[Bug] - The build command's JDK version is reported incorrectly for pkg:maven/org.apache.hugegraph/[email protected]
Description
The Package URL pkg:maven/org.apache.hugegraph/[email protected] was built using JDK11 in its GitHub Actions pipeline. However, Macaron reports JDK version 8.
Steps to Reproduce
# Assume you have set up the dev environment using make setup
macaron analyze -purl pkg:maven/org.apache.hugegraph/[email protected]
...
2025-05-09 17:27:44,817 [macaron.slsa_analyzer.checks.base_check:run:95] [INFO] ----------------------------------
2025-05-09 17:27:44,817 [macaron.slsa_analyzer.checks.base_check:run:96] [INFO] BEGIN CHECK: mcn_build_script_1
2025-05-09 17:27:44,817 [macaron.slsa_analyzer.checks.base_check:run:97] [INFO] ----------------------------------
2025-05-09 17:27:44,818 [macaron.slsa_analyzer.checks.base_check:run:111] [INFO] Check mcn_build_script_1 run PASSED on target pkg:maven/org.apache.hugegraph/[email protected].
2025-05-09 17:27:44,818 [macaron.slsa_analyzer.checks.base_check:run:117] [DEBUG] Check result: ...
The Check Result (PASSED) for mcn_build_script_1 check (prettified)
[(<Confidence.HIGH: 1.0>,
['build_tool_name: maven',
'ci_service_name: github_actions',
'language: BuildLanguage.JAVA',
'language_distributions: ["zulu"]',
'language_versions: ["8"]',
'build_tool_command: ["mvn", "apache-rat:check", "-ntp"]',
{'build_trigger': 'https://github.com/apache/hugegraph-computer/blob/d2b95262091d6572cc12dcda57d89f9cd44ac88b/.github/workflows/ci.yml',
'language_url': 'https://github.com/actions/setup-java'}]),
(<Confidence.HIGH: 1.0>,
['build_tool_name: maven',
'ci_service_name: github_actions',
'language: BuildLanguage.JAVA',
'language_distributions: ["zulu"]',
'language_versions: ["8"]',
'build_tool_command: ["mvn", "clean", "compile", '
'"-Dmaven.javadoc.skip=true", "-ntp"]',
{'build_trigger': 'https://github.com/apache/hugegraph-computer/blob/d2b95262091d6572cc12dcda57d89f9cd44ac88b/.github/workflows/ci.yml',
'language_url': 'https://github.com/actions/setup-java'}]),
(<Confidence.HIGH: 1.0>,
['build_tool_name: maven',
'ci_service_name: github_actions',
'language: BuildLanguage.JAVA',
'language_distributions: ["zulu"]',
'language_versions: ["8"]',
'build_tool_command: ["mvn", "test", "-P", "integrate-test", "-ntp"]',
{'build_trigger': 'https://github.com/apache/hugegraph-computer/blob/d2b95262091d6572cc12dcda57d89f9cd44ac88b/.github/workflows/ci.yml',
'language_url': 'https://github.com/actions/setup-java'}]),
(<Confidence.HIGH: 1.0>,
['build_tool_name: maven',
'ci_service_name: github_actions',
'language: BuildLanguage.JAVA',
'language_distributions: ["zulu"]',
'language_versions: ["8"]',
'build_tool_command: ["mvn", "test", "-P", "unit-test", "-ntp"]',
{'build_trigger': 'https://github.com/apache/hugegraph-computer/blob/d2b95262091d6572cc12dcda57d89f9cd44ac88b/.github/workflows/ci.yml',
'language_url': 'https://github.com/actions/setup-java'}]),
(<Confidence.HIGH: 1.0>,
['build_tool_name: maven',
'ci_service_name: github_actions',
'language: BuildLanguage.JAVA',
'language_distributions: ["adopt"]',
'language_versions: ["11"]',
'build_tool_command: ["mvn", "apache-rat:check", "-ntp"]',
{'build_trigger': 'https://github.com/apache/hugegraph-computer/blob/d2b95262091d6572cc12dcda57d89f9cd44ac88b/.github/workflows/license-checker.yml',
'language_url': 'https://github.com/actions/setup-java'}])]
The language version for ["mvn", "test", "-P", "unit-test", "-ntp"] is 8. Having a look at the GitHub Actions workflow file here - https://github.com/apache/incubator-hugegraph-computer/blob/d2b95262091d6572cc12dcda57d89f9cd44ac88b/.github/workflows/ci.yml#L78C4-L85C16 shows that it should be JDK11.
I think this is because at this point - https://github.com/oracle/macaron/blob/32aa0ccf0f552df3e90563653415bd38a3feac6a/src/macaron/slsa_analyzer/ci_service/github_actions/analyzer.py#L256-L277 we return the very first Setup Language step. However, in this project, the Setup Language step closest to the build command should be the correct one.
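The two resolution strategies contrasted in the report, as an added example that is not Macaron's code and not part of the original issue. The workflow below is constructed (it is not the real ci.yml), is assumed to be already parsed from YAML, and all function names are hypothetical.

```python
"""Constructed example: resolve the JDK for a build step in a GitHub Actions job."""

SETUP_JAVA = "actions/setup-java"

# Constructed workflow, already parsed from YAML; not the real hugegraph-computer ci.yml.
WORKFLOW = {
    "jobs": {
        "build": {
            "steps": [
                {"uses": "actions/setup-java@v3",
                 "with": {"java-version": "8", "distribution": "zulu"}},
                {"run": "mvn apache-rat:check -ntp"},
                {"uses": "actions/setup-java@v3",
                 "with": {"java-version": "11", "distribution": "zulu"}},
                {"run": "mvn test -P unit-test -ntp"},
            ]
        },
        # A job with no setup step: neither strategy can name a JDK.
        "docs": {"steps": [{"run": "mvn javadoc:javadoc -ntp"}]},
    }
}


def is_setup_java(step):
    """True if the step uses actions/setup-java at any ref."""
    return step.get("uses", "").split("@")[0] == SETUP_JAVA


def first_setup_version(steps):
    """Strategy the report gives as the cause: the first setup step in the job."""
    for step in steps:
        if is_setup_java(step):
            return (step.get("with") or {}).get("java-version")
    return None


def nearest_setup_version(steps, build_index):
    """Strategy the report proposes: the closest setup step before the build step."""
    for step in reversed(steps[:build_index]):
        if is_setup_java(step):
            return (step.get("with") or {}).get("java-version")
    return None


def resolve(workflow, job, command):
    """Return (first, nearest) JDK versions for the step in `job` running `command`."""
    steps = workflow["jobs"][job]["steps"]  # steps of other jobs never apply
    for i, step in enumerate(steps):
        if step.get("run", "").strip() == command:
            return first_setup_version(steps), nearest_setup_version(steps, i)
    raise LookupError(f"no step runs {command!r} in job {job!r}")
```

The two strategies agree for the first build step and diverge only once a later setup step overrides the JDK, which is the case that matters when the reported version feeds a provenance or reproducible-build decision.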