
pkg:maven/com.simplaex/java-druid-client@1.2.0 got UNKNOWN for mcn_scm_authenticity_1, expect FAILED #1026

@tromai

Reproduce the issue

I ran this on Macaron at commit 9d5de67

# Assume the development environment has been set up
macaron analyze -purl pkg:maven/com.simplaex/java-druid-client@1.2.0

The issue

Macaron discovered the git repository for this PURL at https://github.com/simplaex/dummies. This is different from the expected git repository at https://github.com/simplaex/java-druid-client.

However, this is not Macaron's fault, as https://github.com/simplaex/dummies is defined in https://repo1.maven.org/maven2/com/simplaex/java-druid-client/1.2.0/java-druid-client-1.2.0.pom.

In addition, I was expecting the mcn_scm_authenticity_1 check to fail instead of UNKNOWN.

2025-03-25 11:43:56,350 [macaron.slsa_analyzer.checks.base_check:run:95] [INFO] ----------------------------------
2025-03-25 11:43:56,350 [macaron.slsa_analyzer.checks.base_check:run:96] [INFO] BEGIN CHECK: mcn_scm_authenticity_1
2025-03-25 11:43:56,350 [macaron.slsa_analyzer.checks.base_check:run:97] [INFO] ----------------------------------
2025-03-25 11:43:56,350 [macaron.slsa_analyzer.checks.base_check:run:111] [INFO] Check mcn_scm_authenticity_1 run UNKNOWN on target pkg:maven/com.simplaex/java-druid-client@1.2.0.
2025-03-25 11:43:56,350 [macaron.slsa_analyzer.checks.base_check:run:117] [DEBUG] Check result: [(<Confidence.HIGH: 1.0>, ['Not Available.'])]
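
A stand-alone way to surface the repository mismatch described in this issue, as an added example that is not part of the original report and not Macaron's check logic: it reads the `<scm>` entries of a POM and compares them with the repository a reviewer expects. The POM fragment is constructed for illustration, and the function names and verdict strings are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed POM fragment modelled on the situation in this issue;
# it is not a copy of the published POM.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.simplaex</groupId>
  <artifactId>java-druid-client</artifactId>
  <version>1.2.0</version>
  <scm>
    <url>https://github.com/simplaex/dummies</url>
    <connection>scm:git:git@github.com:simplaex/dummies.git</connection>
  </scm>
</project>"""

SCM_TAGS = ("url", "connection", "developerConnection")
REPO_RE = re.compile(
    r"([\w.-]+\.[a-z]+)[:/]+([\w.-]+)/([\w.-]+?)(?:\.git)?/?$", re.I)

def normalize_repo(value):
    """Reduce an SCM URL or Maven scm: string to 'host/owner/repo', or None."""
    value = re.sub(r"^scm:[^:]+:", "", value.strip())  # drop "scm:git:"
    match = REPO_RE.search(value)
    return "/".join(match.groups()).lower() if match else None

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on POM tags."""
    return tag.rsplit("}", 1)[-1]

def scm_repos(pom_xml):
    """Map each <scm> child present in the POM to its normalized repo."""
    root = ET.fromstring(pom_xml)  # for untrusted POMs, prefer defusedxml
    repos = {}
    for scm in (c for c in root if local(c.tag) == "scm"):
        for entry in scm:
            if local(entry.tag) in SCM_TAGS and entry.text:
                repos[local(entry.tag)] = normalize_repo(entry.text)
    return repos

def compare_scm(pom_xml, expected_repo_url):
    """Return (verdict, tags whose repo differs from the expected one)."""
    expected = normalize_repo(expected_repo_url)
    if expected is None:
        raise ValueError("expected repository URL could not be parsed")
    repos = scm_repos(pom_xml)
    if not repos:
        return "NO_SCM", []
    mismatched = sorted(t for t, r in repos.items() if r != expected)
    return ("MISMATCH" if mismatched else "MATCH"), mismatched
```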
