diff --git a/scripts/dev_scripts/integration_tests.sh b/scripts/dev_scripts/integration_tests.sh
index 789f5eb34..86ca2e5ef 100755
--- a/scripts/dev_scripts/integration_tests.sh
+++ b/scripts/dev_scripts/integration_tests.sh
@@ -202,7 +202,7 @@ echo "apache/maven: Analyzing with PURL and repository path without dependency r
 echo -e "----------------------------------------------------------------------------------\n"
 JSON_EXPECTED=$WORKSPACE/tests/e2e/expected_results/purl/maven/maven.json
 JSON_RESULT=$WORKSPACE/output/reports/maven/apache/maven/maven.json
-$RUN_MACARON analyze -purl pkg:maven/apache/maven -rp https://github.com/apache/maven -b master -d 6767f2500f1d005924ccff27f04350c253858a84 --skip-deps || log_fail
+$RUN_MACARON analyze -purl pkg:maven/apache/maven -rp https://github.com/apache/maven -b master -d 3fc399318edef0d5ba593723a24fff64291d6f9b --skip-deps || log_fail
 check_or_update_expected_output $COMPARE_JSON_OUT $JSON_RESULT $JSON_EXPECTED || log_fail
@@ -213,7 +213,7 @@ JSON_EXPECTED=$WORKSPACE/tests/e2e/expected_results/maven/maven.json
 JSON_RESULT=$WORKSPACE/output/reports/github_com/apache/maven/maven.json
 DEP_EXPECTED=$WORKSPACE/tests/dependency_analyzer/expected_results/cyclonedx_apache_maven.json
 DEP_RESULT=$WORKSPACE/output/reports/github_com/apache/maven/dependencies.json
-$RUN_MACARON analyze -rp https://github.com/apache/maven -b master -d 6767f2500f1d005924ccff27f04350c253858a84 || log_fail
+$RUN_MACARON analyze -rp https://github.com/apache/maven -b master -d 3fc399318edef0d5ba593723a24fff64291d6f9b || log_fail
 check_or_update_expected_output $COMPARE_DEPS $DEP_RESULT $DEP_EXPECTED || log_fail
@@ -226,7 +226,7 @@ SBOM_FILE=$WORKSPACE/tests/dependency_analyzer/cyclonedx/resources/apache_maven_
 DEP_EXPECTED=$WORKSPACE/tests/dependency_analyzer/expected_results/apache_maven_with_sbom_provided.json
 DEP_RESULT=$WORKSPACE/output/reports/github_com/apache/maven/dependencies.json
-$RUN_MACARON analyze -rp https://github.com/apache/maven -b master -d 6767f2500f1d005924ccff27f04350c253858a84 -sbom "$SBOM_FILE" || log_fail
+$RUN_MACARON analyze -rp https://github.com/apache/maven -b master -d 3fc399318edef0d5ba593723a24fff64291d6f9b -sbom "$SBOM_FILE" || log_fail
 check_or_update_expected_output $COMPARE_DEPS $DEP_RESULT $DEP_EXPECTED || log_fail
@@ -350,7 +350,7 @@ echo "Test using the default template file."
 echo -e "----------------------------------------------------------------------------------\n"
 JSON_EXPECTED=$WORKSPACE/tests/e2e/expected_results/maven/maven.json
 JSON_RESULT=$WORKSPACE/output/reports/github_com/apache/maven/maven.json
-$RUN_MACARON analyze -rp https://github.com/apache/maven --skip-deps -b master -d 6767f2500f1d005924ccff27f04350c253858a84 -g $WORKSPACE/src/macaron/output_reporter/templates/macaron.html || log_fail
+$RUN_MACARON analyze -rp https://github.com/apache/maven --skip-deps -b master -d 3fc399318edef0d5ba593723a24fff64291d6f9b -g $WORKSPACE/src/macaron/output_reporter/templates/macaron.html || log_fail
 check_or_update_expected_output $COMPARE_JSON_OUT $JSON_RESULT $JSON_EXPECTED || log_fail
@@ -399,7 +399,7 @@ JSON_EXPECTED=$WORKSPACE/tests/e2e/expected_results/maven/maven.json
 JSON_RESULT=$WORKSPACE/output/reports/github_com/apache/maven/maven.json
 DEP_EXPECTED=$WORKSPACE/tests/dependency_analyzer/expected_results/cyclonedx_apache_maven.json
 DEP_RESULT=$WORKSPACE/output/reports/github_com/apache/maven/dependencies.json
-$RUN_MACARON -lr $WORKSPACE/output/git_repos/github_com analyze -rp apache/maven -b master -d 6767f2500f1d005924ccff27f04350c253858a84 || log_fail
+$RUN_MACARON -lr $WORKSPACE/output/git_repos/github_com analyze -rp apache/maven -b master -d 3fc399318edef0d5ba593723a24fff64291d6f9b || log_fail
 check_or_update_expected_output $COMPARE_DEPS $DEP_RESULT $DEP_EXPECTED || log_fail
 check_or_update_expected_output $COMPARE_JSON_OUT $JSON_RESULT $JSON_EXPECTED || log_fail
@@ -435,7 +435,7 @@ declare -a COMPARE_FILES=(
 "mockito.json"
 )
-$RUN_MACARON -lr $WORKSPACE/output/git_repos/github_com/ analyze -rp apache/maven -b master -d 6767f2500f1d005924ccff27f04350c253858a84 --skip-deps || log_fail
+$RUN_MACARON -lr $WORKSPACE/output/git_repos/github_com/ analyze -rp apache/maven -b master -d 3fc399318edef0d5ba593723a24fff64291d6f9b --skip-deps || log_fail
 for i in "${COMPARE_FILES[@]}"
 do
 check_or_update_expected_output $COMPARE_JSON_OUT $JSON_RESULT_DIR/$i $JSON_EXPECT_DIR/$i || log_fail
@@ -451,7 +451,7 @@ git clone $WORKSPACE/output/git_repos/github_com/apache/maven $WORKSPACE/output/
 JSON_EXPECTED=$WORKSPACE/output/reports/local_repos/maven/maven.json
 HTML_EXPECTED=$WORKSPACE/output/reports/local_repos/maven/maven.html
-$RUN_MACARON -lr $WORKSPACE/output/git_repos/local_repos/ analyze -rp test_repo -b master -d 6767f2500f1d005924ccff27f04350c253858a84 --skip-deps || log_fail
+$RUN_MACARON -lr $WORKSPACE/output/git_repos/local_repos/ analyze -rp test_repo -b master -d 3fc399318edef0d5ba593723a24fff64291d6f9b --skip-deps || log_fail
 # We don't compare the report content because the remote_path fields in the reports are undeterministic when running
 # this test locally and running it in the GitHub Actions runner. We only check if the reports are generated as
diff --git a/scripts/dev_scripts/integration_tests_docker.sh b/scripts/dev_scripts/integration_tests_docker.sh
index 9b01db797..53e0b5207 100755
--- a/scripts/dev_scripts/integration_tests_docker.sh
+++ b/scripts/dev_scripts/integration_tests_docker.sh
@@ -58,7 +58,7 @@ echo -e "-----------------------------------------------------------------------
 JSON_RESULT=$WORKSPACE/output/reports/github_com/apache/maven/maven.json
 JSON_EXPECTED=$WORKSPACE/tests/e2e/expected_results/maven/maven.json
-$RUN_MACARON_SCRIPT -lr $WORKSPACE/output/git_repos/github_com analyze -r apache/maven -b master -d 6767f2500f1d005924ccff27f04350c253858a84 --skip-deps || log_fail
+$RUN_MACARON_SCRIPT -lr $WORKSPACE/output/git_repos/github_com analyze -r apache/maven -b master -d 3fc399318edef0d5ba593723a24fff64291d6f9b --skip-deps || log_fail
 python $COMPARE_JSON_OUT $JSON_RESULT $JSON_EXPECTED || log_fail
 echo -e "\n----------------------------------------------------------------------------------"
@@ -87,7 +87,7 @@ SBOM_FILE=$WORKSPACE/tests/dependency_analyzer/cyclonedx/resources/apache_maven_
 DEP_EXPECTED=$WORKSPACE/tests/dependency_analyzer/expected_results/apache_maven_with_sbom_provided.json
 DEP_RESULT=$WORKSPACE/output/reports/github_com/apache/maven/dependencies.json
-$RUN_MACARON_SCRIPT analyze -rp https://github.com/apache/maven -b master -d 6767f2500f1d005924ccff27f04350c253858a84 -sbom $SBOM_FILE || log_fail
+$RUN_MACARON_SCRIPT analyze -rp https://github.com/apache/maven -b master -d 3fc399318edef0d5ba593723a24fff64291d6f9b -sbom $SBOM_FILE || log_fail
 python $COMPARE_DEPS $DEP_RESULT $DEP_EXPECTED || log_fail
@@ -96,7 +96,7 @@ echo "apache/maven: Analyzing with PURL and repository path without dependency r
 echo -e "----------------------------------------------------------------------------------\n"
 JSON_EXPECTED=$WORKSPACE/tests/e2e/expected_results/purl/maven/maven.json
 JSON_RESULT=$WORKSPACE/output/reports/maven/apache/maven/maven.json
-$RUN_MACARON_SCRIPT analyze -purl pkg:maven/apache/maven -rp https://github.com/apache/maven -b master -d 6767f2500f1d005924ccff27f04350c253858a84 --skip-deps || log_fail
+$RUN_MACARON_SCRIPT analyze -purl pkg:maven/apache/maven -rp https://github.com/apache/maven -b master -d 3fc399318edef0d5ba593723a24fff64291d6f9b --skip-deps || log_fail
 python $COMPARE_JSON_OUT $JSON_RESULT $JSON_EXPECTED || log_fail
diff --git a/src/macaron/dependency_analyzer/cyclonedx.py b/src/macaron/dependency_analyzer/cyclonedx.py
index d3ff258ff..11be87b46 100644
--- a/src/macaron/dependency_analyzer/cyclonedx.py
+++ b/src/macaron/dependency_analyzer/cyclonedx.py
@@ -47,7 +47,7 @@ def deserialize_bom_json(file_path: Path) -> dict:
 # TODO: use the official CycloneDX library to validate and deserialize BOM files
 # once merged: https://github.com/CycloneDX/cyclonedx-python-lib/pull/290
 if not os.path.exists(file_path):
- raise CycloneDXParserError(f"Unable to locate the BOM file: {str(file_path)}.")
+ raise CycloneDXParserError(f"Unable to locate any BOM files at: {str(file_path.parent)}.")
 with open(file_path, encoding="utf8") as file:
 try:
diff --git a/src/macaron/dependency_analyzer/cyclonedx_mvn.py b/src/macaron/dependency_analyzer/cyclonedx_mvn.py
index cfd195746..6dacb6201 100644
--- a/src/macaron/dependency_analyzer/cyclonedx_mvn.py
+++ b/src/macaron/dependency_analyzer/cyclonedx_mvn.py
@@ -52,6 +52,13 @@ def get_cmd(self) -> list:
 def collect_dependencies(self, dir_path: str) -> dict[str, DependencyInfo]:
 """Process the dependency JSON files and collect direct dependencies.
+ We allow the dependency JSON files to be accepted as long as there is only one JSON file in the target
+ directory. If a file with the expected name is found, it is accepted, otherwise any lone file is accepted
+ instead. This is because projects can be configured to produce a custom named SBOM, which cannot be
+ overridden if included at the parent POM level. The presence of multiple JSON files within a target directory
+ differs too greatly from the expectations of the plugin's output. It is for this reason that an error is
+ thrown in such cases.
+
 Parameters
 ----------
 dir_path : str
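Review bot: The rewritten message in `deserialize_bom_json` drops the file name that was looked for, so when this function is reached with a caller-chosen path (presumably including the `-sbom` argument exercised by the integration scripts on this page) the error now names only the parent directory, and `str()` inside an f-string is redundant. Keeping both pieces of information costs nothing: `raise CycloneDXParserError(f"Unable to locate the BOM file {file_path.name} or any other BOM file at: {file_path.parent}.")`. The body of `deserialize_bom_json` continues outside the hunk.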
@@ -64,14 +71,36 @@ def collect_dependencies(self, dir_path: str) -> dict[str, DependencyInfo]:
 """
 # Load the top level file separately as it has different content.
 top_path = Path(os.path.join(dir_path, "target", self.file_name))
+ top_path_altered = False
+ if not os.path.exists(top_path):
+ # Check for other JSON files.
+ possible_paths = glob.glob(os.path.join(dir_path, "target", "*.json"))
+ if not possible_paths:
+ logger.debug("No JSON files found in target directory.")
+ return {}
+ if len(possible_paths) > 1:
+ logger.debug("Too many JSON SBOM files found. Expected: 1, Found: %s", len(possible_paths))
+ return {}
+ top_path = Path(possible_paths[0])
+ top_path_altered = True
 # Collect all the dependency files recursively.
 child_paths = [
 Path(path)
- for path in glob.glob(os.path.join(dir_path, "**", "target", self.file_name), recursive=True)
+ for path in glob.glob(
+ os.path.join(dir_path, "**", "target", "*.json" if top_path_altered else self.file_name), recursive=True
+ )
 if Path(path) != top_path
 ]
+ # Ensure recursively found SBOMs are at most one per directory.
+ child_sbom_dir_names = set()
+ for path in child_paths:
+ child_sbom_dir_names.add(path.parent)
+ if len(child_sbom_dir_names) != len(child_paths):
+ logger.debug("Only one JSON SBOM file is permitted per child directory.")
+ return {}
+
 # Check if the root BOM has been analyzed before as a child BOM.
 self.visited_deps.update(child_paths)
 if top_path in self.visited_deps:
diff --git a/tests/dependency_analyzer/configurations/maven_config.yaml b/tests/dependency_analyzer/configurations/maven_config.yaml
index 19577c482..ec0c271b7 100644
--- a/tests/dependency_analyzer/configurations/maven_config.yaml
+++ b/tests/dependency_analyzer/configurations/maven_config.yaml
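Review bot: The three early-return paths added to `collect_dependencies` (no JSON file, more than one JSON file in `target/`, more than one per child directory) return `{}` after a `logger.debug(...)`, so a build whose `target/` happens to contain a second JSON file silently loses its entire dependency analysis at a log level that is normally off, while the docstring added in the previous hunk states that an error is thrown in such cases, which the code does not do. Raising these to `logger.warning` and naming the directory, e.g. `logger.warning("Too many JSON SBOM files found in %s. Expected: 1, Found: %s", os.path.join(dir_path, "target"), len(possible_paths))`, makes the empty result explainable, and the docstring should say the result is empty rather than that an error is raised. The fallback that replaces `top_path` with the lone `*.json` also deserves a record of which file was taken, e.g. `logger.info("Expected SBOM %s not found; using %s instead.", self.file_name, top_path)`, because from that point on a JSON file of unknown origin in the build output is treated as the SBOM and the report should make that traceable. `collect_dependencies` continues past the end of the hunk.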
@@ -1,8 +1,8 @@
-# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 target:
 id: apache/maven
 branch: master
- digest: 6767f2500f1d005924ccff27f04350c253858a84
+ digest: 3fc399318edef0d5ba593723a24fff64291d6f9b
 path: https://github.com/apache/maven.git
diff --git a/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/multiple_named_sboms/target/custom_bom.json b/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/multiple_named_sboms/target/custom_bom.json
new file mode 100644
index 000000000..2c63c0851
--- /dev/null
+++ b/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/multiple_named_sboms/target/custom_bom.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/multiple_named_sboms/target/custom_bom_2.json b/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/multiple_named_sboms/target/custom_bom_2.json
new file mode 100644
index 000000000..2c63c0851
--- /dev/null
+++ b/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/multiple_named_sboms/target/custom_bom_2.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom/target/custom_bom.json b/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom/target/custom_bom.json
new file mode 100644
index 000000000..7bb4a30c2
--- /dev/null
+++ b/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom/target/custom_bom.json
@@ -0,0 +1,116 @@ +{ + "bomFormat" : "CycloneDX", + "specVersion" : "1.4", + "serialNumber" : "urn:uuid:53576e41-735f-4da4-9249-7f63234ebd94", + "version" : 1, + "metadata" : { + "timestamp" : "2023-10-23T00:57:55Z", + "tools" : [ + { + "vendor" : "OWASP Foundation", + "name" : "CycloneDX Maven plugin", + "version" : "2.6.2", + "hashes" : [ + { + "alg" : "MD5", + "content" : "ff29fc50797fce0b33058a6b2b283f64" + }, + { + "alg" : "SHA-1", + "content" : "597e59ebf21c3b8bfb1faeb622569df324eca956" + }, + { + "alg" : "SHA-256", + "content" : "3cf9130fcac45a7beb6df2ae9c3fc9c062d1fddd0731d6a302968586f0aa586e" + }, + { + "alg" : "SHA-384", + "content" : "8111a6788c959305af23daecbc79defd4478c1e274cba65bfe860e09b30cd9fe29822d5d3d3eea608e4926a9418f92e3" + }, + { + "alg" : "SHA-512", + "content" : "2bea87b7bcd70897bf46a28a806b6064a6708d0a45e884e1ceddc25f97ca7bdf4ed190f30d9a28cc9416b6c66176d518c5876fd25bc06bdcb00d39367215e56e" + }, + { + "alg" : "SHA3-256", + "content" : "f0f7b771749955e7898665c2fff8f4f2cd734d9cbe4d29883292db772f1be00e" + }, + { + "alg" : "SHA3-384", + "content" : "a87d4c18bac4d48a46c0b8611ab92934e457fcd55bd4d39dbc9c4e5044d2736d3bda991c43d67b0987eddcf4c88510ff" + }, + { + "alg" : "SHA3-512", + "content" : "90c38f168600787fc90b7e37e743b386b7296bceb10152190de6e30e0f251da3e01698d1b1e11ad84f207532b5a0743aac105f3c5006ff4607d21f30c9ea779f" + } + ] + } + ], + "component" : { + "group" : "com.example", + "name" : "cyclonedx-test", + "version" : "1.0-SNAPSHOT", + "licenses" : [ ], + "purl" : "pkg:maven/com.example/cyclonedx-test@1.0-SNAPSHOT?type=jar", + "type" : "library", + "bom-ref" : "pkg:maven/com.example/cyclonedx-test@1.0-SNAPSHOT?type=jar" + } + }, + "components" : [ + { + "group" : "com.example", + "name" : "cyclonedx-test-dep", + "version" : "1", + "scope" : "optional", + "hashes" : [ + { + "alg" : "MD5", + "content" : "c7b63da4c25c163825cca671e7899fbe" + }, + { + "alg" : "SHA-1", + "content" : "5aa25ee1bf1ffd60b76f16fe0a8edd76f870958c" + }, + { + "alg" : 
"SHA-256", + "content" : "c38cef49f7676227c1d4cf98e59b96f7a6bf33704d10314d83d682acd2b47d10" + }, + { + "alg" : "SHA-384", + "content" : "7afa5feaa7d3a4ca4ecba7d4bd1b093e75be2ee2a25eefbc5fd90eb8b9a4712fa1a720265765a28d858fc64412dbed2b" + }, + { + "alg" : "SHA-512", + "content" : "bf69097c4c0d165e5521a918ee79c1e5e211e9e74410d48042994c4c6cf5788cf4d62129e7c0d7a22294835178398c91c31929ce6861068c71ea14059f6f6e56" + }, + { + "alg" : "SHA3-256", + "content" : "ba7656644f127c4b10d53c777aee2ed023ac3caf7f420ecb4ca48a909d775a17" + }, + { + "alg" : "SHA3-384", + "content" : "1244f326a9b0b165b27b0061f1fcdf2580e3b64681cc3f09df3afd9a4526ab5491a20213a8fb9edcc671fbae8b51a010" + }, + { + "alg" : "SHA3-512", + "content" : "e6020e5b9adbe61f1c53e575ab0c51b9eef7dbea3dbe21f970607002ed0373b322c893433fd429b04acde5eb58e1d9ca356a0ae9b6c485d239174f642082cb7a" + } + ], + "purl" : "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar", + "type" : "library", + "bom-ref" : "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar" + } + ], + "dependencies" : [ + { + "ref" : "pkg:maven/com.example/cyclonedx-test@1.0-SNAPSHOT?type=jar", + "dependsOn" : [ + "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar" + ] + }, + { + "ref" : "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar", + "dependsOn" : [ ] + } + ] +} diff --git a/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom_with_children/target/custom_bom.json b/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom_with_children/target/custom_bom.json new file mode 100644 index 000000000..7bb4a30c2 --- /dev/null +++ b/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom_with_children/target/custom_bom.json 
@@ -0,0 +1,116 @@ +{ + "bomFormat" : "CycloneDX", + "specVersion" : "1.4", + "serialNumber" : "urn:uuid:53576e41-735f-4da4-9249-7f63234ebd94", + "version" : 1, + "metadata" : { + "timestamp" : "2023-10-23T00:57:55Z", + "tools" : [ + { + "vendor" : "OWASP Foundation", + "name" : "CycloneDX Maven plugin", + "version" : "2.6.2", + "hashes" : [ + { + "alg" : "MD5", + "content" : "ff29fc50797fce0b33058a6b2b283f64" + }, + { + "alg" : "SHA-1", + "content" : "597e59ebf21c3b8bfb1faeb622569df324eca956" + }, + { + "alg" : "SHA-256", + "content" : "3cf9130fcac45a7beb6df2ae9c3fc9c062d1fddd0731d6a302968586f0aa586e" + }, + { + "alg" : "SHA-384", + "content" : "8111a6788c959305af23daecbc79defd4478c1e274cba65bfe860e09b30cd9fe29822d5d3d3eea608e4926a9418f92e3" + }, + { + "alg" : "SHA-512", + "content" : "2bea87b7bcd70897bf46a28a806b6064a6708d0a45e884e1ceddc25f97ca7bdf4ed190f30d9a28cc9416b6c66176d518c5876fd25bc06bdcb00d39367215e56e" + }, + { + "alg" : "SHA3-256", + "content" : "f0f7b771749955e7898665c2fff8f4f2cd734d9cbe4d29883292db772f1be00e" + }, + { + "alg" : "SHA3-384", + "content" : "a87d4c18bac4d48a46c0b8611ab92934e457fcd55bd4d39dbc9c4e5044d2736d3bda991c43d67b0987eddcf4c88510ff" + }, + { + "alg" : "SHA3-512", + "content" : "90c38f168600787fc90b7e37e743b386b7296bceb10152190de6e30e0f251da3e01698d1b1e11ad84f207532b5a0743aac105f3c5006ff4607d21f30c9ea779f" + } + ] + } + ], + "component" : { + "group" : "com.example", + "name" : "cyclonedx-test", + "version" : "1.0-SNAPSHOT", + "licenses" : [ ], + "purl" : "pkg:maven/com.example/cyclonedx-test@1.0-SNAPSHOT?type=jar", + "type" : "library", + "bom-ref" : "pkg:maven/com.example/cyclonedx-test@1.0-SNAPSHOT?type=jar" + } + }, + "components" : [ + { + "group" : "com.example", + "name" : "cyclonedx-test-dep", + "version" : "1", + "scope" : "optional", + "hashes" : [ + { + "alg" : "MD5", + "content" : "c7b63da4c25c163825cca671e7899fbe" + }, + { + "alg" : "SHA-1", + "content" : "5aa25ee1bf1ffd60b76f16fe0a8edd76f870958c" + }, + { + "alg" : 
"SHA-256", + "content" : "c38cef49f7676227c1d4cf98e59b96f7a6bf33704d10314d83d682acd2b47d10" + }, + { + "alg" : "SHA-384", + "content" : "7afa5feaa7d3a4ca4ecba7d4bd1b093e75be2ee2a25eefbc5fd90eb8b9a4712fa1a720265765a28d858fc64412dbed2b" + }, + { + "alg" : "SHA-512", + "content" : "bf69097c4c0d165e5521a918ee79c1e5e211e9e74410d48042994c4c6cf5788cf4d62129e7c0d7a22294835178398c91c31929ce6861068c71ea14059f6f6e56" + }, + { + "alg" : "SHA3-256", + "content" : "ba7656644f127c4b10d53c777aee2ed023ac3caf7f420ecb4ca48a909d775a17" + }, + { + "alg" : "SHA3-384", + "content" : "1244f326a9b0b165b27b0061f1fcdf2580e3b64681cc3f09df3afd9a4526ab5491a20213a8fb9edcc671fbae8b51a010" + }, + { + "alg" : "SHA3-512", + "content" : "e6020e5b9adbe61f1c53e575ab0c51b9eef7dbea3dbe21f970607002ed0373b322c893433fd429b04acde5eb58e1d9ca356a0ae9b6c485d239174f642082cb7a" + } + ], + "purl" : "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar", + "type" : "library", + "bom-ref" : "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar" + } + ], + "dependencies" : [ + { + "ref" : "pkg:maven/com.example/cyclonedx-test@1.0-SNAPSHOT?type=jar", + "dependsOn" : [ + "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar" + ] + }, + { + "ref" : "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar", + "dependsOn" : [ ] + } + ] +} diff --git a/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom_with_children/target/target/custom_bom.json b/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom_with_children/target/target/custom_bom.json new file mode 100644 index 000000000..7bb4a30c2 --- /dev/null +++ b/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom_with_children/target/target/custom_bom.json 
@@ -0,0 +1,116 @@ +{ + "bomFormat" : "CycloneDX", + "specVersion" : "1.4", + "serialNumber" : "urn:uuid:53576e41-735f-4da4-9249-7f63234ebd94", + "version" : 1, + "metadata" : { + "timestamp" : "2023-10-23T00:57:55Z", + "tools" : [ + { + "vendor" : "OWASP Foundation", + "name" : "CycloneDX Maven plugin", + "version" : "2.6.2", + "hashes" : [ + { + "alg" : "MD5", + "content" : "ff29fc50797fce0b33058a6b2b283f64" + }, + { + "alg" : "SHA-1", + "content" : "597e59ebf21c3b8bfb1faeb622569df324eca956" + }, + { + "alg" : "SHA-256", + "content" : "3cf9130fcac45a7beb6df2ae9c3fc9c062d1fddd0731d6a302968586f0aa586e" + }, + { + "alg" : "SHA-384", + "content" : "8111a6788c959305af23daecbc79defd4478c1e274cba65bfe860e09b30cd9fe29822d5d3d3eea608e4926a9418f92e3" + }, + { + "alg" : "SHA-512", + "content" : "2bea87b7bcd70897bf46a28a806b6064a6708d0a45e884e1ceddc25f97ca7bdf4ed190f30d9a28cc9416b6c66176d518c5876fd25bc06bdcb00d39367215e56e" + }, + { + "alg" : "SHA3-256", + "content" : "f0f7b771749955e7898665c2fff8f4f2cd734d9cbe4d29883292db772f1be00e" + }, + { + "alg" : "SHA3-384", + "content" : "a87d4c18bac4d48a46c0b8611ab92934e457fcd55bd4d39dbc9c4e5044d2736d3bda991c43d67b0987eddcf4c88510ff" + }, + { + "alg" : "SHA3-512", + "content" : "90c38f168600787fc90b7e37e743b386b7296bceb10152190de6e30e0f251da3e01698d1b1e11ad84f207532b5a0743aac105f3c5006ff4607d21f30c9ea779f" + } + ] + } + ], + "component" : { + "group" : "com.example", + "name" : "cyclonedx-test", + "version" : "1.0-SNAPSHOT", + "licenses" : [ ], + "purl" : "pkg:maven/com.example/cyclonedx-test@1.0-SNAPSHOT?type=jar", + "type" : "library", + "bom-ref" : "pkg:maven/com.example/cyclonedx-test@1.0-SNAPSHOT?type=jar" + } + }, + "components" : [ + { + "group" : "com.example", + "name" : "cyclonedx-test-dep", + "version" : "1", + "scope" : "optional", + "hashes" : [ + { + "alg" : "MD5", + "content" : "c7b63da4c25c163825cca671e7899fbe" + }, + { + "alg" : "SHA-1", + "content" : "5aa25ee1bf1ffd60b76f16fe0a8edd76f870958c" + }, + { + "alg" : 
"SHA-256", + "content" : "c38cef49f7676227c1d4cf98e59b96f7a6bf33704d10314d83d682acd2b47d10" + }, + { + "alg" : "SHA-384", + "content" : "7afa5feaa7d3a4ca4ecba7d4bd1b093e75be2ee2a25eefbc5fd90eb8b9a4712fa1a720265765a28d858fc64412dbed2b" + }, + { + "alg" : "SHA-512", + "content" : "bf69097c4c0d165e5521a918ee79c1e5e211e9e74410d48042994c4c6cf5788cf4d62129e7c0d7a22294835178398c91c31929ce6861068c71ea14059f6f6e56" + }, + { + "alg" : "SHA3-256", + "content" : "ba7656644f127c4b10d53c777aee2ed023ac3caf7f420ecb4ca48a909d775a17" + }, + { + "alg" : "SHA3-384", + "content" : "1244f326a9b0b165b27b0061f1fcdf2580e3b64681cc3f09df3afd9a4526ab5491a20213a8fb9edcc671fbae8b51a010" + }, + { + "alg" : "SHA3-512", + "content" : "e6020e5b9adbe61f1c53e575ab0c51b9eef7dbea3dbe21f970607002ed0373b322c893433fd429b04acde5eb58e1d9ca356a0ae9b6c485d239174f642082cb7a" + } + ], + "purl" : "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar", + "type" : "library", + "bom-ref" : "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar" + } + ], + "dependencies" : [ + { + "ref" : "pkg:maven/com.example/cyclonedx-test@1.0-SNAPSHOT?type=jar", + "dependsOn" : [ + "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar" + ] + }, + { + "ref" : "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar", + "dependsOn" : [ ] + } + ] +} diff --git a/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom_with_multiple_children/target/custom_bom.json b/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom_with_multiple_children/target/custom_bom.json new file mode 100644 index 000000000..2c63c0851 --- /dev/null +++ b/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom_with_multiple_children/target/custom_bom.json @@ -0,0 +1,2 @@ +{ +} 
diff --git a/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom_with_multiple_children/target/target/custom_bom.json b/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom_with_multiple_children/target/target/custom_bom.json
new file mode 100644
index 000000000..2c63c0851
--- /dev/null
+++ b/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom_with_multiple_children/target/target/custom_bom.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom_with_multiple_children/target/target/custom_bom_2.json b/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom_with_multiple_children/target/target/custom_bom_2.json
new file mode 100644
index 000000000..2c63c0851
--- /dev/null
+++ b/tests/dependency_analyzer/cyclonedx/resources/sbom_name_tests/single_named_sbom_with_multiple_children/target/target/custom_bom_2.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/tests/dependency_analyzer/cyclonedx/test_cyclonedx.py b/tests/dependency_analyzer/cyclonedx/test_cyclonedx.py
index d7baf180e..e05e24307 100644
--- a/tests/dependency_analyzer/cyclonedx/test_cyclonedx.py
+++ b/tests/dependency_analyzer/cyclonedx/test_cyclonedx.py
@@ -15,6 +15,7 @@
 get_dep_components,
 get_deps_from_sbom,
 )
+from macaron.dependency_analyzer.cyclonedx_mvn import CycloneDxMaven
 from macaron.dependency_analyzer.dependency_resolver import DependencyInfo
 RESOURCES_DIR = Path(__file__).parent.joinpath("resources")
@@ -106,3 +107,15 @@ def test_multiple_versions(snapshot: dict[str, DependencyInfo]) -> None:
 bom_path = Path(RESOURCES_DIR, "bom_multi_versions.json")
 result = get_deps_from_sbom(bom_path)
 assert snapshot == result
+
+
+def test_custom_sbom_name_with_maven() -> None:
+ """Test reading cyclonedx maven sbom that was created using a custom name."""
+ cyclonedx: CycloneDxMaven = CycloneDxMaven(
+ "", "bom.json", "", defaults.get("dependency.resolver", "dep_tool_maven"), ""
+ )
+ custom_bom_dir = RESOURCES_DIR.joinpath("sbom_name_tests")
+ assert cyclonedx.collect_dependencies(str(custom_bom_dir.joinpath("single_named_sbom")))
+ assert cyclonedx.collect_dependencies(str(custom_bom_dir.joinpath("single_named_sbom_with_children")))
+ assert not cyclonedx.collect_dependencies(str(custom_bom_dir.joinpath("single_named_sbom_with_multiple_children")))
+ assert not cyclonedx.collect_dependencies(str(custom_bom_dir.joinpath("multiple_named_sboms")))
diff --git a/tests/dependency_analyzer/expected_results/cyclonedx_apache_maven.json b/tests/dependency_analyzer/expected_results/cyclonedx_apache_maven.json
index 6e228010d..78b36cb55 100644
--- a/tests/dependency_analyzer/expected_results/cyclonedx_apache_maven.json
+++ b/tests/dependency_analyzer/expected_results/cyclonedx_apache_maven.json
@@ -1,7 +1,7 @@
 [
 {
- "id": "org.junit.jupiter:junit-jupiter-engine",
- "purl": "pkg:maven/org.junit.jupiter/junit-jupiter-engine@5.8.1?type=jar",
+ "id": "org.junit.jupiter:junit-jupiter-api",
+ "purl": "pkg:maven/org.junit.jupiter/junit-jupiter-api@5.10.0?type=jar",
 "path": "https://github.com/junit-team/junit5",
 "branch": "",
 "digest": "",
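Review bot: The four cases in `test_custom_sbom_name_with_maven` share one `CycloneDxMaven` instance, and `collect_dependencies` (hunk above) calls `self.visited_deps.update(child_paths)` with no reset visible, so the assertions are order-dependent and reordering them could change which paths are skipped as already visited. Constructing a fresh instance per case, or a small helper that builds one, isolates them. The two positive cases only assert truthiness; asserting on the returned dependency keys would confirm the custom-named file was actually parsed rather than merely found. A one-line comment on the constructor call explaining the positional arguments `"", "bom.json", "", ...` would also help, since their meaning is not visible here.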
@@ -19,52 +19,52 @@ }, { "id": "org.eclipse.sisu:org.eclipse.sisu.plexus", - "purl": "pkg:maven/org.eclipse.sisu/org.eclipse.sisu.plexus@0.3.5?type=jar", - "path": "", + "purl": "pkg:maven/org.eclipse.sisu/org.eclipse.sisu.plexus@0.9.0.M2?type=jar", + "path": "https://github.com/eclipse/sisu.plexus", "branch": "", "digest": "", - "note": "Manual configuration required. Could not find SCM URL.", - "available": "MISSING REPO URL" + "note": "", + "available": "AVAILABLE" }, { - "id": "org.codehaus.plexus:plexus-utils", - "purl": "pkg:maven/org.codehaus.plexus/plexus-utils@3.3.0?type=jar", - "path": "https://github.com/codehaus-plexus/plexus-utils", + "id": "commons-cli:commons-cli", + "purl": "pkg:maven/commons-cli/commons-cli@1.5.0?type=jar", + "path": "https://github.com/apache/maven-apache-parent", "branch": "", "digest": "", "note": "", "available": "AVAILABLE" }, { - "id": "org.codehaus.plexus:plexus-classworlds", - "purl": "pkg:maven/org.codehaus.plexus/plexus-classworlds@2.6.0?type=jar", - "path": "https://github.com/codehaus-plexus/plexus-classworlds", + "id": "org.apache.maven.wagon:wagon-http", + "purl": "pkg:maven/org.apache.maven.wagon/wagon-http@3.5.3?type=jar", + "path": "https://github.com/apache/maven-wagon", "branch": "", "digest": "", "note": "", "available": "AVAILABLE" }, { - "id": "org.slf4j:slf4j-api", - "purl": "pkg:maven/org.slf4j/slf4j-api@1.7.32?type=jar", - "path": "https://github.com/qos-ch/slf4j", + "id": "org.apache.maven.wagon:wagon-file", + "purl": "pkg:maven/org.apache.maven.wagon/wagon-file@3.5.3?type=jar", + "path": "https://github.com/apache/maven-wagon", "branch": "", "digest": "", "note": "", "available": "AVAILABLE" }, { - "id": "org.apache.maven.shared:maven-shared-utils", - "purl": "pkg:maven/org.apache.maven.shared/maven-shared-utils@3.3.4?type=jar", - "path": "https://github.com/apache/maven-shared-utils", + "id": "org.slf4j:jcl-over-slf4j", + "purl": "pkg:maven/org.slf4j/jcl-over-slf4j@1.7.36?type=jar", + "path": 
"https://github.com/qos-ch/slf4j", "branch": "", "digest": "", "note": "", "available": "AVAILABLE" }, { - "id": "org.apache.maven.resolver:maven-resolver-api", - "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-api@1.8.0?type=jar", + "id": "org.apache.maven.resolver:maven-resolver-connector-basic", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-connector-basic@1.9.16?type=jar", "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", 
@@ -72,44 +72,44 @@ "available": "AVAILABLE" }, { - "id": "org.apache.maven.resolver:maven-resolver-util", - "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-util@1.8.0?type=jar", + "id": "org.apache.maven.resolver:maven-resolver-transport-file", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-transport-file@1.9.16?type=jar", "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", - "note": "https://github.com/apache/maven-resolver is already analyzed.", - "available": "DUPLICATED REPO URL" + "note": "", + "available": "AVAILABLE" }, { - "id": "com.google.inject:guice", - "purl": "pkg:maven/com.google.inject/guice@4.2.3?classifier=no_aop&type=jar", - "path": "https://github.com/google/guice", + "id": "org.apache.maven.resolver:maven-resolver-transport-http", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-transport-http@1.9.16?type=jar", + "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", "note": "", "available": "AVAILABLE" }, { - "id": "com.google.guava:guava", - "purl": "pkg:maven/com.google.guava/guava@30.1-jre?type=jar", - "path": "https://github.com/google/guava", + "id": "org.apache.maven.resolver:maven-resolver-transport-wagon", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-transport-wagon@1.9.16?type=jar", + "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", "note": "", "available": "AVAILABLE" }, { - "id": "com.google.guava:failureaccess", - "purl": "pkg:maven/com.google.guava/failureaccess@1.0.1?type=jar", - "path": "https://github.com/google/guava", + "id": "org.fusesource.jansi:jansi", + "purl": "pkg:maven/org.fusesource.jansi/jansi@2.4.1?type=jar", + "path": "https://github.com/fusesource/jansi", "branch": "", "digest": "", - "note": "https://github.com/google/guava is already analyzed.", - "available": "DUPLICATED REPO URL" + "note": "", + "available": "AVAILABLE" }, { - "id": "javax.inject:javax.inject", - "purl": 
"pkg:maven/javax.inject/javax.inject@1?type=jar", + "id": "org.ow2.asm:asm", + "purl": "pkg:maven/org.ow2.asm/asm@9.5?type=jar", "path": "", "branch": "", "digest": "", 
@@ -117,71 +117,71 @@ "available": "MISSING REPO URL" }, { - "id": "javax.annotation:javax.annotation-api", - "purl": "pkg:maven/javax.annotation/javax.annotation-api@1.3.2?type=jar", - "path": "https://github.com/javaee/javax.annotation", + "id": "org.apache.maven.resolver:maven-resolver-api", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-api@1.9.16?type=jar", + "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", "note": "", "available": "AVAILABLE" }, { - "id": "org.codehaus.plexus:plexus-sec-dispatcher", - "purl": "pkg:maven/org.codehaus.plexus/plexus-sec-dispatcher@2.0?type=jar", - "path": "https://github.com/codehaus-plexus/plexus-sec-dispatcher", + "id": "org.apache.maven.resolver:maven-resolver-util", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-util@1.9.16?type=jar", + "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", "note": "", "available": "AVAILABLE" }, { - "id": "org.codehaus.plexus:plexus-cipher", - "purl": "pkg:maven/org.codehaus.plexus/plexus-cipher@2.0?type=jar", - "path": "https://github.com/codehaus-plexus/plexus-cipher", + "id": "org.apache.maven.resolver:maven-resolver-impl", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-impl@1.9.16?type=jar", + "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", "note": "", "available": "AVAILABLE" }, { - "id": "org.slf4j:slf4j-simple", - "purl": "pkg:maven/org.slf4j/slf4j-simple@1.7.32?type=jar", - "path": "https://github.com/qos-ch/slf4j", + "id": "javax.inject:javax.inject", + "purl": "pkg:maven/javax.inject/javax.inject@1?type=jar", + "path": "", "branch": "", "digest": "", - "note": "https://github.com/qos-ch/slf4j is already analyzed.", - "available": "DUPLICATED REPO URL" + "note": "Manual configuration required. 
Could not find SCM URL.", + "available": "MISSING REPO URL" }, { - "id": "ch.qos.logback:logback-classic", - "purl": "pkg:maven/ch.qos.logback/logback-classic@1.2.11?type=jar", - "path": "https://github.com/ceki/logback", + "id": "org.codehaus.plexus:plexus-interpolation", + "purl": "pkg:maven/org.codehaus.plexus/plexus-interpolation@1.26?type=jar", + "path": "https://github.com/codehaus-plexus/plexus-interpolation", "branch": "", "digest": "", "note": "", "available": "AVAILABLE" }, { - "id": "commons-cli:commons-cli", - "purl": "pkg:maven/commons-cli/commons-cli@1.5.0?type=jar", - "path": "https://github.com/apache/maven-apache-parent", + "id": "org.apache.maven.wagon:wagon-provider-api", + "purl": "pkg:maven/org.apache.maven.wagon/wagon-provider-api@3.5.3?type=jar", + "path": "https://github.com/apache/maven-wagon", "branch": "", "digest": "", "note": "", "available": "AVAILABLE" }, { - "id": "org.apache.commons:commons-lang3", - "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0?type=jar", - "path": "https://github.com/apache/maven-apache-parent", + "id": "org.codehaus.plexus:plexus-testing", + "purl": "pkg:maven/org.codehaus.plexus/plexus-testing@1.0.0?type=jar", + "path": "https://github.com/codehaus-plexus/plexus-testing", "branch": "", "digest": "", - "note": "https://github.com/apache/maven-apache-parent is already analyzed.", - "available": "DUPLICATED REPO URL" + "note": "", + "available": "AVAILABLE" }, { "id": "org.mockito:mockito-core", - "purl": "pkg:maven/org.mockito/mockito-core@3.2.0?type=jar", + "purl": "pkg:maven/org.mockito/mockito-core@5.2.0?type=jar", "path": "https://github.com/mockito/mockito", "branch": "", "digest": "", 
@@ -189,117 +189,117 @@ "available": "AVAILABLE" }, { - "id": "org.fusesource.jansi:jansi", - "purl": "pkg:maven/org.fusesource.jansi/jansi@2.4.0?type=jar", - "path": "https://github.com/fusesource/jansi", + "id": "org.apache.maven.resolver:maven-resolver-spi", + "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-spi@1.9.16?type=jar", + "path": "https://github.com/apache/maven-resolver", "branch": "", "digest": "", "note": "", "available": "AVAILABLE" }, { - "id": "org.apache.maven.wagon:wagon-http", - "purl": "pkg:maven/org.apache.maven.wagon/wagon-http@3.5.1?type=jar", - "path": "https://github.com/apache/maven-wagon", + "id": "commons-io:commons-io", + "purl": "pkg:maven/commons-io/commons-io@2.11.0?type=jar", + "path": "https://github.com/apache/maven-apache-parent", "branch": "", "digest": "", "note": "", "available": "AVAILABLE" }, { - "id": "org.apache.maven.wagon:wagon-file", - "purl": "pkg:maven/org.apache.maven.wagon/wagon-file@3.5.1?type=jar", - "path": "https://github.com/apache/maven-wagon", + "id": "org.eclipse.sisu:org.eclipse.sisu.inject", + "purl": "pkg:maven/org.eclipse.sisu/org.eclipse.sisu.inject@0.9.0.M2?classifier=no_asm&type=jar", + "path": "https://github.com/eclipse/sisu.inject", "branch": "", "digest": "", - "note": "https://github.com/apache/maven-wagon is already analyzed.", - "available": "DUPLICATED REPO URL" + "note": "", + "available": "AVAILABLE" }, { - "id": "org.slf4j:jcl-over-slf4j", - "purl": "pkg:maven/org.slf4j/jcl-over-slf4j@1.7.32?type=jar", - "path": "https://github.com/qos-ch/slf4j", + "id": "com.google.inject:guice", + "purl": "pkg:maven/com.google.inject/guice@5.1.0?classifier=classes&type=jar", + "path": "https://github.com/google/guice", "branch": "", "digest": "", - "note": "https://github.com/qos-ch/slf4j is already analyzed.", - "available": "DUPLICATED REPO URL" + "note": "", + "available": "AVAILABLE" }, { - "id": "org.apache.maven.resolver:maven-resolver-connector-basic", - "purl": 
"pkg:maven/org.apache.maven.resolver/maven-resolver-connector-basic@1.8.0?type=jar", - "path": "https://github.com/apache/maven-resolver", + "id": "com.google.guava:guava", + "purl": "pkg:maven/com.google.guava/guava@32.0.1-jre?type=jar", + "path": "https://github.com/google/guava", "branch": "", "digest": "", - "note": "https://github.com/apache/maven-resolver is already analyzed.", - "available": "DUPLICATED REPO URL" + "note": "", + "available": "AVAILABLE" }, { - "id": "org.apache.maven.resolver:maven-resolver-transport-file", - "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-transport-file@1.8.0?type=jar", - "path": "https://github.com/apache/maven-resolver", + "id": "com.google.guava:failureaccess", + "purl": "pkg:maven/com.google.guava/failureaccess@1.0.1?type=jar", + "path": "https://github.com/google/guava", "branch": "", "digest": "", - "note": "https://github.com/apache/maven-resolver is already analyzed.", + "note": "https://github.com/google/guava is already analyzed.", "available": "DUPLICATED REPO URL" }, { - "id": "org.apache.maven.resolver:maven-resolver-transport-http", - "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-transport-http@1.8.0?type=jar", - "path": "https://github.com/apache/maven-resolver", + "id": "org.codehaus.plexus:plexus-classworlds", + "purl": "pkg:maven/org.codehaus.plexus/plexus-classworlds@2.6.0?type=jar", + "path": "https://github.com/codehaus-plexus/plexus-classworlds", "branch": "", "digest": "", - "note": "https://github.com/apache/maven-resolver is already analyzed.", - "available": "DUPLICATED REPO URL" + "note": "", + "available": "AVAILABLE" }, { - "id": "org.apache.maven.resolver:maven-resolver-transport-wagon", - "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-transport-wagon@1.8.0?type=jar", - "path": "https://github.com/apache/maven-resolver", + "id": "org.slf4j:slf4j-api", + "purl": "pkg:maven/org.slf4j/slf4j-api@1.7.36?type=jar", + "path": "https://github.com/qos-ch/slf4j", 
"branch": "", "digest": "", - "note": "https://github.com/apache/maven-resolver is already analyzed.", + "note": "https://github.com/qos-ch/slf4j is already analyzed.", "available": "DUPLICATED REPO URL" }, { - "id": "org.codehaus.plexus:plexus-interpolation", - "purl": "pkg:maven/org.codehaus.plexus/plexus-interpolation@1.26?type=jar", - "path": "https://github.com/codehaus-plexus/plexus-interpolation", + "id": "org.slf4j:slf4j-simple", + "purl": "pkg:maven/org.slf4j/slf4j-simple@1.7.36?type=jar", + "path": "https://github.com/qos-ch/slf4j", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/qos-ch/slf4j is already analyzed.", + "available": "DUPLICATED REPO URL" }, { - "id": "org.apache.maven.resolver:maven-resolver-impl", - "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-impl@1.8.0?type=jar", - "path": "https://github.com/apache/maven-resolver", + "id": "commons-jxpath:commons-jxpath", + "purl": "pkg:maven/commons-jxpath/commons-jxpath@1.3?type=jar", + "path": "", "branch": "", "digest": "", - "note": "https://github.com/apache/maven-resolver is already analyzed.", - "available": "DUPLICATED REPO URL" + "note": "Manual configuration required. 
Could not find SCM URL.", + "available": "MISSING REPO URL" }, { - "id": "org.codehaus.plexus:plexus-component-annotations", - "purl": "pkg:maven/org.codehaus.plexus/plexus-component-annotations@2.1.0?type=jar", - "path": "https://github.com/codehaus-plexus/plexus-containers", + "id": "org.mockito:mockito-inline", + "purl": "pkg:maven/org.mockito/mockito-inline@5.2.0?type=jar", + "path": "https://github.com/mockito/mockito", "branch": "", "digest": "", - "note": "", - "available": "AVAILABLE" + "note": "https://github.com/mockito/mockito is already analyzed.", + "available": "DUPLICATED REPO URL" }, { - "id": "org.apache.maven.wagon:wagon-provider-api", - "purl": "pkg:maven/org.apache.maven.wagon/wagon-provider-api@3.5.1?type=jar", - "path": "https://github.com/apache/maven-wagon", + "id": "org.hamcrest:hamcrest-library", + "purl": "pkg:maven/org.hamcrest/hamcrest-library@2.2?type=jar", + "path": "https://github.com/hamcrest/JavaHamcrest", "branch": "", "digest": "", - "note": "https://github.com/apache/maven-wagon is already analyzed.", + "note": "https://github.com/hamcrest/JavaHamcrest is already analyzed.", "available": "DUPLICATED REPO URL" }, { - "id": "org.codehaus.plexus:plexus-testing", - "purl": "pkg:maven/org.codehaus.plexus/plexus-testing@1.0.0?type=jar", - "path": "https://github.com/codehaus-plexus/plexus-testing", + "id": "org.xmlunit:xmlunit-assertj", + "purl": "pkg:maven/org.xmlunit/xmlunit-assertj@2.6.4?type=jar", + "path": "https://github.com/xmlunit/xmlunit", "branch": "", "digest": "", "note": "", @@ -307,7 +307,7 @@ }, { "id": "org.junit.jupiter:junit-jupiter-params", - "purl": "pkg:maven/org.junit.jupiter/junit-jupiter-params@5.8.1?type=jar", + "purl": "pkg:maven/org.junit.jupiter/junit-jupiter-params@5.10.0?type=jar", "path": "https://github.com/junit-team/junit5", "branch": "", "digest": "", 
@@ -315,31 +315,40 @@ "available": "DUPLICATED REPO URL" }, { - "id": "org.xmlunit:xmlunit-assertj", - "purl": "pkg:maven/org.xmlunit/xmlunit-assertj@2.6.4?type=jar", - "path": "https://github.com/xmlunit/xmlunit", + "id": "javax.annotation:javax.annotation-api", + "purl": "pkg:maven/javax.annotation/javax.annotation-api@1.3.2?type=jar", + "path": "https://github.com/javaee/javax.annotation", "branch": "", "digest": "", "note": "", "available": "AVAILABLE" }, { - "id": "org.hamcrest:hamcrest-library", - "purl": "pkg:maven/org.hamcrest/hamcrest-library@2.2?type=jar", - "path": "https://github.com/hamcrest/JavaHamcrest", + "id": "org.codehaus.plexus:plexus-sec-dispatcher", + "purl": "pkg:maven/org.codehaus.plexus/plexus-sec-dispatcher@2.0?type=jar", + "path": "https://github.com/codehaus-plexus/plexus-sec-dispatcher", "branch": "", "digest": "", - "note": "https://github.com/hamcrest/JavaHamcrest is already analyzed.", - "available": "DUPLICATED REPO URL" + "note": "", + "available": "AVAILABLE" }, { - "id": "org.eclipse.sisu:org.eclipse.sisu.inject", - "purl": "pkg:maven/org.eclipse.sisu/org.eclipse.sisu.inject@0.3.5?type=jar", - "path": "", + "id": "org.codehaus.plexus:plexus-cipher", + "purl": "pkg:maven/org.codehaus.plexus/plexus-cipher@2.0?type=jar", + "path": "https://github.com/codehaus-plexus/plexus-cipher", "branch": "", "digest": "", - "note": "Manual configuration required. Could not find SCM URL.", - "available": "MISSING REPO URL" + "note": "", + "available": "AVAILABLE" + }, + { + "id": "ch.qos.logback:logback-classic", + "purl": "pkg:maven/ch.qos.logback/logback-classic@1.2.11?type=jar", + "path": "https://github.com/ceki/logback", + "branch": "", + "digest": "", + "note": "", + "available": "AVAILABLE" }, { "id": "org.xmlunit:xmlunit-core", 
@@ -360,21 +369,39 @@ "available": "DUPLICATED REPO URL" }, { - "id": "org.apache.maven.resolver:maven-resolver-spi", - "purl": "pkg:maven/org.apache.maven.resolver/maven-resolver-spi@1.8.0?type=jar", - "path": "https://github.com/apache/maven-resolver", + "id": "org.codehaus.plexus:plexus-xml", + "purl": "pkg:maven/org.codehaus.plexus/plexus-xml@4.0.1?type=jar", + "path": "https://github.com/codehaus-plexus/plexus-xml", + "branch": "", + "digest": "", + "note": "", + "available": "AVAILABLE" + }, + { + "id": "org.openjdk.jmh:jmh-core", + "purl": "pkg:maven/org.openjdk.jmh/jmh-core@1.36?type=jar", + "path": "https://github.com/openjdk/jmh", "branch": "", "digest": "", - "note": "https://github.com/apache/maven-resolver is already analyzed.", + "note": "", + "available": "AVAILABLE" + }, + { + "id": "org.openjdk.jmh:jmh-generator-annprocess", + "purl": "pkg:maven/org.openjdk.jmh/jmh-generator-annprocess@1.36?type=jar", + "path": "https://github.com/openjdk/jmh", + "branch": "", + "digest": "", + "note": "https://github.com/openjdk/jmh is already analyzed.", "available": "DUPLICATED REPO URL" }, { - "id": "commons-jxpath:commons-jxpath", - "purl": "pkg:maven/commons-jxpath/commons-jxpath@1.3?type=jar", - "path": "", + "id": "com.fasterxml.woodstox:woodstox-core", + "purl": "pkg:maven/com.fasterxml.woodstox/woodstox-core@6.5.1?type=jar", + "path": "https://github.com/FasterXML/woodstox", "branch": "", "digest": "", - "note": "Manual configuration required. Could not find SCM URL.", - "available": "MISSING REPO URL" + "note": "", + "available": "AVAILABLE" } ] diff --git a/tests/e2e/configurations/maven_config.yaml b/tests/e2e/configurations/maven_config.yaml index e95a58955..345cb1cfb 100644 --- a/tests/e2e/configurations/maven_config.yaml +++ b/tests/e2e/configurations/maven_config.yaml 
@@ -1,10 +1,10 @@ -# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. target: id: apache/maven branch: master - digest: 6767f2500f1d005924ccff27f04350c253858a84 + digest: 3fc399318edef0d5ba593723a24fff64291d6f9b path: https://github.com/apache/maven.git dependencies: diff --git a/tests/e2e/configurations/maven_digest_no_branch.yaml b/tests/e2e/configurations/maven_digest_no_branch.yaml index f7911a565..8d882365e 100644 --- a/tests/e2e/configurations/maven_digest_no_branch.yaml +++ b/tests/e2e/configurations/maven_digest_no_branch.yaml @@ -1,8 +1,8 @@ -# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. target: id: apache/maven branch: '' - digest: 6767f2500f1d005924ccff27f04350c253858a84 + digest: 3fc399318edef0d5ba593723a24fff64291d6f9b path: https://github.com/apache/maven.git diff --git a/tests/e2e/configurations/maven_local_path.yaml b/tests/e2e/configurations/maven_local_path.yaml index 813dc2841..bdf7904f7 100644 --- a/tests/e2e/configurations/maven_local_path.yaml +++ b/tests/e2e/configurations/maven_local_path.yaml @@ -1,10 +1,10 @@ -# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. target: id: apache/maven branch: master - digest: 6767f2500f1d005924ccff27f04350c253858a84 + digest: 3fc399318edef0d5ba593723a24fff64291d6f9b path: apache/maven dependencies: 
diff --git a/tests/e2e/expected_results/maven/maven.json b/tests/e2e/expected_results/maven/maven.json index d33a87a2f..f919a8a84 100644 --- a/tests/e2e/expected_results/maven/maven.json +++ b/tests/e2e/expected_results/maven/maven.json @@ -1,15 +1,16 @@ { "metadata": { - "timestamps": "2023-09-12 17:28:08" + "timestamps": "2023-11-02 15:56:10", + "has_passing_check": true }, "target": { "info": { - "full_name": "pkg:github.com/apache/maven@6767f2500f1d005924ccff27f04350c253858a84", + "full_name": "pkg:github.com/apache/maven@3fc399318edef0d5ba593723a24fff64291d6f9b", "local_cloned_path": "git_repos/github_com/apache/maven", "remote_path": "https://github.com/apache/maven", "branch": "master", - "commit_hash": "6767f2500f1d005924ccff27f04350c253858a84", - "commit_date": "2022-05-29T13:35:24+02:00" + "commit_hash": "3fc399318edef0d5ba593723a24fff64291d6f9b", + "commit_date": "2023-10-20T21:20:23+02:00" }, "provenances": { "is_inferred": true, @@ -21,16 +22,16 @@ "predicateType": "https://slsa.dev/provenance/v0.2", "predicate": { "builder": { - "id": "" + "id": "https://github.com/apache/maven/blob/3fc399318edef0d5ba593723a24fff64291d6f9b/.github/workflows/maven.yml" }, - "buildType": "", + "buildType": "Custom github_actions", "invocation": { "configSource": { - "uri": "", + "uri": "https://github.com/apache/maven.git@refs/heads/master", "digest": { - "sha1": "" + "sha1": "3fc399318edef0d5ba593723a24fff64291d6f9b" }, - "entryPoint": "" + "entryPoint": "https://github.com/apache/maven/blob/3fc399318edef0d5ba593723a24fff64291d6f9b/.github/workflows/maven.yml" }, "parameters": {}, "environment": {} @@ -40,7 +41,7 @@ "stepID": "" }, "metadata": { - "buildInvocationId": "", + "buildInvocationId": "", "buildStartedOn": "", "buildFinishedOn": "", "completeness": { 
@@ -66,16 +67,16 @@ "predicateType": "https://slsa.dev/provenance/v0.2", "predicate": { "builder": { - "id": "Jenkinsfile" + "id": "" }, - "buildType": "Custom jenkins", + "buildType": "", "invocation": { "configSource": { - "uri": "https://github.com/apache/maven@refs/heads/master", + "uri": "", "digest": { - "sha1": "6767f2500f1d005924ccff27f04350c253858a84" + "sha1": "" }, - "entryPoint": "Jenkinsfile" + "entryPoint": "" }, "parameters": {}, "environment": {} @@ -110,23 +111,12 @@ "checks": { "summary": { "DISABLED": 0, - "FAILED": 6, - "PASSED": 4, + "FAILED": 7, + "PASSED": 3, "SKIPPED": 0, "UNKNOWN": 0 }, "results": [ - { - "check_id": "mcn_build_as_code_1", - "check_description": "The build definition and configuration executed by the build service is verifiably derived from text file definitions stored in a version control system.", - "slsa_requirements": [ - "Build as code - SLSA Level 3" - ], - "justification": [ - "The target repository uses build tool maven in jenkins using artifactsPublisher to deploy." - ], - "result_type": "PASSED" - }, { "check_id": "mcn_build_script_1", "check_description": "Check if the target repo has a valid build script.", @@ -145,7 +135,12 @@ "Build service - SLSA Level 2" ], "justification": [ - "Check mcn_build_service_1 is set to PASSED because mcn_build_as_code_1 PASSED." + { + "The target repository uses build tool maven to build": "https://github.com/apache/maven/blob/3fc399318edef0d5ba593723a24fff64291d6f9b/.github/workflows/maven.yml", + "The build is triggered by": "https://github.com/apache/maven/blob/3fc399318edef0d5ba593723a24fff64291d6f9b/.github/workflows/maven.yml" + }, + "Build command: ['mvn', 'verify', '-e', '-B', '-V', '-DdistributionFileName=apache-maven']", + "However, could not find a passing workflow run." ], "result_type": "PASSED" }, 
@@ -162,6 +157,17 @@ ], "result_type": "PASSED" }, + { + "check_id": "mcn_build_as_code_1", + "check_description": "The build definition and configuration executed by the build service is verifiably derived from text file definitions stored in a version control system.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "The target repository does not use maven to deploy." + ], + "result_type": "FAILED" + }, { "check_id": "mcn_infer_artifact_pipeline_1", "check_description": "Detects potential pipelines from which an artifact is published.", @@ -169,7 +175,7 @@ "Build as code - SLSA Level 3" ], "justification": [ - "Unable to find a publishing timestamp for the artifact." + "Check mcn_infer_artifact_pipeline_1 is set to FAILED because mcn_build_as_code_1 FAILED." ], "result_type": "FAILED" }, @@ -183,7 +189,7 @@ "Provenance content - Identifies builder - SLSA Level 1" ], "justification": [ - "Could not find any SLSA provenances." + "Could not find any SLSA or Witness provenances." ], "result_type": "FAILED" }, 
@@ -244,31 +250,35 @@ } }, "dependencies": { - "analyzed_deps": 0, - "unique_dep_repos": 0, + "analyzed_deps": 45, + "unique_dep_repos": 36, "checks_summary": [ { - "check_id": "mcn_provenance_expectation_1", - "num_deps_pass": 0 + "check_id": "mcn_version_control_system_1", + "num_deps_pass": 30 + }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 1 }, { "check_id": "mcn_provenance_witness_level_one_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_available_1", - "num_deps_pass": 0 + "check_id": "mcn_build_as_code_1", + "num_deps_pass": 2 }, { - "check_id": "mcn_infer_artifact_pipeline_1", - "num_deps_pass": 0 + "check_id": "mcn_build_service_1", + "num_deps_pass": 24 }, { - "check_id": "mcn_build_as_code_1", - "num_deps_pass": 0 + "check_id": "mcn_build_script_1", + "num_deps_pass": 30 }, { - "check_id": "mcn_version_control_system_1", + "check_id": "mcn_provenance_level_three_1", "num_deps_pass": 0 }, { 
@@ -276,18 +286,285 @@ "num_deps_pass": 0 }, { - "check_id": "mcn_build_script_1", + "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_level_three_1", + "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 + } + ], + "dep_status": [ + { + "id": "org.junit.jupiter:junit-jupiter-api", + "description": "Analysis Completed.", + "report": "junit-jupiter-api.html", + "status": "AVAILABLE" }, { - "check_id": "mcn_build_service_1", - "num_deps_pass": 0 + "id": "org.hamcrest:hamcrest-core", + "description": "Analysis Completed.", + "report": "hamcrest-core.html", + "status": "AVAILABLE" + }, + { + "id": "org.eclipse.sisu:org.eclipse.sisu.plexus", + "description": "Analysis Completed.", + "report": "org_eclipse_sisu_plexus.html", + "status": "AVAILABLE" + }, + { + "id": "commons-cli:commons-cli", + "description": "Analysis Completed.", + "report": "commons-cli.html", + "status": "AVAILABLE" + }, + { + "id": "org.apache.maven.wagon:wagon-http", + "description": "Analysis Completed.", + "report": "wagon-http.html", + "status": "AVAILABLE" + }, + { + "id": "org.apache.maven.wagon:wagon-file", + "description": "Analysis Completed.", + "report": "wagon-file.html", + "status": "AVAILABLE" + }, + { + "id": "org.slf4j:jcl-over-slf4j", + "description": "Analysis Completed.", + "report": "jcl-over-slf4j.html", + "status": "AVAILABLE" + }, + { + "id": "org.apache.maven.resolver:maven-resolver-connector-basic", + "description": "Analysis Completed.", + "report": "maven-resolver-connector-basic.html", + "status": "AVAILABLE" + }, + { + "id": "org.apache.maven.resolver:maven-resolver-transport-file", + "description": "Analysis Completed.", + "report": "maven-resolver-transport-file.html", + "status": "AVAILABLE" + }, + { + "id": "org.apache.maven.resolver:maven-resolver-transport-http", + "description": "Analysis Completed.", + "report": "maven-resolver-transport-http.html", + "status": "AVAILABLE" + }, + { + "id": 
"org.apache.maven.resolver:maven-resolver-transport-wagon", + "description": "Analysis Completed.", + "report": "maven-resolver-transport-wagon.html", + "status": "AVAILABLE" + }, + { + "id": "org.fusesource.jansi:jansi", + "description": "Analysis Completed.", + "report": "jansi.html", + "status": "AVAILABLE" + }, + { + "id": "org.ow2.asm:asm", + "description": "Analysis Completed.", + "report": "asm.html", + "status": "AVAILABLE" + }, + { + "id": "org.apache.maven.resolver:maven-resolver-api", + "description": "Analysis Completed.", + "report": "maven-resolver-api.html", + "status": "AVAILABLE" + }, + { + "id": "org.apache.maven.resolver:maven-resolver-util", + "description": "Analysis Completed.", + "report": "maven-resolver-util.html", + "status": "AVAILABLE" + }, + { + "id": "org.apache.maven.resolver:maven-resolver-impl", + "description": "Analysis Completed.", + "report": "maven-resolver-impl.html", + "status": "AVAILABLE" + }, + { + "id": "javax.inject:javax.inject", + "description": "Analysis Completed.", + "report": "javax_inject.html", + "status": "AVAILABLE" + }, + { + "id": "org.codehaus.plexus:plexus-interpolation", + "description": "Analysis Completed.", + "report": "plexus-interpolation.html", + "status": "AVAILABLE" + }, + { + "id": "org.apache.maven.wagon:wagon-provider-api", + "description": "Analysis Completed.", + "report": "wagon-provider-api.html", + "status": "AVAILABLE" + }, + { + "id": "org.codehaus.plexus:plexus-testing", + "description": "Analysis Completed.", + "report": "plexus-testing.html", + "status": "AVAILABLE" + }, + { + "id": "org.mockito:mockito-core", + "description": "Analysis Completed.", + "report": "mockito-core.html", + "status": "AVAILABLE" + }, + { + "id": "org.apache.maven.resolver:maven-resolver-spi", + "description": "Analysis Completed.", + "report": "maven-resolver-spi.html", + "status": "AVAILABLE" + }, + { + "id": "commons-io:commons-io", + "description": "Analysis Completed.", + "report": "commons-io.html", + 
"status": "AVAILABLE" + }, + { + "id": "org.eclipse.sisu:org.eclipse.sisu.inject", + "description": "Analysis Completed.", + "report": "org_eclipse_sisu_inject.html", + "status": "AVAILABLE" + }, + { + "id": "com.google.inject:guice", + "description": "Analysis Completed.", + "report": "guice.html", + "status": "AVAILABLE" + }, + { + "id": "com.google.guava:guava", + "description": "Analysis Completed.", + "report": "guava.html", + "status": "AVAILABLE" + }, + { + "id": "com.google.guava:failureaccess", + "description": "https://github.com/google/guava is already analyzed.", + "report": "", + "status": "DUPLICATED REPO URL" + }, + { + "id": "org.codehaus.plexus:plexus-classworlds", + "description": "Analysis Completed.", + "report": "plexus-classworlds.html", + "status": "AVAILABLE" + }, + { + "id": "org.slf4j:slf4j-api", + "description": "https://github.com/qos-ch/slf4j is already analyzed.", + "report": "", + "status": "DUPLICATED REPO URL" + }, + { + "id": "org.slf4j:slf4j-simple", + "description": "https://github.com/qos-ch/slf4j is already analyzed.", + "report": "", + "status": "DUPLICATED REPO URL" + }, + { + "id": "commons-jxpath:commons-jxpath", + "description": "Analysis Completed.", + "report": "commons-jxpath.html", + "status": "AVAILABLE" + }, + { + "id": "org.mockito:mockito-inline", + "description": "https://github.com/mockito/mockito is already analyzed.", + "report": "", + "status": "DUPLICATED REPO URL" + }, + { + "id": "org.hamcrest:hamcrest-library", + "description": "https://github.com/hamcrest/JavaHamcrest is already analyzed.", + "report": "", + "status": "DUPLICATED REPO URL" + }, + { + "id": "org.xmlunit:xmlunit-assertj", + "description": "Analysis Completed.", + "report": "xmlunit-assertj.html", + "status": "AVAILABLE" + }, + { + "id": "org.junit.jupiter:junit-jupiter-params", + "description": "https://github.com/junit-team/junit5 is already analyzed.", + "report": "", + "status": "DUPLICATED REPO URL" + }, + { + "id": 
"javax.annotation:javax.annotation-api", + "description": "Analysis Completed.", + "report": "javax_annotation-api.html", + "status": "AVAILABLE" + }, + { + "id": "org.codehaus.plexus:plexus-sec-dispatcher", + "description": "Analysis Completed.", + "report": "plexus-sec-dispatcher.html", + "status": "AVAILABLE" + }, + { + "id": "org.codehaus.plexus:plexus-cipher", + "description": "Analysis Completed.", + "report": "plexus-cipher.html", + "status": "AVAILABLE" + }, + { + "id": "ch.qos.logback:logback-classic", + "description": "Analysis Completed.", + "report": "logback-classic.html", + "status": "AVAILABLE" + }, + { + "id": "org.xmlunit:xmlunit-core", + "description": "https://github.com/xmlunit/xmlunit is already analyzed.", + "report": "", + "status": "DUPLICATED REPO URL" + }, + { + "id": "org.xmlunit:xmlunit-matchers", + "description": "https://github.com/xmlunit/xmlunit is already analyzed.", + "report": "", + "status": "DUPLICATED REPO URL" + }, + { + "id": "org.codehaus.plexus:plexus-xml", + "description": "Analysis Completed.", + "report": "plexus-xml.html", + "status": "AVAILABLE" + }, + { + "id": "org.openjdk.jmh:jmh-core", + "description": "Analysis Completed.", + "report": "jmh-core.html", + "status": "AVAILABLE" + }, + { + "id": "org.openjdk.jmh:jmh-generator-annprocess", + "description": "https://github.com/openjdk/jmh is already analyzed.", + "report": "", + "status": "DUPLICATED REPO URL" + }, + { + "id": "com.fasterxml.woodstox:woodstox-core", + "description": "Analysis Completed.", + "report": "woodstox-core.html", + "status": "AVAILABLE" } - ], - "dep_status": [] + ] } } diff --git a/tests/e2e/expected_results/purl/com_google_guava/guava/guava.json b/tests/e2e/expected_results/purl/com_google_guava/guava/guava.json index d28951558..672413f43 100644 --- a/tests/e2e/expected_results/purl/com_google_guava/guava/guava.json +++ b/tests/e2e/expected_results/purl/com_google_guava/guava/guava.json 
@@ -1,6 +1,7 @@ { "metadata": { - "timestamps": "2023-09-12 16:52:10" + "timestamps": "2023-11-03 11:54:05", + "has_passing_check": true }, "target": { "info": { @@ -145,7 +146,7 @@ "Provenance content - Identifies builder - SLSA Level 1" ], "justification": [ - "Could not find any SLSA provenances." + "Could not find any SLSA or Witness provenances." ], "result_type": "FAILED" }, @@ -210,43 +211,43 @@ "unique_dep_repos": 0, "checks_summary": [ { - "check_id": "mcn_provenance_expectation_1", + "check_id": "mcn_version_control_system_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_witness_level_one_1", + "check_id": "mcn_infer_artifact_pipeline_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_available_1", + "check_id": "mcn_provenance_witness_level_one_1", "num_deps_pass": 0 }, { - "check_id": "mcn_infer_artifact_pipeline_1", + "check_id": "mcn_build_as_code_1", "num_deps_pass": 0 }, { - "check_id": "mcn_build_as_code_1", + "check_id": "mcn_build_service_1", "num_deps_pass": 0 }, { - "check_id": "mcn_version_control_system_1", + "check_id": "mcn_build_script_1", "num_deps_pass": 0 }, { - "check_id": "mcn_trusted_builder_level_three_1", + "check_id": "mcn_provenance_level_three_1", "num_deps_pass": 0 }, { - "check_id": "mcn_build_script_1", + "check_id": "mcn_trusted_builder_level_three_1", "num_deps_pass": 0 }, { - "check_id": "mcn_provenance_level_three_1", + "check_id": "mcn_provenance_available_1", "num_deps_pass": 0 }, { - "check_id": "mcn_build_service_1", + "check_id": "mcn_provenance_expectation_1", "num_deps_pass": 0 } ], diff --git a/tests/e2e/expected_results/purl/maven/maven.json b/tests/e2e/expected_results/purl/maven/maven.json index 833cb74bb..092e68c40 100644 --- a/tests/e2e/expected_results/purl/maven/maven.json +++ b/tests/e2e/expected_results/purl/maven/maven.json @@ -1,6 +1,7 @@ { "metadata": { - "timestamps": "2023-09-12 17:10:37" + "timestamps": "2023-11-03 10:55:56", + "has_passing_check": true }, "target": { "info": { 
@@ -8,8 +9,8 @@ "local_cloned_path": "git_repos/github_com/apache/maven", "remote_path": "https://github.com/apache/maven", "branch": "master", - "commit_hash": "6767f2500f1d005924ccff27f04350c253858a84", - "commit_date": "2022-05-29T13:35:24+02:00" + "commit_hash": "3fc399318edef0d5ba593723a24fff64291d6f9b", + "commit_date": "2023-10-20T21:20:23+02:00" }, "provenances": { "is_inferred": true, @@ -21,16 +22,16 @@ "predicateType": "https://slsa.dev/provenance/v0.2", "predicate": { "builder": { - "id": "" + "id": "https://github.com/apache/maven/blob/3fc399318edef0d5ba593723a24fff64291d6f9b/.github/workflows/maven.yml" }, - "buildType": "", + "buildType": "Custom github_actions", "invocation": { "configSource": { - "uri": "", + "uri": "https://github.com/apache/maven.git@refs/heads/master", "digest": { - "sha1": "" + "sha1": "3fc399318edef0d5ba593723a24fff64291d6f9b" }, - "entryPoint": "" + "entryPoint": "https://github.com/apache/maven/blob/3fc399318edef0d5ba593723a24fff64291d6f9b/.github/workflows/maven.yml" }, "parameters": {}, "environment": {} @@ -40,7 +41,7 @@ "stepID": "" }, "metadata": { - "buildInvocationId": "", + "buildInvocationId": "", "buildStartedOn": "", "buildFinishedOn": "", "completeness": { @@ -66,16 +67,16 @@ "predicateType": "https://slsa.dev/provenance/v0.2", "predicate": { "builder": { - "id": "Jenkinsfile" + "id": "" }, - "buildType": "Custom jenkins", + "buildType": "", "invocation": { "configSource": { - "uri": "https://github.com/apache/maven@refs/heads/master", + "uri": "", "digest": { - "sha1": "6767f2500f1d005924ccff27f04350c253858a84" + "sha1": "" }, - "entryPoint": "Jenkinsfile" + "entryPoint": "" }, "parameters": {}, "environment": {} 
@@ -110,23 +111,12 @@
 "checks": {
 "summary": {
 "DISABLED": 0,
- "FAILED": 6,
- "PASSED": 4,
+ "FAILED": 7,
+ "PASSED": 3,
 "SKIPPED": 0,
 "UNKNOWN": 0
 },
 "results": [
- {
- "check_id": "mcn_build_as_code_1",
- "check_description": "The build definition and configuration executed by the build service is verifiably derived from text file definitions stored in a version control system.",
- "slsa_requirements": [
- "Build as code - SLSA Level 3"
- ],
- "justification": [
- "The target repository uses build tool maven in jenkins using artifactsPublisher to deploy."
- ],
- "result_type": "PASSED"
- },
 {
 "check_id": "mcn_build_script_1",
 "check_description": "Check if the target repo has a valid build script.",
@@ -145,7 +135,12 @@
 "Build service - SLSA Level 2"
 ],
 "justification": [
- "Check mcn_build_service_1 is set to PASSED because mcn_build_as_code_1 PASSED."
+ {
+ "The target repository uses build tool maven to build": "https://github.com/apache/maven/blob/3fc399318edef0d5ba593723a24fff64291d6f9b/.github/workflows/maven.yml",
+ "The build is triggered by": "https://github.com/apache/maven/blob/3fc399318edef0d5ba593723a24fff64291d6f9b/.github/workflows/maven.yml"
+ },
+ "Build command: ['mvn', 'verify', '-e', '-B', '-V', '-DdistributionFileName=apache-maven']",
+ "However, could not find a passing workflow run."
 ],
 "result_type": "PASSED"
 },
@@ -162,6 +157,17 @@
 ],
 "result_type": "PASSED"
 },
+ {
+ "check_id": "mcn_build_as_code_1",
+ "check_description": "The build definition and configuration executed by the build service is verifiably derived from text file definitions stored in a version control system.",
+ "slsa_requirements": [
+ "Build as code - SLSA Level 3"
+ ],
+ "justification": [
+ "The target repository does not use maven to deploy."
+ ],
+ "result_type": "FAILED"
+ },
 {
 "check_id": "mcn_infer_artifact_pipeline_1",
 "check_description": "Detects potential pipelines from which an artifact is published.",
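Review bot: The new expectation for mcn_build_service_1 keeps `"result_type": "PASSED"` while its own justification ends with `"However, could not find a passing workflow run."`, so the fixture now asserts that a build-service check passes on the workflow definition alone with no observed successful run; it is worth confirming that is the intended semantics rather than a regenerated oracle accepted as-is. In the same file mcn_build_as_code_1 flips from PASSED to FAILED with `"The target repository does not use maven to deploy."` after the pinned commit moved from a Jenkins-based to a GitHub Actions build, and the summary counts (`"FAILED": 7`, `"PASSED": 3`) encode both outcomes. If these are deliberate, a one-line comment in the integration script next to the updated commit hash explaining why the target no longer deploys via Maven would make future fixture refreshes easier to review.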
@@ -169,7 +175,7 @@
 "Build as code - SLSA Level 3"
 ],
 "justification": [
- "Unable to find a publishing timestamp for the artifact."
+ "Check mcn_infer_artifact_pipeline_1 is set to FAILED because mcn_build_as_code_1 FAILED."
 ],
 "result_type": "FAILED"
 },
@@ -183,7 +189,7 @@
 "Provenance content - Identifies builder - SLSA Level 1"
 ],
 "justification": [
- "Could not find any SLSA provenances."
+ "Could not find any SLSA or Witness provenances."
 ],
 "result_type": "FAILED"
 },
@@ -248,43 +254,43 @@
 "unique_dep_repos": 0,
 "checks_summary": [
 {
- "check_id": "mcn_provenance_expectation_1",
+ "check_id": "mcn_version_control_system_1",
 "num_deps_pass": 0
 },
 {
- "check_id": "mcn_provenance_witness_level_one_1",
+ "check_id": "mcn_infer_artifact_pipeline_1",
 "num_deps_pass": 0
 },
 {
- "check_id": "mcn_provenance_available_1",
+ "check_id": "mcn_provenance_witness_level_one_1",
 "num_deps_pass": 0
 },
 {
- "check_id": "mcn_infer_artifact_pipeline_1",
+ "check_id": "mcn_build_as_code_1",
 "num_deps_pass": 0
 },
 {
- "check_id": "mcn_build_as_code_1",
+ "check_id": "mcn_build_service_1",
 "num_deps_pass": 0
 },
 {
- "check_id": "mcn_version_control_system_1",
+ "check_id": "mcn_build_script_1",
 "num_deps_pass": 0
 },
 {
- "check_id": "mcn_trusted_builder_level_three_1",
+ "check_id": "mcn_provenance_level_three_1",
 "num_deps_pass": 0
 },
 {
- "check_id": "mcn_build_script_1",
+ "check_id": "mcn_trusted_builder_level_three_1",
 "num_deps_pass": 0
 },
 {
- "check_id": "mcn_provenance_level_three_1",
+ "check_id": "mcn_provenance_available_1",
 "num_deps_pass": 0
 },
 {
- "check_id": "mcn_build_service_1",
+ "check_id": "mcn_provenance_expectation_1",
 "num_deps_pass": 0
 }
 ],
