues related to package registries) labels on Jul 7, 2023
nathanwn force-pushed the jfrog-maven branch 2 times, most recently from 1643f0e to b3dff61 on July 8, 2023 12:02
behnazh-w reviewed on Jul 10, 2023: 2 comments on src/macaron/slsa_analyzer/package_registry/jfrog_maven_registry.py (outdated, resolved)
tromai reviewed on Jul 11, 2023
tromai reviewed on Jul 11, 2023: 5 comments on src/macaron/slsa_analyzer/package_registry/jfrog_maven_registry.py (outdated, resolved)
tromai reviewed on Jul 11, 2023
tromai reviewed on Jul 11, 2023
nicallen reviewed on Jul 11, 2023
behnazh-w reviewed on Jul 11, 2023: 1 comment on src/macaron/slsa_analyzer/checks/provenance_witness_l1_check.py (outdated, resolved)
behnazh-w reviewed on Jul 11, 2023
nathanwn force-pushed the jfrog-maven branch 3 times, most recently from 4a38a8e to ad8528f on July 27, 2023 05:37
nathanwn commented on Jul 27, 2023
Commits added (subjects truncated in extraction; each signed off by Nathan Nguyen <[email protected]>): "…e component", "… CI service assets"
nathanwn commented on Aug 10, 2023
tromai approved these changes on Aug 10, 2023
behnazh-w reviewed on Aug 14, 2023: comments on src/macaron/slsa_analyzer/package_registry/jfrog_maven_registry.py and tests/e2e/expected_results/slsa-verifier/slsa-verifier_cue_PASS.json (outdated, resolved)
Commits added (subjects truncated in extraction; each signed off by Nathan Nguyen <[email protected]>): "…_url function", "…ss provenance discovered"
nicallen reviewed on Aug 22, 2023: 1 comment on src/macaron/slsa_analyzer/checks/provenance_witness_l1_check.py (outdated, resolved)
behnazh-w reviewed on Aug 22, 2023
Commits added (subjects truncated in extraction; each signed off by Nathan Nguyen <[email protected]>): "…on package for payload validation"
nicallen approved these changes on Aug 22, 2023
Commits added (signed off by Nathan Nguyen <[email protected]>)
nathanwn changed the title from "feat: add support for JFrog Maven package registry and witness provenances" to "feat: add support for JFrog Artifactory and Witness provenances" on Aug 22, 2023
behnazh-w approved these changes on Aug 22, 2023
nathanwn changed the title from "feat: add support for JFrog Artifactory and Witness provenances" to "feat: add support for JFrog Artifactory and witness provenances produced on GitLab CI" on Aug 22, 2023
This pull request adds the following features to Macaron:
Note that these will only work for repositories built with Gradle for now. Support for Maven will be added later.

JFrog Maven package registry

A JFrog Maven package registry is a JFrog Artifactory instance that acts as a Maven repository. In SLSA terms, we call it a JFrog Maven package registry from here on out.
We are making the assumption that artifacts and provenances can be hosted on a JFrog Maven package registry. This pull request allows Macaron to discover artifacts and provenances on such a registry for analysis.
Another assumption is that an artifact and a corresponding provenance are hosted next to each other on the JFrog Maven package registry, i.e. if the artifact is hosted at https://some/url/of/groupid/artifactid/version/*.jar, then the corresponding provenance is hosted at https://some/url/of/groupid/artifactid/version/*.intoto.jsonl.
For Macaron to be aware of a JFrog Maven package registry, the user needs to provide the following section in the .ini config file:
For Macaron to recognize a repository to possibly publish artifacts onto some JFrog Maven package registry, the repository must have Gradle as its build tool. Support for other build tools such as Maven will be added later.

The mcn_provenance_witness_level_one_1 check

This new mcn_provenance_witness_level_one_1 check is added as a witness-specific replacement for mcn_provenance_level_three_1, which currently only supports SLSA provenances generated by slsa-github-generator. In this PR, this check only verifies that the digest of each jar file could be found somewhere in the corresponding witness provenance.
For this check to be effective, the following section must be provided in the .ini config:
The following diagram shows a brief summary of the check's logical flow.
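The following is an added example, not Macaron's own code and not part of the pull request, that puts the two assumptions in the description into runnable form: the co-location rule (a jar at `.../groupid/artifactid/version/` has its provenance next to it as `*.intoto.jsonl`) and the level-one check (the jar's SHA-256 digest must appear somewhere in the witness provenance). It assumes the provenance file shares the jar's base name, which the description's `*` wildcard does not fix, and that each JSONL line is a DSSE envelope whose base64 `payload` is an in-toto statement. The jar bytes, URL, key id and provenance document are all constructed samples.

```python
"""Added example (not Macaron's code): provenance co-location and digest lookup.

The artifact bytes, URL and provenance below are constructed for the example.
"""
import base64
import hashlib
import json
from typing import Any, Iterator
from urllib.parse import urlsplit, urlunsplit

PROVENANCE_SUFFIX = ".intoto.jsonl"


def provenance_url_for(artifact_url: str) -> str:
    """Map .../groupid/artifactid/version/<name>.jar to the sibling
    .../groupid/artifactid/version/<name>.intoto.jsonl.

    Assumption (not stated by the PR): the provenance keeps the jar's base name.
    """
    parts = urlsplit(artifact_url)
    if not parts.path.endswith(".jar"):
        raise ValueError(f"not a jar URL: {artifact_url}")
    new_path = parts.path[: -len(".jar")] + PROVENANCE_SUFFIX
    return urlunsplit((parts.scheme, parts.netloc, new_path, parts.query, parts.fragment))


def _iter_strings(node: Any) -> Iterator[str]:
    """Yield every string (keys and values) nested anywhere in a JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from _iter_strings(value)
            # A DSSE envelope carries the in-toto statement as base64 text under
            # "payload"; decode it so digests inside the statement are searchable.
            if key == "payload" and isinstance(value, str):
                try:
                    yield from _iter_strings(json.loads(base64.b64decode(value)))
                except ValueError:  # bad base64 or not JSON: treat as opaque text
                    pass
    elif isinstance(node, list):
        for item in node:
            yield from _iter_strings(item)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_in_provenance(jar_bytes: bytes, provenance_jsonl: str) -> bool:
    """True if the jar's SHA-256 hex digest occurs in any string of any
    well-formed JSONL line. Malformed lines are skipped, not treated as a match."""
    digest = sha256_hex(jar_bytes)
    for line in provenance_jsonl.splitlines():
        if not line.strip():
            continue
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue
        if any(digest in s.lower() for s in _iter_strings(doc)):
            return True
    return False


# Constructed sample inputs (not a real artifact, registry or provenance).
SAMPLE_JAR = b"PK\x03\x04 constructed jar bytes for the example"
SAMPLE_ARTIFACT_URL = (
    "https://registry.example.invalid/artifactory/libs-release/"
    "com/example/demo/1.0.0/demo-1.0.0.jar"
)


def make_sample_provenance(jar_bytes: bytes) -> str:
    """Build a one-line JSONL DSSE envelope whose in-toto statement lists the
    jar as a subject. Field values are illustrative; the signature is fake."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": "demo-1.0.0.jar", "digest": {"sha256": sha256_hex(jar_bytes)}}],
        "predicateType": "https://witness.testifysec.com/attestation-collection/v0.1",
        "predicate": {"name": "build", "attestations": []},
    }
    envelope = {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": [{"keyid": "constructed-key-id", "sig": "Y29uc3RydWN0ZWQ="}],
    }
    return json.dumps(envelope) + "\n"


if __name__ == "__main__":
    prov = make_sample_provenance(SAMPLE_JAR)
    print("provenance URL:", provenance_url_for(SAMPLE_ARTIFACT_URL))
    print("digest found:", digest_in_provenance(SAMPLE_JAR, prov))
    print("digest found for altered jar:", digest_in_provenance(SAMPLE_JAR + b"x", prov))
```

Searching every string rather than only `subject[].digest` mirrors the description's "found somewhere in the corresponding witness provenance"; a stricter check would pin the digest to the subject list and verify the envelope signature, which this PR explicitly leaves for later.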