fix: accept from-provenance repos as scm authentic #1131

Open: wants to merge 4 commits into base: main

Conversation

benmss (Member) commented Jul 22, 2025

Summary

This PR updates the SCM Authenticity check to allow acceptance of repository URLs found from provenance as being authentic.

Description of changes

The check is changed to allow non-Maven PURLs if they have provenance information with a from-repository URL. There are small changes compared to the Maven-only implementation: the verification is automatically set to passed; the build tool is selected as either the first available, or set to unknown.

Related issues

Closes #1128
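To make the decision described above concrete, here is an added, self-contained model of the check. It is not Macaron's code: only the names RepositoryVerificationResult, Confidence.MEDIUM and the reason string "From provenance" come from this page; the Status and Confidence values, the Provenance shape, the URL normalization and the Maven comparison against a POM scm URL are assumptions made for illustration. The provenance path accepts any PURL type once the analysed repository is the one named in the provenance, sets the status to passed, and takes the first build tool named in the provenance or "unknown".

```python
"""Hypothetical model of an SCM authenticity check with a provenance path.

Added example, not Macaron's implementation. Names that appear on the PR page:
RepositoryVerificationResult, Confidence.MEDIUM, reason "From provenance".
Everything else (enum values, Provenance shape, normalization) is assumed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
from urllib.parse import urlparse


class Status(Enum):  # assumed values
    PASSED = "passed"
    FAILED = "failed"
    UNKNOWN = "unknown"


class Confidence(Enum):  # assumed numeric weights
    HIGH = 1.0
    MEDIUM = 0.7
    LOW = 0.4


@dataclass
class Provenance:
    """Constructed stand-in for a build provenance: the repository the build
    attests to, plus the build tools it names (possibly none)."""
    from_repository_url: Optional[str]
    build_tools: list[str] = field(default_factory=list)


@dataclass
class RepositoryVerificationResult:
    status: Status
    build_tool: str
    confidence: Confidence
    reason: str


def normalize_repo_url(url: str) -> str:
    """Canonical 'host/path' so 'https://github.com/o/r.git/' and
    'git+ssh://git@github.com/o/r' compare equal (assumed normalization;
    scp-style 'git@host:o/r' is deliberately not handled here)."""
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    path = parsed.path.rstrip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return f"{host}{path.lower()}"


def purl_type(purl: str) -> str:
    """'pkg:maven/g/a@1.0' -> 'maven': the PURL type is the first path segment."""
    body = purl[len("pkg:"):] if purl.startswith("pkg:") else purl
    return body.split("/", 1)[0].lower()


def verify_scm_authenticity(
    purl: str,
    repo_url: str,
    provenance: Optional[Provenance] = None,
    pom_scm_url: Optional[str] = None,
) -> RepositoryVerificationResult:
    # Provenance path, for any PURL type: the repository was found from the
    # build's own attestation, so it is accepted as authentic. Status is set to
    # passed; build tool is the first one named in the provenance, else unknown.
    if provenance is not None and provenance.from_repository_url:
        if normalize_repo_url(provenance.from_repository_url) == normalize_repo_url(repo_url):
            build_tool = provenance.build_tools[0] if provenance.build_tools else "unknown"
            return RepositoryVerificationResult(
                Status.PASSED, build_tool, Confidence.MEDIUM, "From provenance"
            )

    # Maven-only inference path (assumed shape): compare the <scm> URL declared
    # in the POM with the analysed repository.
    if purl_type(purl) == "maven" and pom_scm_url:
        if normalize_repo_url(pom_scm_url) == normalize_repo_url(repo_url):
            return RepositoryVerificationResult(
                Status.PASSED, "maven", Confidence.MEDIUM, "POM scm URL matches repository"
            )
        return RepositoryVerificationResult(
            Status.FAILED, "maven", Confidence.MEDIUM, "POM scm URL does not match repository"
        )

    # Nothing to verify against: neither provenance nor Maven metadata.
    return RepositoryVerificationResult(
        Status.UNKNOWN, "unknown", Confidence.LOW, "No provenance and no Maven metadata"
    )


if __name__ == "__main__":
    # Constructed sample: an npm package whose provenance names the analysed repository.
    prov = Provenance("https://github.com/example-org/left-pad.git", ["npm"])
    print(verify_scm_authenticity("pkg:npm/left-pad@1.3.0",
                                  "https://github.com/example-org/left-pad", prov))
```

The normalization step is what keeps the provenance path from failing on cosmetic differences (a `.git` suffix, a trailing slash, scheme or host case), while a provenance that attests to a different repository falls through to the non-provenance paths instead of being accepted.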

@benmss benmss added this to the Release version 0.17.0 milestone Jul 22, 2025
@benmss benmss self-assigned this Jul 22, 2025
@benmss benmss added the bug Something isn't working label Jul 22, 2025
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Jul 22, 2025
@benmss benmss marked this pull request as ready for review July 22, 2025 06:44
@benmss benmss requested review from behnazh-w and tromai as code owners July 22, 2025 06:44
behnazh-w (Member) left a comment

Can you please pick an integration test that generates a provenance and make sure the scm authenticity passes?

Also, the description of the check on the index.rst needs to be adjusted.

@benmss benmss force-pushed the 1128-fix-scm-authenticity branch from b36d0b3 to b144f9c Compare July 23, 2025 06:08
@behnazh-w behnazh-w self-requested a review July 23, 2025 07:11
status=verification_result.status.value,
build_tool=verification_result.build_tool.name,
confidence=Confidence.MEDIUM,
reason="From provenance",
Member commented on the lines above:

Why not use the RepositoryVerificationResult, to be consistent with the implementation for inference?

Linked issue: SCM Authenticity check should accept repositories found in provenance
2 participants