
Incorrect invocation.configSource.uri value for inferred provenance value.

Open tromai opened this issue 2 years ago • 2 comments

How to replicate

Run this command:

macaron analyze -rp https://github.com/ben-manes/caffeine.git --skip-deps

Because this repository doesn't have a provenance that Macaron can detect, Macaron put an inferred provenance in the final JSON report. The content of the JSON report of this analysis is as follows:

...
                             "invocation": {
                                "configSource": {
                                    "uri": "https://github.com/ben-manes/caffeine@refs/heads/None",
...

Description

The logic for generating the content of invocation.configSource.uri for the inferred provenance is located here:

predicate["invocation"]["configSource"]["uri"] = (
    f"{ctx.component.repository.remote_path}"
    f"@refs/heads/{ctx.component.repository.branch_name}"
)

In scenarios where the branch name is not available, the content of this uri will be incorrect.

Suggestion

If the branch name is not available for this software component, we can use f"{ctx.component.repository.remote_path}" only, without f"@refs/heads/{ctx.component.repository.branch_name}".

tromai avatar Dec 21 '23 15:12 tromai

How about using the ctx.component.repository.commit_sha field, which is not nullable, to replace the nullable branch_name?

predicate["invocation"]["configSource"]["uri"] = (
    f"{ctx.component.repository.remote_path}"
-    f"@refs/heads/{ctx.component.repository.branch_name}"
+    f"@{ctx.component.repository.commit_sha}"
)
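Review bot: the `+` line drops the `refs/heads/<branch>` form for every component, not only the ones whose branch is unknown, so a repository with a populated branch_name also loses that information; keep `f"@refs/heads/{ctx.component.repository.branch_name}"` when the branch is known and fall back to `f"@{ctx.component.repository.commit_sha}"` only when branch_name is None. A conditional is needed either way, because the current line interpolates a None branch straight into the URI as the literal string "None", which is exactly the `refs/heads/None` value in the report.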

I think this should be better than not referencing any particular revision of the repo.

nathanwn avatar Feb 28 '24 06:02 nathanwn
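The following is an added example, not Macaron's own code, that puts the issue's buggy URI construction next to a version combining the two suggestions in this thread (keep the branch ref when known, pin to the commit otherwise) and adds a small check that flags the `refs/heads/None` value in a report. The `Repository` dataclass is a constructed stand-in for `ctx.component.repository` with the field names used above; the `digest` entry assumes the SLSA v0.2 `configSource` layout, which the issue itself does not mention; the commit SHA is a constructed placeholder.

```python
"""Added example (not part of the Macaron project): build an inferred
invocation.configSource for a component whose branch name may be unknown."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Repository:
    # Constructed stand-in for ctx.component.repository; field names follow the issue.
    remote_path: str
    branch_name: Optional[str]   # may be None when the branch cannot be determined
    commit_sha: str              # not nullable, as stated in the thread


def buggy_config_source_uri(repo: Repository) -> str:
    # The logic quoted in the issue: a None branch is interpolated as the text "None".
    return f"{repo.remote_path}@refs/heads/{repo.branch_name}"


def config_source(repo: Repository) -> dict:
    """Return a configSource block that never embeds a None.

    Uses the branch ref when the branch is known (the issue's suggestion) and
    otherwise pins the URI to the commit (the follow-up suggestion). The
    resolved commit is also recorded under digest.sha1, which is an assumption
    taken from the SLSA v0.2 configSource layout rather than from the issue.
    """
    if repo.branch_name:
        uri = f"{repo.remote_path}@refs/heads/{repo.branch_name}"
    else:
        uri = f"{repo.remote_path}@{repo.commit_sha}"
    return {"uri": uri, "digest": {"sha1": repo.commit_sha}}


def has_placeholder_ref(uri: str) -> bool:
    """Check for the reported defect: a URI whose revision part ends in a
    Python None literal or is empty. A URI with no '@' revision at all is
    not flagged, since referencing only the remote path is a valid choice."""
    _, sep, ref = uri.partition("@")
    if not sep:
        return False
    return ref.rsplit("/", 1)[-1] in ("None", "")


if __name__ == "__main__":
    # Constructed sample: the repository from the issue, branch unknown, placeholder SHA.
    repo = Repository(
        remote_path="https://github.com/ben-manes/caffeine",
        branch_name=None,
        commit_sha="0123456789abcdef0123456789abcdef01234567",
    )
    print("buggy :", buggy_config_source_uri(repo), has_placeholder_ref(buggy_config_source_uri(repo)))
    print("fixed :", config_source(repo))
```

Running the module prints the `@refs/heads/None` URI flagged as a placeholder, followed by the commit-pinned configSource; `has_placeholder_ref` can be pointed at `predicate["invocation"]["configSource"]["uri"]` of any report to catch a regression of this issue.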