
Wrong deploy commands reported by the build as code check for pkg:maven/dev.sigstore/[email protected]

Open tromai opened this issue 1 year ago • 0 comments

Reproducing the issue

macaron analyze -purl pkg:maven/dev.sigstore/[email protected]

The Build As Code check passed with the following two deploy commands:

  • ["mvn", "clean", "deploy", "--no-transfer-progress", "$@"]
  • ["mvn", "clean", "deploy", "--no-transfer-progress", "$@"]

Initial investigation

Looking through its source code - https://github.com/sigstore/sigstore-java/tree/v1.0.0 shows that it's a Gradle project.

The 2 deploy commands are extracted from https://github.com/sigstore/sigstore-java/blob/d2603344a9357cb73142cb65caf5f39ddb428395/.github/workflows/examples.yaml (as shown in the database).

At this line it ran a shell script, which contains that mvn command - here.

Macaron reports 2 build tools for this PURL: gradle and maven.
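To illustrate the cross-check that would surface a deploy command like this one, here is an added example (not Macaron's code): it follows `run:` steps into an invoked shell script, extracts publish commands, and flags any whose build tool matches none of the repository's top-level build files. The workflow lines, the script contents, the file list and the function names are constructed stand-ins, not taken from sigstore-java.

```python
import shlex

# Build-tool executables and the subcommands that publish artifacts; ./gradlew is
# mapped onto gradle so the wrapper and the bare tool are treated alike.
DEPLOY_GOALS = {"mvn": {"deploy"}, "gradle": {"publish"}, "./gradlew": {"publish"}}
TOOL_OF = {"mvn": "mvn", "gradle": "gradle", "./gradlew": "gradle"}
# Top-level marker files that identify the build tool a repository really uses.
BUILD_FILES = {"pom.xml": "mvn", "build.gradle": "gradle", "build.gradle.kts": "gradle"}


def extract_deploy_commands(run_lines, scripts):
    """Return (argv, origin) for each deploy command reachable from `run:` steps.
    `scripts` maps repo-relative script paths to contents; a step that invokes one
    is followed into it, which is how a script's mvn command reaches the report."""
    found = []
    worklist = [("workflow", line) for line in run_lines]
    while worklist:
        origin, text = worklist.pop(0)
        for line in text.splitlines():
            try:
                argv = shlex.split(line, comments=True)
            except ValueError:  # unbalanced quotes: not a command we can read
                continue
            if not argv:
                continue
            if argv[0] in DEPLOY_GOALS and DEPLOY_GOALS[argv[0]] & set(argv[1:]):
                found.append((argv, origin))
            elif argv[0] in scripts:
                worklist.append((argv[0], scripts[argv[0]]))
    return found


def project_build_tools(repo_files):
    """Build tools evidenced by top-level build files (nested examples are ignored)."""
    return {BUILD_FILES[f] for f in repo_files if f in BUILD_FILES}


def suspicious_deploy_commands(deploy_cmds, tools):
    """Deploy commands whose tool matches none of the repository's build tools."""
    return [(argv, origin) for argv, origin in deploy_cmds if TOOL_OF[argv[0]] not in tools]

# Constructed stand-ins modelled on the report: a Gradle repository whose workflow
# runs a script under examples/ that deploys with Maven.
RUN_LINES = ["./gradlew build", "examples/build.sh"]
SCRIPTS = {"examples/build.sh": '#!/bin/bash\nset -e\nmvn clean deploy --no-transfer-progress "$@"\n'}
REPO_FILES = ["build.gradle.kts", "settings.gradle.kts", "examples/pom.xml", "examples/build.sh"]

if __name__ == "__main__":
    cmds = extract_deploy_commands(RUN_LINES, SCRIPTS)
    for argv, origin in suspicious_deploy_commands(cmds, project_build_tools(REPO_FILES)):
        print(f"{origin}: deploy command uses a tool the repository does not build with: {argv}")
```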

tromai, Dec 05 '24 04:12