feat: verify whether the reported repository can be linked back to the artifact #873
Conversation
oracle-contributor-agreement
bot
added
the
OCA Verified
Can you please add this information to the PR description? |
|
@behnazh-w thanks for the comments! I'll apply the changes by EOD. |
src/macaron/slsa_analyzer/checks/maven_repo_verification_check.py
Outdated
Show resolved
Hide resolved
|
Is there a plan to add unit testing and integration testing as part of this PR? @behnazh-w |
Yes for sure. The PR needs unit tests and integration tests. |
Yes tests are on the way. |
mabdollahpour-ol
force-pushed
the
repository-verification
branch
from
89645cd
to
a2cba60
Compare
mabdollahpour-ol
changed the title
mabdollahpour-ol
changed the title
mabdollahpour-ol
force-pushed
the
repository-verification
branch
from
a2cba60
to
c0cce14
Compare
… artifact Signed-off-by: Mohammad Abdollahpour <[email protected]>
Signed-off-by: Mohammad Abdollahpour <[email protected]>
Signed-off-by: Mohammad Abdollahpour <[email protected]>
Signed-off-by: Mohammad Abdollahpour <[email protected]>
Signed-off-by: Mohammad Abdollahpour <[email protected]>
Signed-off-by: Mohammad Abdollahpour <[email protected]>
Signed-off-by: Mohammad Abdollahpour <[email protected]>
…ctions Signed-off-by: Mohammad Abdollahpour <[email protected]>
Signed-off-by: Mohammad Abdollahpour <[email protected]>
Signed-off-by: Mohammad Abdollahpour <[email protected]>
Signed-off-by: Mohammad Abdollahpour <[email protected]>
mabdollahpour-ol
force-pushed
the
repository-verification
branch
from
c0cce14
to
3044d69
Compare
Signed-off-by: Mohammad Abdollahpour <[email protected]>
Signed-off-by: Mohammad Abdollahpour <[email protected]>
Looks like you forgot to change the PR description. Could you please fix that? |
|
Please add the new check to the check table in the documentation at |
|
Please run |
| logger: logging.Logger = logging.getLogger(__name__) | ||
|
|
||
|
|
||
| class MavenRepoVerificationFacts(CheckFacts): |
There was a problem hiding this comment.
This check should not be specific to Maven. Please clarify in the documentation that it currently supports only Maven, but avoid including Maven/maven in the names of the module, fact table, and check. In the implementation, you can verify that the artifact type is Maven and report UNKNOWN for all other ecosystems.
There was a problem hiding this comment.
Where would be a good place to mention that it only supports Maven packages at this moment? The description field is the most visible one for the end users but technically under returns section of the docstring for run_check would be the proper place. What do you think? @behnazh-w
There was a problem hiding this comment.
We can mention in in both places.
| group: Mapped[str] = mapped_column(String, nullable=False) | ||
| artifact: Mapped[str] = mapped_column(String, nullable=False) | ||
| version: Mapped[str] = mapped_column(String, nullable=False) |
There was a problem hiding this comment.
Is there any particular reason for adding these columns? We can obtain them from the component table too.
There was a problem hiding this comment.
Not really, just for the ease of analysis. I can remove them.
There was a problem hiding this comment.
Yeah, specifically if we don't want it to be Maven-specific, they shouldn't be there.
| version: Mapped[str] = mapped_column(String, nullable=False) | ||
|
|
||
| # Repository link identified by Macaron's repo finder. | ||
| repo_link: Mapped[str] = mapped_column(String, nullable=True) |
There was a problem hiding this comment.
It would be good to make these visible in the HTML report. You just need to add the following property to the mapped_column.
| repo_link: Mapped[str] = mapped_column(String, nullable=True) | |
| repo_link: Mapped[str] = mapped_column(String, nullable=True, info={"justification": JustificationType.HREF}) |
| repo_link: Mapped[str] = mapped_column(String, nullable=True) | ||
|
|
||
| # Repository link identified by deps.dev. | ||
| deps_dev_repo_link: Mapped[str | None] = mapped_column(String, nullable=True) |
There was a problem hiding this comment.
| deps_dev_repo_link: Mapped[str | None] = mapped_column(String, nullable=True) | |
| deps_dev_repo_link: Mapped[str | None] = mapped_column(String, nullable=True), info={"justification": JustificationType.HREF} |
| artifact: Mapped[str] = mapped_column(String, nullable=False) | ||
| version: Mapped[str] = mapped_column(String, nullable=False) | ||
|
|
||
| # Repository link identified by Macaron's repo finder. |
There was a problem hiding this comment.
The comments should be in #: format to ensure the docstring renders correctly.
This comment applies for all the properties.
| deps_dev_repo_link: Mapped[str | None] = mapped_column(String, nullable=True) | ||
|
|
||
| # Number of stars on the repository identified by deps.dev. | ||
| deps_dev_stars_count: Mapped[int | None] = mapped_column(Integer, nullable=True) |
There was a problem hiding this comment.
This property should be rendered as TEXT so, it's slightly different:
| deps_dev_stars_count: Mapped[int | None] = mapped_column(Integer, nullable=True) | |
| deps_dev_stars_count: Mapped[int | None] = mapped_column(Integer, nullable=True, info={"justification": JustificationType.TEXT}) |
| deps_dev_stars_count: Mapped[int | None] = mapped_column(Integer, nullable=True) | ||
|
|
||
| # Number of forks on the repository identified by deps.dev. | ||
| deps_dev_fork_count: Mapped[int | None] = mapped_column(Integer, nullable=True) |
There was a problem hiding this comment.
Same comment as above regarding adding info={"justification": JustificationType.TEXT}.
| deps_dev_fork_count: Mapped[int | None] = mapped_column(Integer, nullable=True) | ||
|
|
||
| # The status of the check: passed, failed, or unknown. | ||
| status: Mapped[str] = mapped_column(String, nullable=False) |
There was a problem hiding this comment.
Same comment as above regarding adding info={"justification": JustificationType.TEXT}.
| status: Mapped[str] = mapped_column(String, nullable=False) | ||
|
|
||
| # The reason for the status. | ||
| reason: Mapped[str] = mapped_column(String, nullable=False) |
There was a problem hiding this comment.
Same comment as above regarding adding info={"justification": JustificationType.TEXT}.
| reason: Mapped[str] = mapped_column(String, nullable=False) | ||
|
|
||
| # The build tool used to build the package. | ||
| build_tool: Mapped[str] = mapped_column(String, nullable=False) |
There was a problem hiding this comment.
Same comment as above regarding adding info={"justification": JustificationType.TEXT}.
I moved |
The SLSA requirement is "Source - Version controlled", right? |
I've added my suggestion to the PR. This check is related to |
This version has initial support for maven and gradle build tools.
The core part is added under
repo_verifierdirectory.analyzercalls therepo_verifierand adds the info todynamic_data.Also added a sample check (for maven) that shows how this data can be used.