chore: fix spelling errors (#612)
Signed-off-by: Josh Soref <jsoref@gmail.com>
jsoref authored Jan 24, 2024
1 parent d94475e commit 298e1d8
Showing 38 changed files with 62 additions and 61 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/_build.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ jobs:
GITHUB_TOKEN: ${{ github.token }}

# Generate the requirements.txt that contains the hash digests of the dependencies and
# generate the SBOM using CyclonDX SBOM generator.
# generate the SBOM using CycloneDX SBOM generator.
- name: Generate requirements.txt and SBOM
if: matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
run: make requirements sbom
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ jobs:
contents: read
packages: read

# Create a new Release on Github from the verified build artifacts, and optionally
# Create a new Release on GitHub from the verified build artifacts, and optionally
# publish the artifacts to a PyPI server.
release:
needs: [build]
Expand Down Expand Up @@ -284,7 +284,7 @@ jobs:
# provenance-docker:
# needs: [release]
# permissions:
# actions: read # To detect the Github Actions environment.
# actions: read # To detect the GitHub Actions environment.
# id-token: write # To create OIDC tokens for signing.
# packages: write # To upload provenance.
# uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.6.0
Expand Down
2 changes: 1 addition & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@

- resolve podman compatibility issues (#512)
- do not use git set-branches if the target branch is not currently available in the repository (#491)
- fix bash syntax error when running `run_macaron.sh` on MacOS (#528)
- fix bash syntax error when running `run_macaron.sh` on macOS (#528)

### Refactor

Expand Down
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -156,7 +156,7 @@ souffle:
# package dependencies declared in pyproject.toml.
# Go dependencies are only upgraded by Dependabot and managed differently
# from Python dependencies and by default the upgrade target does not
# upgrade Go dependencies. To upgrade the Go depenencies use the
# upgrade Go dependencies. To upgrade the Go dependencies use the
# `upgrade-go` target directly, which uses the code snippet suggested
# here instead of `go get -u` to avoid updating indirect dependencies
# and creating a broken state:
Expand Down
6 changes: 3 additions & 3 deletions THIRD_PARTY_LICENSES.txt
Original file line number Diff line number Diff line change
Expand Up @@ -5434,7 +5434,7 @@ Copyright 2020 Google LLC.
Copyright 2020 Google LLC. All Rights Reserved.
Copyright 2020 Google LLC. All Rights Reserved.\n" +
Copyright 2020 Gregor Martynus
Copyright 2020 Intel Coporation.
Copyright 2020 Intel Corporation.
Copyright 2020 The Go Authors. All rights reserved.
Copyright 2020 The Kubernetes Authors.
Copyright 2020 The gRPC Authors
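Review bot: The `Copyright 2020 Intel Coporation.` line corrected here (and again in the hunks at 10201 and 10890) sits in THIRD_PARTY_LICENSES.txt, which reproduces other projects' copyright notices. Please confirm whether the misspelling comes from the upstream notice and whether this file is generated; if it is, the edit will be lost on the next regeneration and the notice would no longer match its source verbatim, so it may be better to leave this file out of the spelling pass.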
Expand Down Expand Up @@ -10201,7 +10201,7 @@ SPDX:Apache-2.0
== Copyright
Copyright 2013 Google Inc. All Rights Reserved.
Copyright 2019 The Kubernetes Authors.
Copyright 2020 Intel Coporation.
Copyright 2020 Intel Corporation.
Copyright 2020 The Kubernetes Authors.
Copyright 2021 The Kubernetes Authors.
Copyright 2022 The Kubernetes Authors.
Expand Down Expand Up @@ -10890,7 +10890,7 @@ Copyright 2020 Google LLC.
Copyright 2020 Google LLC. All Rights Reserved.
Copyright 2020 Google LLC. All Rights Reserved.\n" +
Copyright 2020 Gregor Martynus
Copyright 2020 Intel Coporation.
Copyright 2020 Intel Corporation.
Copyright 2020 The Go Authors. All rights reserved.
Copyright 2020 The Kubernetes Authors.
Copyright 2020 The gRPC Authors
Expand Down
4 changes: 2 additions & 2 deletions docker/Dockerfile.base
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ enabled=1\
# Exception: netbase (We couldn't find an equivalent in Oracle Linux).
tzdata \
ca-certificates \
# git and finutils are needed for running and building Macaron.
# git and findutils are needed for running and building Macaron.
git \
findutils \
# Runtime libraries for Souffle. These are based on
Expand Down Expand Up @@ -205,7 +205,7 @@ enabled=1\
&& souffle --version \
# ---------------------------------------------------------------------------------------------------------------------
# CLEANING UP.
# We mark all unecessary packages to be removed while preserving the user installed packages.
# We mark all unnecessary packages to be removed while preserving the user installed packages.
&& dnf list installed | tail -n +2 | cut -d' ' -f1 | xargs -r dnf mark remove > /dev/null \
&& [ -z "$USER_MANUAL_INSTALLED" ] || dnf mark install $USER_MANUAL_INSTALLED \
# Look for share libraries that are used by looking through the executables in /usr/local to preserve them.
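Review bot: The context line right after the cleaned-up comment still reads `# Look for share libraries that are used ...`; "share libraries" should be "shared libraries". Since this hunk already touches the CLEANING UP comment block, fix it in the same pass.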
Expand Down
2 changes: 1 addition & 1 deletion docker/Dockerfile.final
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ ENV HOME="/home/macaron"

ENV PACKAGE_PATH=$HOME/.venv/lib/python3.11/site-packages/macaron

# Create the macaron user and group with abritary UID and GID.
# Create the macaron user and group with arbitrary UID and GID.
# The macaron GID and UID in this image will be modified by the
# user.sh script on startup to get the UID and GID of the user who started
# the Docker container.
Expand Down
2 changes: 1 addition & 1 deletion docs/source/index.rst
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,7 @@ How does Macaron work?
:alt: Macaron infrastructure
:align: center

Macaron's infrastucture
Macaron's infrastructure

Macaron is designed based on a Zero Trust model. It analyzes a target repository as an external
tool and requires minimal configurations. After cloning a repository, Macaron parses the CI
Expand Down
2 changes: 1 addition & 1 deletion docs/source/pages/output_files.rst
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ The report files will be stored into:

.. code-block::
<path_to_ouput>/reports/github_com/micronaut-projects/micronaut-core
<path_to_output>/reports/github_com/micronaut-projects/micronaut-core
.. note:: In the unique path, only ASCII letters, digits and ``-`` are allowed. Prohibited characters are changed into
``_``. No changes to the letter case are made.
Expand Down
2 changes: 1 addition & 1 deletion docs/source/pages/tutorials/commit_finder.rst
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ To perform an analysis on Arrow, Macaron can be run with the following command:
./run_macaron.sh analyze -rp https://github.com/arrow-py/arrow --skip-deps
However, this will return results based only on the current state of the repository, which as described above, is not what we want to achieve in this tutorial. To perform analyses on other repository states, we need to provide Macaron with the target artifact versions in the form of `PURLs <https://github.com/package-url/purl-spec>`_, or Package URLs, which is a convenient way to encodify packages from different ecosystems into the same format.
However, this will return results based only on the current state of the repository, which as described above, is not what we want to achieve in this tutorial. To perform analyses on other repository states, we need to provide Macaron with the target artifact versions in the form of `PURLs <https://github.com/package-url/purl-spec>`_, or Package URLs, which is a convenient way to encode packages from different ecosystems into the same format.

In our case we are looking at a Python package, so our PURL must reflect that. For versions we will analyze ``1.3.0`` and ``0.15.0``, giving us the following PURLs:

Expand Down
2 changes: 1 addition & 1 deletion docs/source/pages/tutorials/detect_malicious_java_dep.rst
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ First, we need to run the ``analyze`` command of Macaron to run a number of :ref
.. note:: By default, Macaron clones the repositories and creates output files under the ``output`` directory. To understand the structure of this directory please see :ref:`Output Files Guide <output_files_guide>`.

By default, this command analyzes the the latest commit of the default branch of the repository. You can also analyze the repository
By default, this command analyzes the latest commit of the default branch of the repository. You can also analyze the repository
at a specific commit by providing the branch and commit digest. See the :ref:`CLI options<analyze-command-cli>` of the ``analyze`` command for more information.
After running the ``analyze`` command, we can view the data that Macaron has gathered about the ``example-maven-app`` repository in an HTML report.

Expand Down
10 changes: 5 additions & 5 deletions docs/source/pages/using.rst
Original file line number Diff line number Diff line change
Expand Up @@ -18,12 +18,12 @@ Analyzing a source code repository
----------------------------------

''''''''''''''''''''''''''''''''''''
Analyzing a public Github repository
Analyzing a public GitHub repository
''''''''''''''''''''''''''''''''''''

Macaron can analyze a Github public repository (and potentially the repositories of it dependencies) to determine its SLSA posture following the specification of `SLSA v0.1 <https://slsa.dev/spec/v0.1/>`_.
Macaron can analyze a GitHub public repository (and potentially the repositories of it dependencies) to determine its SLSA posture following the specification of `SLSA v0.1 <https://slsa.dev/spec/v0.1/>`_.

To run Macaron on a Github public repository, we use the following command:
To run Macaron on a GitHub public repository, we use the following command:

.. code-block:: shell
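Review bot: The changed sentence under "Analyzing a public GitHub repository" still contains a typo: `the repositories of it dependencies` should read `the repositories of its dependencies`. The wording is also inconsistent within the hunk ("a public GitHub repository" in the heading, "a GitHub public repository" in the two sentences); consider using the heading's word order throughout.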
Expand Down Expand Up @@ -102,7 +102,7 @@ To simplify the examples, we use the same configurations as above if needed (e.g
pkg:<git_service_hostname>/<organization>/<name>
The list bellow shows examples for the corresponding PURL strings for different git repositories:
The list below shows examples for the corresponding PURL strings for different git repositories:

.. list-table:: Examples of PURL strings for git repositories.
:widths: 50 50
Expand Down Expand Up @@ -332,7 +332,7 @@ Macaron's policy engine accepts policies specified in `Datalog <https://en.wikip
can verify if a project and all its dependencies pass certain checks. We use `Soufflé <https://souffle-lang.github.io/index.html>`_
as the Datalog engine in Macaron. Once you run the checks on a target project as described :ref:`here <analyze-command>`,
the check results will be stored in ``macaron.db`` in the output directory. We pass the check results to the policy engine by providing the path to ``macaron.db`` together with a Datalog policy file to be validated by the policy engine.
In the Datalog policy file, we must specify the identifier for the target software component that we are interested in to validate the policy against. These are two ways to specify the target software component in the Datalog policy file:
In the Datalog policy file, we must specify the identifier for the target software component that interests us to validate the policy against. These are two ways to specify the target software component in the Datalog policy file:

#. Using the complete name of the target component (e.g. ``github.com/oracle-quickstart/oci-micronaut``)
#. Using the PURL string of the target component (e.g. ``pkg:github.com/oracle-quickstart/oci-micronaut@<commit_sha>``).
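Review bot: The reworded policy-file sentence goes beyond a spelling fix and still reads awkwardly: `the target software component that interests us to validate the policy against`. Suggest something like "the identifier of the target software component to validate the policy against". The following sentence, `These are two ways to specify ...`, should probably be "There are two ways ...".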
Expand Down
2 changes: 1 addition & 1 deletion scripts/dev_scripts/integration_tests.sh
Original file line number Diff line number Diff line change
Expand Up @@ -467,7 +467,7 @@ HTML_EXPECTED=$WORKSPACE/output/reports/local_repos/maven/maven.html

$RUN_MACARON -lr $WORKSPACE/output/git_repos/local_repos/ analyze -rp test_repo -b master -d 3fc399318edef0d5ba593723a24fff64291d6f9b --skip-deps || log_fail

# We don't compare the report content because the remote_path fields in the reports are undeterministic when running
# We don't compare the report content because the remote_path fields in the reports are nondeterministic when running
# this test locally and running it in the GitHub Actions runner. We only check if the reports are generated as
# expected without the issue described in https://github.com/oracle/macaron/issues/116.
ls $JSON_EXPECTED || log_fail
Expand Down
2 changes: 1 addition & 1 deletion scripts/release_scripts/run_macaron.sh
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@
set -euo pipefail

# The `extglob` shopt option is required for the `@(...)` pattern matching syntax.
# This option is not enabled by default for bash on some systems, most notably MacOS
# This option is not enabled by default for bash on some systems, most notably macOS
# where the default bash version is very old.
# Reference: https://www.gnu.org/software/bash/manual/html_node/The-Shopt-Builtin.html
shopt -s extglob
Expand Down
2 changes: 1 addition & 1 deletion src/macaron/__main__.py
Original file line number Diff line number Diff line change
Expand Up @@ -109,7 +109,7 @@ def analyze_slsa_levels_single(analyzer_single_args: argparse.Namespace) -> None
# of the Configuration class, but if `` analyzer_single_args.package_url`` is None, the ``purl`` field is set
# to None in the Configuration instance.
# This inconsistency could cause potential issues when Macaron handles those inputs.
# TODO: improve the implementation of ``Configuation`` class to avoid such inconsistencies.
# TODO: improve the implementation of ``Configuration`` class to avoid such inconsistencies.
run_config = {
"target": {
"id": purl or repo_path or "",
Expand Down
2 changes: 1 addition & 1 deletion src/macaron/output_reporter/templates/base_template.html
Original file line number Diff line number Diff line change
Expand Up @@ -256,7 +256,7 @@
}

/*
The reason why we need to create a separate .toggler class is because all .caret class are set binded
The reason we need to create a separate .toggler class is that the .caret class is bound
to the listener for extending/collapsing the provenance fields.
*/
.caret, .toggler {
Expand Down
2 changes: 1 addition & 1 deletion src/macaron/policy_engine/examples/aggregate.dl
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ apply_policy_to("aggregate_level_3", repo_id) :-
// if we have provenance, then require using a trusted builder,
// verifying the provenance attestations, and
// dependencies must use some kind of scripted build
repository_analysis(_, componen_id, repo_id, name),
repository_analysis(_, component_id, repo_id, name),
provenance(_, component_id, _, _, _, _).

// Require everything to have version control
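Review bot: Renaming `componen_id` to `component_id` in the `repository_analysis(...)` atom is a behaviour change, not a spelling fix. In the old line `componen_id` was a different variable from the `component_id` used in `provenance(_, component_id, _, _, _, _)`, so the two visible atoms were not joined on the component; with the rename they are. That looks like the intended rule, but it changes what the `aggregate_level_3` example policy matches, so it deserves its own mention in the commit message (or a separate `fix:` commit) and a re-run of whatever tests exercise this example.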
Expand Down
2 changes: 1 addition & 1 deletion src/macaron/repo_finder/repo_finder.py
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
For Python, .NET, Rust, and NodeJS type PURLs, Google's Open Source Insights API is used to find the meta data.
In either case, any repository links are extracted from the meta data, then checked for validity via
``repo_validator::find_valid_repository_url`` which accepts URLs that point to a Github repository or similar.
``repo_validator::find_valid_repository_url`` which accepts URLs that point to a GitHub repository or similar.
Repository PURLs
----------------
Expand Down
2 changes: 1 addition & 1 deletion src/macaron/slsa_analyzer/checks/build_as_code_check.py
Original file line number Diff line number Diff line change
Expand Up @@ -164,7 +164,7 @@ def _check_build_tool(

trusted_deploy_actions = build_tool.ci_deploy_kws["github_actions"] or []

# Check for use of a trusted Github Actions workflow to publish/deploy.
# Check for use of a trusted GitHub Actions workflow to publish/deploy.
# TODO: verify that deployment is legitimate and not a test
if trusted_deploy_actions:
for callee in ci_info["callgraph"].bfs():
Expand Down
2 changes: 1 addition & 1 deletion src/macaron/slsa_analyzer/checks/build_service_check.py
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@ def _has_build_command(self, commands: list[list[str]], build_tool: BaseBuildToo
continue
# The first argument in a bash command is the program name.
# So first check that the program name is a supported build tool name.
# We need to handle cases where the the first argument is a path to the program.
# We need to handle cases where the first argument is a path to the program.
cmd_program_name = os.path.basename(com[0])
if not cmd_program_name:
logger.debug("Found invalid program name %s.", com[0])
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@ def verify_artifact_assets(


class ProvenanceWitnessL1Table(CheckFacts, ORMBase):
"""Result table for provenenance l3 check."""
"""Result table for provenance l3 check."""

__tablename__ = "_provenance_witness_l1_check"
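Review bot: The corrected docstring on `ProvenanceWitnessL1Table` still says `provenance l3 check`, while the class name and `__tablename__ = "_provenance_witness_l1_check"` both refer to the witness L1 check. This looks like a copy-paste leftover; suggest "Result table for provenance witness l1 check." while the line is being edited.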

Expand Down
2 changes: 1 addition & 1 deletion src/macaron/slsa_analyzer/git_service/api_client.py
Original file line number Diff line number Diff line change
Expand Up @@ -148,7 +148,7 @@ class _GhAPIEndPoint(Enum):


class GhAPIClient(BaseAPIClient):
"""This class acts as a client to use Github API.
"""This class acts as a client to use GitHub API.
See https://docs.github.com/en/rest for the GitHub API documentation.
"""
Expand Down
4 changes: 2 additions & 2 deletions src/macaron/slsa_analyzer/git_url.py
Original file line number Diff line number Diff line change
Expand Up @@ -117,7 +117,7 @@ def check_out_repo_target(
) -> bool:
"""Checkout the branch and commit specified by the user.
This fucntion assumes that a remote "origin" exist and checkout from that remote ONLY.
This function assumes that a remote "origin" exist and checkout from that remote ONLY.
If ``offline_mode`` is False, this function will fetch new changes from origin remote. The fetching operation
will prune and update all references (e.g. tags, branches) to make sure that the local repository is up-to-date
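Review bot: The corrected docstring line in `check_out_repo_target` still has a grammar error: `a remote "origin" exist and checkout from that remote ONLY` should be `a remote "origin" exists and checks out from that remote ONLY`. Worth fixing in the same edit since the line is already changed.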
Expand All @@ -132,7 +132,7 @@ def check_out_repo_target(
If ``branch_name`` is not provided and a commit is provided, this function will checkout the commit directly.
If both ``branch_name`` and a commit are provided, this function will checkout the commit directly only if that
commit exists in the branch origin/<branch_name>. If not, this fucntion will return False.
commit exists in the branch origin/<branch_name>. If not, this function will return False.
For all scenarios:
- If the checkout fails (e.g. a branch or a commit doesn't exist), this function will return
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -560,7 +560,7 @@ def extract_file_names_from_folder_info_payload(
Parameters
----------
folder_info_payload : JsonType
The JSON payload of a Folder Info reponse.
The JSON payload of a Folder Info response.
extensions : set[str] | None
The set of allowed extensions.
Filenames not ending in these extensions are omitted from the result.
Expand Down
2 changes: 1 addition & 1 deletion src/macaron/slsa_analyzer/provenance/intoto/v1/__init__.py
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

"""This module handles in-toto version version 1 attestations."""
"""This module handles in-toto version 1 attestations."""

from typing import TypedDict

Expand Down
2 changes: 1 addition & 1 deletion src/macaron/slsa_analyzer/registry.py
Original file line number Diff line number Diff line change
Expand Up @@ -338,7 +338,7 @@ def scan(self, target: AnalyzeContext, skipped_checks: list[SkippedInfo]) -> dic
----------
target : AnalyzeContext
The object containing processed data for the target repo.
skipped_checks : list[SkippedInfor]
skipped_checks : list[SkippedInfo]
The list of skipped checks information.
Returns
Expand Down
6 changes: 3 additions & 3 deletions tests/conftest.py
Original file line number Diff line number Diff line change
Expand Up @@ -344,7 +344,7 @@ def circle_ci_service(setup_test): # type: ignore # pylint: disable=unused-argu

@pytest.fixture()
def gitlab_ci_service(setup_test): # type: ignore # pylint: disable=unused-argument
"""Create a GitlabCI service instance.
"""Create a GitLabCI service instance.
Parameters
----------
Expand All @@ -353,8 +353,8 @@ def gitlab_ci_service(setup_test): # type: ignore # pylint: disable=unused-argu
Returns
-------
GitlabCI
The GitlabCI instance.
GitLabCI
The GitLabCI instance.
"""
gitlab_ci = GitLabCI()
gitlab_ci.load_defaults()
Expand Down
2 changes: 1 addition & 1 deletion tests/dependency_analyzer/cyclonedx/test_cyclonedx.py
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

"""This module tests the CyclondeDX helper functions."""
"""This module tests the CycloneDX helper functions."""
import os
from pathlib import Path

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
# This is a valid GitHub Actions expression.
echo "hash=${{ steps.compute-hash.outputs.hash }}" >> "$GITHUB_OUTPUT"

# These maynot be valid GitHub Actions expressions but we want to make
# These may not be valid GitHub Actions expressions but we want to make
# sure we can handle such cases using greedy regex matching.
echo "hash=${{ ${{ FOO }} }}"
echo "hash=${{ ${ FOO } }}"
Expand Down
2 changes: 1 addition & 1 deletion tests/policy_engine/test_souffle.py
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ def test_error() -> None:
raise ValueError()


def test_consecuitve() -> None:
def test_consecutive() -> None:
"""
Test running different programs in the same context.
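Review bot: Renaming `test_consecuitve` to `test_consecutive` changes the pytest node id, which is a code change rather than a comment fix. Please check that nothing selects or deselects the test by its old name (for example a `-k` expression or a skip list in CI configuration) before merging.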
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ jobs:
tar -xzf ${{ env.TAR_BALL }} -C "$temp_dir" --strip 1
maven_bin_dir=$temp_dir/bin
if [ -d $maven_bin_dir ]; then
echo "tar.gz file \"${{ env.TAR_BALL }}\" succesfully extracted in temporarily directory \"$temp_dir.\""
echo "tar.gz file \"${{ env.TAR_BALL }}\" successfully extracted in temporarily directory \"$temp_dir.\""
echo "TEMP_MAVEN_BIN_DIR=$maven_bin_dir" >> $GITHUB_ENV
else
echo "$maven_bin_dir does not exist."
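Review bot: The corrected `echo` line still says `extracted in temporarily directory`; "temporarily" should be "temporary". If this workflow file is a test fixture whose content is compared or parsed by tests, confirm that editing the string does not affect expected results.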
Expand Down