Skip to content

fix: accept from-provenance repos as scm authentic #1131

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jul 29, 2025
Merged

fix: accept from-provenance repos as scm authentic #1131

merged 6 commits into from
Jul 29, 2025

Conversation

benmss
Copy link
Member

@benmss benmss commented Jul 22, 2025
edited
Loading

Summary

This PR updates the SCM Authenticity check to allow acceptance of repository URLs found from provenance as being authentic.

Description of changes

The check is changed to rely entirely on the repo verification results produced during analysis. Previously the check would reject any non-Maven PURLs.
The final confidence value for PASSED results is now reported as HIGH if the reason is from_provenance.

The class hierarchy of the repo verifiers has been extended to support repository verification from provenance. The new hierarchy is as follows:

  • RepoVerifierBase, the abstract base class exists to provide the verify_repo function stub.
  • RepoVerifierFromProvenance is an implementation of RepoVerifierBase that provides the from-repo functionality in its verify_repo function
  • RepoVerifierToolSpecific is an abstract class that inherits the functionality of RepoVerifierFromProvenance while providing an abstract property for subclass defined build tools (specific_tool), an abstract function verify_by_tool for tool specific functionality, and a pre-defined verify_repo function that makes use of the RepoVerifierFromProvenance functionality before calling the verify_by_tool function.
  • RepoVerifierMaven, RepoVerifierGradle, and future classes inherit from RepoVerifierToolSpecific and must provide their own specific functionality in the verify_by_tool function, and their build tool in the specific_tool property.

The integration test provenance_available is renamed to pypi_toga_provenance_authentic and re-used for this fix to demonstrate that a PyPI package can pass the SCM authenticity check.

Related issues

Closes #1128

@benmss benmss added this to the Release version 0.17.0 milestone Jul 22, 2025
@benmss benmss self-assigned this Jul 22, 2025
@benmss benmss added the bug Something isn't working label Jul 22, 2025
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Jul 22, 2025
@benmss benmss marked this pull request as ready for review July 22, 2025 06:44
@benmss benmss requested review from behnazh-w and tromai as code owners July 22, 2025 06:44
behnazh-w
behnazh-w reviewed Jul 22, 2025
View reviewed changes
Copy link
Member

@behnazh-w behnazh-w left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please pick an integration test that generates a provenance and make sure the scm authenticity passes?

Also, the description of the check on the index.rst needs to be adjusted.

benmss added 4 commits July 23, 2025 16:07
@benmss
fix: accept from-provenance repos as scm authentic
4a6d636 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: upgrade confidence; remove print; include scm check in provena…
77e809d 
…nce available integration test

Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: update docs
6f7acea 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss
chore: rename integration test and update description
b144f9c 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss benmss force-pushed the 1128-fix-scm-authenticity branch from b36d0b3 to b144f9c Compare July 23, 2025 06:08
behnazh-w
behnazh-w previously approved these changes Jul 23, 2025
View reviewed changes
@behnazh-w behnazh-w self-requested a review July 23, 2025 07:11
behnazh-w
behnazh-w reviewed Jul 23, 2025
View reviewed changes
@benmss
chore: move from-provenance verification logic to verifier; expand ve…
f6d6a3e 
…rifier hierarchy

Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
behnazh-w
behnazh-w previously approved these changes Jul 28, 2025
View reviewed changes
@behnazh-w behnazh-w self-requested a review July 28, 2025 23:22
@benmss
chore: restore None checks in check
4d9c3f6 
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss benmss merged commit 014c8d2 into main Jul 29, 2025
13 of 16 checks passed
@benmss benmss deleted the 1128-fix-scm-authenticity branch July 29, 2025 07:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@behnazh-w behnazh-w behnazh-w approved these changes

@tromai tromai Awaiting requested review from tromai

Assignees

@benmss benmss

Labels

bug Something isn't working OCA Verified All contributors have signed the Oracle Contributor Agreement.

Projects

None yet

Milestone

Release version 0.17.0

Development

Successfully merging this pull request may close these issues.

SCM Authencitiy check should accept repositories found in provenance

2 participants

@benmss @behnazh-w