
feat: use provenance to find commits for supported PURL types. #653


Merged (25 commits), Mar 22, 2024

Conversation

benmss
Member

@benmss benmss commented Feb 29, 2024

This PR uses provenance files to find commits and repositories for analysis targets.

Provenance can be discovered as follows:

  • In a user defined JFrog repository, for Gradle and Maven targets.
  • From npm, for npm libraries built with provenance.
  • From the user, if provided as a CLI parameter.

The supported provenance types are SLSA v0.1, v0.2, and v1, and Witness v0.1. Supported payloads are in-toto v0.1 and v1.
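As an added illustration of the extraction step the PR describes (example code, not the project's or the author's own): a parser that takes an in-toto v0.1 or v1 statement carrying a SLSA v0.1, v0.2 or v1 predicate and returns the source repository URL and commit, raising instead of returning an empty result. The digest-set keys accepted per version, the `git+https://…@ref` URI form, the Witness omission and the sample statement are assumptions.

```python
import json
import re

# Covered: in-toto v0.1/v1 statements carrying SLSA v0.1/v0.2/v1 predicates (Witness left out).
STATEMENT_TYPES = ("https://in-toto.io/Statement/v0.1", "https://in-toto.io/Statement/v1")
# Digest-set keys that may hold a git commit, per predicate version (assumption; the PR adds "gitCommit" for v1).
COMMIT_DIGEST_KEYS = {
    "https://slsa.dev/provenance/v0.1": ("sha1",),
    "https://slsa.dev/provenance/v0.2": ("sha1",),
    "https://slsa.dev/provenance/v1": ("gitCommit", "sha1"),
}
GIT_URI = re.compile(r"^git\+(?P<repo>https://[^@]+?)(?:\.git)?@")  # git+https://host/org/repo[.git]@ref

def _source_candidates(predicate_type: str, predicate: dict) -> list[dict]:
    """Return the {uri, digest} entries that can name the build's source, in priority order."""
    if predicate_type.endswith("/v1"):
        return predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    config = predicate.get("invocation", {}).get("configSource")  # v0.x: configSource, then materials
    return ([config] if config else []) + predicate.get("materials", [])

def extract_repo_and_commit(statement_json: str) -> tuple[str, str]:
    """Return (repository URL, commit); raise ValueError instead of returning an empty tuple, as the PR does."""
    statement = json.loads(statement_json)
    if statement.get("_type") not in STATEMENT_TYPES:
        raise ValueError(f"unsupported statement type: {statement.get('_type')!r}")
    predicate_type = statement.get("predicateType", "")
    keys = COMMIT_DIGEST_KEYS.get(predicate_type)
    if keys is None:
        raise ValueError(f"unsupported predicate type: {predicate_type!r}")
    for entry in _source_candidates(predicate_type, statement.get("predicate", {})):
        match = GIT_URI.match(entry.get("uri", ""))
        if not match:
            continue  # not a git source (e.g. a builder image or toolchain dependency)
        for key in keys:
            commit = entry.get("digest", {}).get(key, "")
            if re.fullmatch(r"[0-9a-f]{40}", commit):  # accept only a full 40-hex-char commit id
                return match.group("repo"), commit
    raise ValueError("no git source with a usable commit digest in provenance")

# Constructed SLSA v1 sample (not a real provenance; subject omitted for brevity).
SAMPLE_SLSA_V1 = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"buildDefinition": {"resolvedDependencies": [
        {"uri": "pkg:docker/example-builder@sha256:abcd", "digest": {"sha256": "abcd"}},
        {"uri": "git+https://github.com/example-org/example-lib.git@refs/tags/v1.0.0",
         "digest": {"gitCommit": "0123456789abcdef0123456789abcdef01234567"}}]}},
})
```

Calling `extract_repo_and_commit(SAMPLE_SLSA_V1)` skips the builder image entry and returns the GitHub URL with the `gitCommit` digest; a statement with no git source raises.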

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Feb 29, 2024
@benmss benmss force-pushed the provenance-commits-refactor branch from 769ff22 to cbf3549 Compare March 5, 2024 03:10
@benmss benmss marked this pull request as ready for review March 5, 2024 06:46
@benmss benmss requested review from behnazh-w and tromai as code owners March 5, 2024 06:46

@tromai tromai left a comment


I have finished my first round of review. Thanks for the changes.

benmss added 24 commits March 22, 2024 13:50
…ated list.

Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
…d debug output for provenance extractor success

Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
…pe(x)); use default JFrog registry; only pass real values to JFrog fetch function; rename digest function to digest_set; copy intoto algorithms to v01, and add as input to _extract_commit_from_digest_set function; make provenance_extractor raise exceptions instead of returning empty tuples, and refactor accordingly; add gitCommit digest set type to v1 algorithms.

Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
…nt property from java repo finder; handle case where npm API returns no version; improve provenance extractor tests.

Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
…efactor provenance extractor tests; assume one provenance per GAV in provenance finder; make npm registry namespace consistent.

Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
… json_extract function.

Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
…tractor tests.

Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
…ceptance list.

Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
…script.

Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss benmss force-pushed the provenance-commits-refactor branch from efa204b to 2e46789 Compare March 22, 2024 04:16
@benmss benmss merged commit 28131cd into staging Mar 22, 2024
@tromai tromai deleted the provenance-commits-refactor branch March 22, 2024 06:53
art1f1c3R pushed a commit that referenced this pull request Nov 29, 2024
This PR allows for the extraction of repository URLs and related commits from provenance files. Supported provenance includes SLSA v0.1, 0.2, and 1, as well as Witness v0.1. This feature takes effect when a user supplies a provenance as input to the analysis, or when one can be retrieved from npm or a configured JFrog repository, as applicable.

Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
4 participants