chore: rebase staging into add-python-as-a-supported-build-tool

Signed-off-by: sophie-bates <[email protected]>

Author: sophie-bates

Makefile

@@ -107,13 +107,13 @@ $(PACKAGE_PATH)/resources/mvnw:
 		&& cd $(REPO_PATH)
 $(PACKAGE_PATH)/resources/gradlew:
 	cd $(PACKAGE_PATH)/resources \
-	&& export GRADLE_VERSION=7.6 \
-	&& wget https://services.gradle.org/distributions/gradle-$$GRADLE_VERSION-bin.zip \
-	&& unzip -o gradle-$$GRADLE_VERSION-bin.zip \
-	&& rm -r gradle-$$GRADLE_VERSION-bin.zip \
-	&& gradle-$$GRADLE_VERSION/bin/gradle wrapper \
-	&& rm -rf gradle-$$GRADLE_VERSION \
-	&& cd $(REPO_PATH)
+		&& export GRADLE_VERSION=7.6 \
+		&& wget https://services.gradle.org/distributions/gradle-$$GRADLE_VERSION-bin.zip \
+		&& unzip -o gradle-$$GRADLE_VERSION-bin.zip \
+		&& rm -r gradle-$$GRADLE_VERSION-bin.zip \
+		&& gradle-$$GRADLE_VERSION/bin/gradle wrapper \
+		&& rm -rf gradle-$$GRADLE_VERSION \
+		&& cd $(REPO_PATH)
 
 # Install or upgrade an existing virtual environment based on the
 # package dependencies declared in pyproject.toml and go.mod.

README.md

@@ -164,12 +164,6 @@ make setup
 
 With that in place, you’re ready to build and contribute to Macaron!
 
-### Defining checks
-
-After cloning a repository, Macaron parses the CI configuration files and bash scripts that are triggered by the CI, creates call graphs and other intermediate representations as abstractions. Using such abstractions, Macaron implements concrete checks to gather facts and metadata based on a security specification.
-
-To learn how to define your own checks, see the steps in the [checks documentation](/src/macaron/slsa_analyzer/checks/README.md).
-
 ### Updating dependent packages
 
 It’s likely that during development you’ll add or update dependent packages in the `pyproject.toml` file, which requires an update to the virtual environment:

src/macaron/dependency_analyzer/cyclonedx.py

@@ -54,7 +54,7 @@ def deserialize_bom_json(file_path: Path) -> dict:
 
 
 def get_root_component(root_bom_path: Path) -> Optional[dict | None]:
-    """Get dependency components.
+    """Get the root dependency component.
 
     Parameters
     ----------
@@ -107,8 +107,8 @@ def get_dep_components(
         logger.error("The BOM file at %s misses components.", str(root_bom_path))
         return
 
-    dependencies = []
-    modules = set()  # Stores all module dependencies.
+    dependencies: list[str] = []
+    modules: set[str] = set()  # Stores all module dependencies.
     for child_path in child_bom_paths or []:
         try:
             bom_objects.append(deserialize_bom_json(child_path))

src/macaron/slsa_analyzer/analyzer.py

@@ -279,7 +279,6 @@ def resolve_dependencies(self, main_ctx: AnalyzeContext) -> dict[str, Dependency
                 with open(log_path, mode="a", encoding="utf-8") as log_file:
                     log_file.write(error.output.decode("utf-8"))
             except FileNotFoundError as error:
-                # Only happen if the gradlew at the repo dir has an invalid format
                 logger.error(error)
 
             # We collect the generated SBOM as a best effort, even if the build exits with errors.

src/macaron/slsa_analyzer/build_tool/base_build_tool.py

@@ -175,12 +175,12 @@ def get_build_dirs(self, repo_path: str) -> Iterable[Path]:
 
         list_iter = iter(sorted(config_paths, key=lambda x: (str(Path(x).parent), len(Path(x).parts))))
         try:
-            prefix = next(list_iter)
-            yield Path(prefix).parent.relative_to(repo_path)
+            cfg_path = next(list_iter)
+            yield Path(cfg_path).parent.relative_to(repo_path)
             while next_item := next(list_iter):
-                if str(Path(prefix).parent) in next_item:
+                if str(Path(cfg_path).parent) in next_item:
                     continue
-                prefix = next_item
+                cfg_path = next_item
                 yield Path(next_item).parent.relative_to(repo_path)
 
         except StopIteration: