feat: verify whether the reported repository can be linked back to the artifact #873
Conversation
The core part is added as "repo_verifier" under "repo_finder".
Can you please add this information to the PR description?
@behnazh-w thanks for the comments! I'll apply the changes by EOD.
```python
        return True

    @staticmethod
    def _bfs_walk(root_dir: Path, filename: str) -> Path | None:
```
You can probably use the `get_build_dirs` function in build tools. You might just need to improve it to avoid looking into the `["test", "example", "sample", "doc", "demo", "spec", "mock"]` directories as implemented in this function.
Interesting. Yes, I think that's the correct function to be used here. Thanks!
I decided to keep this for now (with another name, `find_file_in_repo` under `repo_verifier_base`) because the amount of refactoring needed to make use of those functions for this purpose seems to be quite high.
OK, no worries. Can you please add a TODO comment to refactor and use `get_build_dirs` later?
src/macaron/slsa_analyzer/checks/maven_repo_verification_check.py
Is there a plan to add unit testing and integration testing as part of this PR? @behnazh-w
Yes for sure. The PR needs unit tests and integration tests.
Yes, tests are on the way.
89645cd to a2cba60
… artifact Signed-off-by: Mohammad Abdollahpour <[email protected]>
…ctions Signed-off-by: Mohammad Abdollahpour <[email protected]>
a2cba60 to c0cce14
This version has initial support for Maven and Gradle build tools.
The core part is added as "repo_verifier" under "repo_finder". "analyzer" calls the "repo_verifier" and adds the info to "dynamic_data".
Also added a sample check (for Maven) that shows how this data can be used.