Support defining a generic Git Service through defaults.ini for build tool detection

[tromai]

Problem

In Macaron, at this place

macaron/src/macaron/slsa_analyzer/analyzer.py

Lines 912 to 921 in a3842b4

	if isinstance(git_service, NoneGitService):
	logger.error("Unable to find repository or unsupported git service for %s", analyze_ctx.component.purl)
	else:
	logger.info(
	"Detected git service %s for %s.", git_service.name, analyze_ctx.component.repository.complete_name
	)
	analyze_ctx.dynamic_data["git_service"] = git_service
	# Determine the build tool.
	for build_tool in BUILD_TOOLS:

The build tool detection logic is only run if the git service of the target repository is supported by Macaron. This mean that git_service must be either GitLab or GitHub.

The git service detection requires the remote url to be of a known service (e.g. github.com or gitlab.com). See implementation here:

macaron/src/macaron/slsa_analyzer/git_service/base_git_service.py

Lines 71 to 95 in 71accbf

	def is_detected(self, url: str) -> bool:
	"""Check if the remote repo at the given ``url`` is hosted on this git service.
	This check is done by checking the URL of the repo against the hostname of this
	git service.
	Parameters
	----------
	url : str
	The url of the remote repo.
	Returns
	-------
	bool
	True if the repo is indeed hosted on this git service.
	"""
	if self.hostname is None:
	return False
	return (
	git_url.parse_remote_url(
	url,
	allowed_git_service_hostnames=[self.hostname],
	)
	is not None
	)

For a user to analyze an repository that is hosted on an unknown/not supported git service (e.g. bitbucket.org), they must first clone the repository into their filesystem and provide its local path to Macaron (i.e analyzing-a-locally-cloned-repository). Macaron will detect the remote URL of this local repository as it was from an unknown git service and will not run the build tool detection. This is an expected behavior.

However, there are some problems to this behavior:

• Theoretically, the build tool detection logic, which only looks statically into the files of the target repository, doesn't rely on the type of git or CI service for a repository.
• Given the scenario above, there aren't any checks that could possibly pass (other than the version_control_system, which always passes).

Solution

Due to the following reasons:

• A build tool can be detected regardless of the git service or CI service. However our current checks (e.g. build and provenance related checks) all rely on reachability via CI (which currently, we have great support for GitHub but not as much for other Git and CI service).
• Therefore, unless we come up with a check that doesn't rely on the git or CI service of a repo. The "if" statement here still makes sense

  macaron/src/macaron/slsa_analyzer/analyzer.py

  Line 912 in a3842b4

  if isinstance(git_service, NoneGitService):

With those reasons, we have decided to:

• Support a GenericGitService with the host name that the user define in defaults.ini. This will allow the build tool detection to run for the scenario of analyzing a local repository with unknown git service. (will be handled in this issue).
• Add a check called has_build_configs which relies only on the build tool detection and doesn't rely on git or CI service (TBD in a separated issue)
• Rename and modify the description of checks in Macaron to further reflects the changes (TBD in a separated issue)

[behnazh-w]

We had a related issue for supporting Bitbucket repos here, which cannot be detected even if they are provided as local repos: #332

[behnazh-w]

Rename and modify the description of checks in Macaron to further reflects the changes (TBD)
@tromai This is not related to this issue and will be handled separately.

[behnazh-w]

Add a check called has_build_configs which relies only on the build tool detection and doesn't rely on git or CI service (TBD)

Adding this check should also have a separate issue independent of adding a generic git service.

[behnazh-w]

The generic git service will is mainly be needed for local repos that are already cloned. So, we can call it LocalGitService.

[tromai]

The generic git service will is mainly be needed for local repos that are already cloned. So, we can call it LocalGitService.

Thanks for reviewing my problem statement.
I agree that we meant to use this "git service" for supporting local repos.
However, I think calling it LocalGitService can make people think it as a "git service" that they are running locally in their host machine, which is not correct to the use case we are supporting here. We are trying to support detecting a git service that Macaron doesn't know about, and that git service can have any host name depending on the user's configuration in defaults.ini. Therefore, this host name can be anything, whether it's a remote git service that Macaron doesn't support (e.g. bitbucket.org) or some self hosted git service of the user (e.g. internal_foo_bar.com). That is the reason why I chose GenericGitService as it would still be correct regardless of the type of git service the user is providing.
If we want to explicitly indicate that this git service entry should only be used for local repos, we can name it LocalReposGitService and update the documentation accordingly.
Please let me know what you think.

[tromai]

We had a related issue for supporting Bitbucket repos here, which cannot be detected even if they are provided as local repos: #332

Thanks for pointing it out. I have added it into PR #694 description.

Rename and modify the description of checks in Macaron to further reflects the changes (TBD)
Add a check called has_build_configs which relies only on the build tool detection and doesn't rely on git or CI service (TBD)

I think TBD was a bit too ambiguous here so I have updated it. I meant to say that we are going to address them in different issues. Thanks!