
feat: verify whether the reported repository can be linked back to the artifact

Open mabdollahpour-ol opened this issue 1 year ago • 6 comments

This version has initial support for maven and gradle build tools.

The core part is added as "repo_verifier" under "repo_finder". "analyzer" calls the "repo_verifier" and adds the info to "dynamic_data". Also added a sample check (for maven) that shows how this data can be used.

mabdollahpour-ol avatar Sep 29 '24 00:09 mabdollahpour-ol

> The core part is added as "repo_verifier" under "repo_finder". "analyzer" calls the "repo_verifier" and adds the info to "dynamic_data". I added a sample check (for maven) that shows how this data can be used.

Can you please add this information to the PR description?

behnazh-w avatar Sep 30 '24 01:09 behnazh-w

@behnazh-w thanks for the comments! I'll apply the changes by EOD.

mabdollahpour-ol avatar Sep 30 '24 20:09 mabdollahpour-ol

Is there a plan to add unit testing and integration testing as part of this PR? @behnazh-w

benmss avatar Oct 01 '24 04:10 benmss

> Is there a plan to add unit testing and integration testing as part of this PR? @behnazh-w

Yes for sure. The PR needs unit tests and integration tests.

behnazh-w avatar Oct 01 '24 05:10 behnazh-w

> > Is there a plan to add unit testing and integration testing as part of this PR? @behnazh-w
>
> Yes for sure. The PR needs unit tests and integration tests.

Yes, tests are on the way.

mabdollahpour-ol avatar Oct 01 '24 20:10 mabdollahpour-ol

> > The core part is added as "repo_verifier" under "repo_finder". "analyzer" calls the "repo_verifier" and adds the info to "dynamic_data". I added a sample check (for maven) that shows how this data can be used.
>
> Can you please add this information to the PR description?

Looks like you forgot to change the PR description. Could you please fix that?

behnazh-w avatar Oct 29 '24 05:10 behnazh-w

Please add the new check to the check table in the documentation at docs/source/index.rst.

behnazh-w avatar Oct 29 '24 05:10 behnazh-w

Please run make docs-full to generate the RST templates for the new modules on the documentation website.

behnazh-w avatar Oct 29 '24 06:10 behnazh-w

> > > The core part is added as "repo_verifier" under "repo_finder". "analyzer" calls the "repo_verifier" and adds the info to "dynamic_data". I added a sample check (for maven) that shows how this data can be used.
> >
> > Can you please add this information to the PR description?
>
> Looks like you forgot to change the PR description. Could you please fix that?

I moved repo_verifier to its own directory. I changed the PR description (the first comment in this page, if that's what you mean) to reflect the change. I didn't add this info to the body of the squashed commit, but I will in the next merge. Does that sound good?

mabdollahpour-ol avatar Oct 30 '24 01:10 mabdollahpour-ol

> Please add the new check to the check table in the documentation at docs/source/index.rst.

The SLSA requirement is "Source - Version controlled", right?

mabdollahpour-ol avatar Oct 30 '24 02:10 mabdollahpour-ol

> > Please add the new check to the check table in the documentation at docs/source/index.rst.
>
> The SLSA requirement is "Source - Version controlled", right?

I've added my suggestion to the PR. This check is related to Source - Version controlled, but it also includes a validation aspect. Generally, while the SLSA requirement column may not use the exact terminology from slsa.dev, there is a relationship.

behnazh-w avatar Oct 30 '24 09:10 behnazh-w