fix: extract digest from provenance when repo path is provided but digest is not provided from the user #711

Conversation

@tromai tromai (Member) commented Apr 19, 2024

This Pull Request fixes the issue mentioned here - #698 (comment)
This can be seen as a continuation of #708

Description

When the user provides only a repository path via --repo-path to Macaron without providing --digest, the expected behavior is that Macaron will use the user-provided repository path and try to extract the digest from the provenance if it is available (provided by the user via --provenance-file or obtained from the PURL using the provenance finder).

This combination will be handled inside this block:

```python
case (_, _):
    # If both the PURL and the repository are provided, we will use the user-provided repository path to
    # create the ``Repository`` instance later on. This ``Repository`` instance is attached to the
    # software component initialized from the user-provided PURL.
    return Analyzer.AnalysisTarget(
        parsed_purl=parsed_purl, repo_path=repo_path_input, branch=input_branch, digest=input_digest
    )
```

However, this logic doesn't extract the commit hash from the provenance, which leaves Analyzer.AnalysisTarget.digest empty.

Solution

  • Use the provenance extractor to obtain the digest if the provenance payload is available.
  • Note: the digest provided by the user still takes precedence. Therefore, if the user has already provided a value through --digest, the digest will not be extracted from the provenance.
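
The precedence rule above, written out as an added example that is not Macaron's own code: a digest passed on the command line wins, and only when it is absent is the commit looked up in the provenance payload. The two payloads are constructed; their field names follow the SLSA v0.2 `materials` and SLSA v1 `resolvedDependencies` layouts, and the helpers `extract_digest` and `resolve_digest` are hypothetical names. The example goes one step beyond the PR text by accepting only a full 40-hex commit SHA from the provenance, so a truncated or malformed value cannot silently become the analysis target.

```python
"""Choose the commit digest for an analysis target.

Added example, not Macaron's code. Precedence: user-supplied --digest first,
then the commit recorded in the provenance for the user-supplied repository.
"""

from __future__ import annotations

import json
import re
from typing import Any

# Constructed SLSA v1 payload: the builder recorded the source it built from.
SAMPLE_V1_PROVENANCE: dict[str, Any] = json.loads("""
{
  "_type": "https://in-toto.io/Statement/v1",
  "predicateType": "https://slsa.dev/provenance/v1",
  "predicate": {
    "buildDefinition": {
      "resolvedDependencies": [
        {"uri": "git+https://github.com/example-org/example-repo@refs/heads/main",
         "digest": {"gitCommit": "0123456789abcdef0123456789abcdef01234567"}}
      ]
    }
  }
}
""")

# Constructed SLSA v0.2 payload using the older ``materials`` layout.
SAMPLE_V02_PROVENANCE: dict[str, Any] = json.loads("""
{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "predicate": {
    "materials": [
      {"uri": "git+https://github.com/example-org/example-repo",
       "digest": {"sha1": "89abcdef0123456789abcdef0123456789abcdef"}}
    ]
  }
}
""")

_GIT_SHA = re.compile(r"^[0-9a-f]{40}$")


def _source_entries(provenance: dict[str, Any]) -> list[dict[str, Any]]:
    """Return the source/dependency list for either SLSA layout."""
    predicate = provenance.get("predicate", {})
    if "buildDefinition" in predicate:  # SLSA v1
        return predicate["buildDefinition"].get("resolvedDependencies", [])
    return predicate.get("materials", [])  # SLSA v0.2


def extract_digest(provenance: dict[str, Any], repo_url: str) -> str | None:
    """Return the git commit recorded for ``repo_url``, or None if absent or malformed."""
    for entry in _source_entries(provenance):
        uri = entry.get("uri", "")
        if not uri.startswith("git+"):
            continue
        # Drop the ``git+`` scheme prefix and any ``@ref`` suffix before comparing.
        bare = uri[len("git+"):].split("@", 1)[0].rstrip("/")
        if bare != repo_url.rstrip("/"):
            continue
        digest = entry.get("digest", {})
        commit = digest.get("gitCommit") or digest.get("sha1")
        if commit and _GIT_SHA.match(commit):
            return commit
    return None


def resolve_digest(
    user_digest: str | None, provenance: dict[str, Any] | None, repo_url: str
) -> str | None:
    """Apply the precedence described in the PR: --digest wins, provenance is the fallback."""
    if user_digest:
        return user_digest
    if provenance is None:
        return None
    return extract_digest(provenance, repo_url)


if __name__ == "__main__":
    repo = "https://github.com/example-org/example-repo"
    print(resolve_digest(None, SAMPLE_V1_PROVENANCE, repo))       # from provenance
    print(resolve_digest("deadbeef" * 5, SAMPLE_V1_PROVENANCE, repo))  # user value wins
```

Matching on the repository URL matters: a provenance can list several git materials (the build tooling itself, for instance), and picking the first digest regardless of which repository it belongs to would pin the analysis to the wrong commit.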

@tromai tromai requested a review from behnazh-w as a code owner April 19, 2024 05:51
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Apr 19, 2024
@tromai tromai requested review from nicallen and nathanwn April 19, 2024 05:51
@nathanwn nathanwn (Member) left a comment

LGTM.

@tromai tromai merged commit fcda603 into staging Apr 21, 2024
@tromai tromai deleted the tromai/extract-digest-from-prov-when-repo-path-is-provide-but-no-digest-from-user branch April 21, 2024 23:35
art1f1c3R pushed a commit that referenced this pull request Nov 29, 2024
…gest is not provided from the user (#711)

Signed-off-by: Trong Nhan Mai <[email protected]>