feat: verify whether the reported repository can be linked back to the artifact #873

mabdollahpour-ol · 2024-09-29T00:17:51Z

This version has initial support for maven and gradle build tools.

The core part is added as "repo_verifier" under "repo_finder". "analyzer" calls the "repo_verifier" and adds the info to "dynamic_data".
Also added a sample check (for maven) that shows how this data can be used.

mabdollahpour-ol · 2024-09-29T00:24:00Z

The core part is added as "repo_verifier" under "repo_finder".
"analyzer" calls the "repo_verifier" and adds the info to "dynamic_data".
I added a sample check (for maven) that shows how this data can be used.

src/macaron/repo_finder/repo_finder_java.py

behnazh-w · 2024-09-30T01:44:07Z

The core part is added as "repo_verifier" under "repo_finder". "analyzer" calls the "repo_verifier" and adds the info to "dynamic_data". I added a sample check (for maven) that shows how this data can be used.

Can you please add this information to the PR description?

mabdollahpour-ol · 2024-09-30T20:24:34Z

@behnazh-w thanks for the comments! I'll apply the changes by EOD.

src/macaron/repo_finder/repo_verifier.py

behnazh-w · 2024-09-30T23:22:01Z

src/macaron/repo_finder/repo_verifier.py

+        return True
+
+    @staticmethod
+    def _bfs_walk(root_dir: Path, filename: str) -> Path | None:


You can probably use the get_build_dirs function in build tools. You might just need to improve it to avoid looking into the ["test", "example", "sample", "doc", "demo", "spec", "mock"] directories as implemented in this function.

Interesting. Yes, I that's the correct funciton to be used here. Thanks!

I decided to keep this for now (with another name find_file_in_repo under repo_verifier_base) because the amount of refactoring needed to make use of those functions for this purpose seems to be quite high.

OK, no worries. Can you please add a TODO comment to refactor and use get_build_dirs later?

src/macaron/repo_finder/repo_finder_java.py

src/macaron/repo_finder/repo_verifier.py

src/macaron/slsa_analyzer/analyzer.py

src/macaron/slsa_analyzer/checks/maven_repo_verification_check.py

benmss · 2024-10-01T04:41:31Z

Is there a plan to add unit testing and integration testing as part of this PR? @behnazh-w

behnazh-w · 2024-10-01T05:18:25Z

Is there a plan to add unit testing and integration testing as part of this PR? @behnazh-w

Yes for sure. The PR needs unit tests and integration tests.

mabdollahpour-ol · 2024-10-01T20:41:41Z

Is there a plan to add unit testing and integration testing as part of this PR? @behnazh-w

Yes for sure. The PR needs unit tests and integration tests.

Yes tests are on the way.

src/macaron/repo_finder/repo_verifier.py

src/macaron/artifact/maven.py

… artifact Signed-off-by: Mohammad Abdollahpour <[email protected]>

Signed-off-by: Mohammad Abdollahpour <[email protected]>

…ctions Signed-off-by: Mohammad Abdollahpour <[email protected]>

Signed-off-by: Mohammad Abdollahpour <[email protected]>

mabdollahpour-ol self-assigned this Sep 29, 2024

mabdollahpour-ol requested review from behnazh-w and tromai as code owners September 29, 2024 00:17

oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Sep 29, 2024

behnazh-w requested a review from benmss September 30, 2024 01:33

behnazh-w reviewed Sep 30, 2024

View reviewed changes

src/macaron/repo_finder/repo_finder_java.py Outdated Show resolved Hide resolved

src/macaron/repo_finder/repo_finder_java.py Outdated Show resolved Hide resolved

behnazh-w reviewed Sep 30, 2024

View reviewed changes

src/macaron/repo_finder/repo_verifier.py Outdated Show resolved Hide resolved

src/macaron/repo_finder/repo_verifier.py Outdated Show resolved Hide resolved

behnazh-w reviewed Sep 30, 2024

View reviewed changes