feat: use provenance to find commits for supported PURL types. #653
Merged
769ff22 to cbf3549
nathanwn reviewed Mar 6, 2024
tromai reviewed Mar 7, 2024
tromai reviewed Mar 7, 2024
tromai reviewed Mar 7, 2024
nathanwn reviewed Mar 7, 2024
nathanwn reviewed Mar 7, 2024
tromai reviewed Mar 7, 2024
tromai reviewed Mar 7, 2024
tromai reviewed Mar 8, 2024
tromai reviewed Mar 8, 2024
tromai reviewed Mar 8, 2024
tromai reviewed Mar 8, 2024
tromai reviewed Mar 8, 2024
tromai reviewed Mar 8, 2024
tromai reviewed Mar 8, 2024
tromai reviewed Mar 8, 2024
tromai reviewed Mar 8, 2024
tromai reviewed Mar 8, 2024
tromai reviewed Mar 8, 2024
tromai reviewed Mar 8, 2024
tromai requested changes Mar 8, 2024
I have finished my first round of review. Thanks for the changes.
tromai reviewed Mar 13, 2024
tromai reviewed Mar 13, 2024
…ated list. Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
…d debug output for provenance extractor success Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
…pe(x)); use default JFrog registry; only pass real values to JFrog fetch function; rename digest function to digest_set; copy intoto algorithms to v01, and add as input to _extract_commit_from_digest_set function; make provenance_extractor raise exceptions instead of returning empty tuples, and refactor accordingly; add gitCommit digest set type to v1 algorithms. Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
…nt property from java repo finder; handle case where npm API returns no version; improve provenance extractor tests. Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
…efactor provenance extractor tests; assume one provenance per GAV in provenance finder; make npm registry namespace consistent. Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
… json_extract function. Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
…tractor tests. Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
…ceptance list. Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
…script. Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
efa204b to 2e46789
behnazh-w approved these changes Mar 22, 2024
art1f1c3R pushed a commit that referenced this pull request Nov 29, 2024
This PR allows for the extraction of repository URLs and related commits from provenance files. Supported provenance includes SLSA v0.1, 0.2, and 1, as well as Witness v0.1. This feature takes effect when a user supplies a provenance as input to the analysis, or when one can be retrieved from npm or a configured JFrog repository, as applicable. Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
This PR uses provenance files to find commits and repositories for analysis targets.
Provenance can be discovered as follows:
The supported provenance types are SLSA v0.1, v0.2, and v1, and Witness v0.1. Supported payloads are in-toto v0.1 and v1.
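The extraction this PR describes, shown as an added example that is not the project's own code: given an in-toto statement carrying a SLSA v0.2 or SLSA v1 predicate, recover the source repository URL and the git commit from the digest set, and raise rather than return an empty result when no commit digest is present. The field names follow the SLSA v0.2 (`invocation.configSource`) and SLSA v1 (`buildDefinition.resolvedDependencies`) predicate layouts; the two sample statements are constructed for illustration.

```python
"""Extract (repository URL, commit) from a SLSA v0.2 or v1 in-toto statement."""
import re

SLSA_V02 = "https://slsa.dev/provenance/v0.2"
SLSA_V1 = "https://slsa.dev/provenance/v1"
# Digest-set algorithms that name a git commit; both carry a 40-hex SHA-1.
COMMIT_ALGORITHMS = ("gitCommit", "sha1")
_HEX40 = re.compile(r"^[0-9a-f]{40}$")


def _repo_from_uri(uri: str) -> str:
    """Turn 'git+https://host/org/repo@refs/heads/main' into the plain repo URL."""
    return uri.removeprefix("git+").split("@", 1)[0]


def _commit_from_digest_set(digest: dict) -> str:
    """Pick the first well-formed commit digest; refuse to guess otherwise."""
    for alg in COMMIT_ALGORITHMS:
        value = str(digest.get(alg, "")).lower()
        if _HEX40.match(value):
            return value
    raise ValueError(f"no git commit digest among {sorted(digest)}")


def extract_repo_and_commit(statement: dict) -> tuple[str, str]:
    ptype = statement.get("predicateType")
    pred = statement.get("predicate", {})
    if ptype == SLSA_V02:
        src = pred.get("invocation", {}).get("configSource", {})
        return _repo_from_uri(src["uri"]), _commit_from_digest_set(src.get("digest", {}))
    if ptype == SLSA_V1:
        for dep in pred.get("buildDefinition", {}).get("resolvedDependencies", []):
            if str(dep.get("uri", "")).startswith("git+"):
                return _repo_from_uri(dep["uri"]), _commit_from_digest_set(dep.get("digest", {}))
        raise ValueError("no git source among resolvedDependencies")
    raise ValueError(f"unsupported predicate type: {ptype}")


# Constructed sample statements (hypothetical repository, not real provenance).
SAMPLE_V02 = {"_type": "https://in-toto.io/Statement/v0.1", "predicateType": SLSA_V02,
              "predicate": {"invocation": {"configSource": {
                  "uri": "git+https://github.com/example/repo@refs/heads/main",
                  "digest": {"sha1": "a" * 40}}}}}
SAMPLE_V1 = {"_type": "https://in-toto.io/Statement/v1", "predicateType": SLSA_V1,
             "predicate": {"buildDefinition": {"resolvedDependencies": [
                 {"uri": "pkg:npm/left-pad@1.0.0", "digest": {"sha256": "b" * 64}},
                 {"uri": "git+https://github.com/example/repo@refs/tags/v1.0.0",
                  "digest": {"gitCommit": "C" * 40}}]}}}

if __name__ == "__main__":
    print(extract_repo_and_commit(SAMPLE_V02))
    print(extract_repo_and_commit(SAMPLE_V1))
```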