chore: create a new release

.github/workflows/_build.yaml

@@ -52,7 +52,7 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       with:
         fetch-depth: 0
 
@@ -63,7 +63,7 @@ jobs:
 
     # Install Java.
     - name: Set up JDK
-      uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
+      uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4.4.0
       with:
         distribution: oracle
         java-version: '17'

.github/workflows/_build_docker.yaml

@@ -27,7 +27,7 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       with:
         fetch-depth: 0
 

.github/workflows/_deploy-github-pages.yaml

@@ -30,7 +30,7 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       with:
         fetch-depth: 0
 

.github/workflows/_generate-rebase.yaml

@@ -36,7 +36,7 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       with:
         fetch-depth: 0
         token: ${{ secrets.REPO_ACCESS_TOKEN }}

.github/workflows/build_base_image.yaml

@@ -19,7 +19,7 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       with:
         fetch-depth: 0
 

.github/workflows/codeql-analysis.yaml

@@ -37,7 +37,7 @@ jobs:
     steps:
 
     - name: Checkout repository
-      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
     - name: Set up Python
       uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0

.github/workflows/pr-conventional-commits.yaml

@@ -25,7 +25,7 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       with:
         fetch-depth: 0
 

.github/workflows/release.yaml

@@ -39,7 +39,7 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       with:
         fetch-depth: 0
         token: ${{ secrets.REPO_ACCESS_TOKEN }}
@@ -115,7 +115,7 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       with:
         fetch-depth: 0
 
@@ -305,7 +305,7 @@ jobs:
   #   steps:
 
   #   - name: Check out repository
-  #     uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+  #     uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
   #     with:
   #       fetch-depth: 0
 

.github/workflows/scorecards-analysis.yaml

@@ -29,7 +29,7 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       with:
         persist-credentials: false
 

.pre-commit-config.yaml

@@ -199,7 +199,7 @@ repos:
 
 # A linter for Golang
 - repo: https://github.com/golangci/golangci-lint
-  rev: v1.59.1
+  rev: v1.61.0
   hooks:
   - id: golangci-lint
 

CONTRIBUTING.md

@@ -81,7 +81,7 @@ a detailed commit message body is preferred. Make sure to keep the `Signed-off-b
 ### Prerequisites
 
 - Python 3.11
-- Go 1.21
+- Go 1.23
 - JDK 17
 
 ### Prepare the environment

Makefile

@@ -96,7 +96,7 @@ setup-go:
 	go build -o $(PACKAGE_PATH)/bin/cuevalidate.so -buildmode=c-shared $(REPO_PATH)/golang/internal/cue_validator/cue_validator.go
 setup-binaries: $(PACKAGE_PATH)/bin/slsa-verifier $(PACKAGE_PATH)/resources/mvnw $(PACKAGE_PATH)/resources/gradlew souffle gnu-sed
 $(PACKAGE_PATH)/bin/slsa-verifier:
-	git clone --depth 1 https://github.com/slsa-framework/slsa-verifier.git -b v2.5.1
+	git clone --depth 1 https://github.com/slsa-framework/slsa-verifier.git -b v2.6.0
 	cd slsa-verifier/cli/slsa-verifier && go build -o $(PACKAGE_PATH)/bin/
 	cd $(REPO_PATH) && rm -rf slsa-verifier
 $(PACKAGE_PATH)/resources/mvnw:
@@ -143,39 +143,48 @@ else
     OS_DISTRO := "$(shell grep '^NAME=' /etc/os-release | sed 's/^NAME=//' | sed 's/"//g')"
   endif
 endif
+# If Souffle cannot be installed, we advise the user to install it manually
+# and return status code 0, which is not considered a failure.
 .PHONY: souffle
 souffle:
 	if ! command -v souffle; then \
-		echo "Installing system dependency: souffle" && \
-	    case $(OS_DISTRO) in \
-	        "Oracle Linux") \
-                sudo dnf -y install https://github.com/souffle-lang/souffle/releases/download/2.4/x86_64-oraclelinux-8-souffle-2.4-Linux.rpm \
-                ;; \
-	        "Fedora Linux") \
-                sudo dnf -y install https://github.com/souffle-lang/souffle/releases/download/2.4/x86_64-fedora-34-souffle-2.4-Linux.rpm \
-                ;; \
-            "Ubuntu") \
-                sudo wget https://souffle-lang.github.io/ppa/souffle-key.public -O /usr/share/keyrings/souffle-archive-keyring.gpg; \
-                echo "deb [signed-by=/usr/share/keyrings/souffle-archive-keyring.gpg] https://souffle-lang.github.io/ppa/ubuntu/ stable main" | sudo tee /etc/apt/sources.list.d/souffle.list; \
-                sudo apt update; \
-                sudo apt install souffle; \
-                ;; \
-            "Darwin") \
-                if command -v brew; then \
-                    brew install --HEAD souffle-lang/souffle/souffle; \
-                else \
-                    echo "Unable to install Souffle. Please install it manually." && exit 0; \
-                fi ;; \
-	esac;                                                                                                                                                  \
+	  echo "Installing system dependency: souffle" && \
+	  case $(OS_DISTRO) in \
+	    "Oracle Linux") \
+	      sudo dnf -y install https://github.com/souffle-lang/souffle/releases/download/2.4/x86_64-oraclelinux-8-souffle-2.4-Linux.rpm;; \
+	    "Fedora Linux") \
+	      sudo dnf -y install https://github.com/souffle-lang/souffle/releases/download/2.4/x86_64-fedora-34-souffle-2.4-Linux.rpm;; \
+	    "Ubuntu") \
+	      sudo wget https://souffle-lang.github.io/ppa/souffle-key.public -O /usr/share/keyrings/souffle-archive-keyring.gpg; \
+	      echo "deb [signed-by=/usr/share/keyrings/souffle-archive-keyring.gpg] https://souffle-lang.github.io/ppa/ubuntu/ stable main" | sudo tee /etc/apt/sources.list.d/souffle.list; \
+	      sudo apt update; \
+	      sudo apt install souffle;; \
+	    "Darwin") \
+	      if command -v brew; then \
+	        brew install --HEAD souffle-lang/souffle/souffle; \
+	      else \
+	        echo "Unable to install Souffle. Please install it manually." && exit 0; \
+	      fi;; \
+	    *) \
+	      echo "Unsupported OS distribution: $(OS_DISTRO)"; exit 0;; \
+	  esac; \
 	fi && \
-    command -v souffle || true
+	command -v souffle
 
 # Install gnu-sed on mac using homebrew
 .PHONY: gnu-sed
 gnu-sed:
 	if [ "$(OS_DISTRO)" == "Darwin" ]; then \
-		brew install gnu-sed; \
-	fi
+	  if ! command -v gsed; then \
+	    if command -v brew; then \
+	      brew install gnu-sed; \
+	    elif command -v port; then \
+	      sudo port install gsed; \
+	    else \
+	      echo "Unable to install GNU sed on macOS. Please install it manually." && exit 1; \
+	    fi; \
+	  fi; \
+	fi;
 
 # Install or upgrade an existing virtual environment based on the
 # package dependencies declared in pyproject.toml.

THIRD_PARTY_LICENSES.txt

@@ -13055,3 +13055,7 @@ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI
 -----------------------------------separator-----------------------------------
 
 ================================================================================
+
+Google deps.dev
+
+As well as aggregating data, deps.dev generates additional data, including resolved dependencies, advisory statistics, associations between entities, etc. This generated data is available under a CC-BY 4.0 license - https://creativecommons.org/licenses/by/4.0/.

docs/source/_static/schemastore/find_source_report_schema.json

@@ -0,0 +1,27 @@
+{
+    "$schema": "https://json-schema.org/draft/2020-12/schema",
+    "$id": "macaron-source-finder-json-report-schema",
+    "title": "Macaron Source Finder JSON Report",
+    "$comment": "For any details about the schema specification and validation documentation, see https://json-schema.org/draft/2020-12/draft-bhutton-json-schema-00 and https://json-schema.org/draft/2020-12/draft-bhutton-json-schema-validation-00.",
+    "type": "object",
+    "properties": {
+        "purl": {
+            "type": "string"
+        },
+        "commit": {
+            "type": "string"
+        },
+        "repo": {
+            "type": "string"
+        },
+        "repo_validated": {
+            "type": "boolean"
+        },
+        "commit_validated": {
+            "type": "boolean"
+        },
+        "url": {
+            "type": "string"
+        }
+    }
+}

docs/source/index.rst

@@ -53,6 +53,9 @@ the requirements that are currently supported by Macaron.
    * - Check ID
      - SLSA requirement
      - Concrete check
+   * - ``mcn_build_tool_1``
+     - **Build tool exists** - The source code repository includes configurations for a supported build tool used to produce the software component.
+     - Detect the build tool used in the source code repository to build the software component.
    * - ``mcn_build_script_1``
      - **Scripted build** - All build steps were fully defined in a “build script”.
      - Identify and validate build script(s).
@@ -74,7 +77,7 @@ the requirements that are currently supported by Macaron.
    * - ``mcn_build_as_code_1``
      - **Build as code** - If a trusted builder is not present, this requirement determines that the build definition and configuration executed by the build service is verifiably derived from text file definitions stored in a version control system.
      - Identify and validate the CI service(s) used to build and deploy/publish an artifact.
-   * - ``mcn_infer_artifact_pipeline_1``
+   * - ``mcn_find_artifact_pipeline_1``
      - **Infer artifact publish pipeline** - When a provenance is not available, checks whether a CI workflow run has automatically published the artifact.
      - Identify a workflow run that has triggered the deploy step determined by the ``Build as code`` check.
    * - ``mcn_provenance_level_three_1``
@@ -89,6 +92,9 @@ the requirements that are currently supported by Macaron.
    * - ``mcn_provenance_derived_commit_1``
      - **Provenance derived commit** - Check if the analysis target's commit matches the commit in the provenance.
      - If there is no commit, this check will fail.
+   * - ``mcn_scm_authenticity_check_1``
+     - **Source repo authenticity** - Check whether the claims of a source code repository made by a package can be corroborated.
+     - If the source code repository contains conflicting evidence regarding its claim of the source code repository, this check will fail. If no source code repository or corroborating evidence is found, or if the build system is unsupported, the check will return ``UNKNOWN`` as the result. This check currently supports only Maven artifacts.
 
 ****************************************************************************************
 Macaron checks that report integrity issues but do not map to SLSA requirements directly
@@ -101,7 +107,7 @@ Macaron checks that report integrity issues but do not map to SLSA requirements
    * - Check ID
      - Description
    * - ``mcn_detect_malicious_metadata_1``
-     - This check analyzes the metadata of a package and reports malicious behavior. This check currently supports PyPI packages.
+     - This check performs analysis on PyPI package metadata to detect malicious behavior. It also reports known malware from other ecosystems, but the analysis is currently limited to PyPI packages.
 
 ----------------------
 How does Macaron work?

docs/source/pages/cli_usage/command_analyze.rst

@@ -21,8 +21,9 @@ Usage
 
     usage: ./run_macaron.sh analyze
         [-h] [-sbom SBOM_PATH] [-purl PURL] [-rp REPO_PATH] [-b BRANCH]
-        [-d DIGEST] [-pe PROVENANCE_EXPECTATION] [-c CONFIG_PATH]
-        [--skip-deps] [-g TEMPLATE_PATH]
+        [-d DIGEST] [-pe PROVENANCE_EXPECTATION]
+        [--skip-deps] [--deps-depth DEPS_DEPTH] [-g TEMPLATE_PATH]
+        [--python-venv PYTHON_VENV]
 
 -------
 Options
@@ -62,18 +63,22 @@ Options
 
     The path to the provenance file in in-toto format.
 
-.. option:: -c CONFIG_PATH, --config-path CONFIG_PATH
+.. option:: --skip-deps
 
-    The path to the user configuration.
+    DEPRECATED. Dependency resolution is off by default. This flag does nothing and will be removed in the next release.
 
-.. option:: --skip-deps
+.. option:: --deps-depth DEPS_DEPTH
 
-    Skip automatic dependency analysis.
+    The depth of the dependency resolution. 0: disable, 1: direct dependencies, inf: all transitive dependencies. (Default: 0)
 
 .. option:: -g TEMPLATE_PATH, --template-path TEMPLATE_PATH
 
     The path to the Jinja2 html template (please make sure to use .html or .j2 extensions).
 
+.. option::  --python-venv PYTHON_VENV
+
+    The path to the Python virtual environment of the target software component.
+
 -----------
 Environment
 -----------

docs/source/pages/cli_usage/command_find-source.rst

@@ -0,0 +1,38 @@
+.. Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+.. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+.. _find-source-command-cli:
+
+===========
+Find Source
+===========
+
+-----------
+Description
+-----------
+
+Find the source commit, and optionally source repository, of a target artifact.
+
+-----
+Usage
+-----
+
+.. code-block:: shell
+
+    usage: ./run_macaron.sh find-source -purl PURL [-rp REPO_PATH]
+
+-------
+Options
+-------
+
+.. option:: -h, --help
+
+    Show this help message and exit
+
+.. option:: -purl PACKAGE_URL, --package-url PACKAGE_URL
+
+    The PURL string used to uniquely identify the artifact.
+
+.. option:: -rp REPO_PATH, --repo-path REPO_PATH
+
+    The path to the repository.

docs/source/pages/developers_guide/apidoc/macaron.parsers.rst

@@ -40,3 +40,11 @@ macaron.parsers.github\_workflow\_model module
    :members:
    :undoc-members:
    :show-inheritance:
+
+macaron.parsers.pomparser module
+--------------------------------
+
+.. automodule:: macaron.parsers.pomparser
+   :members:
+   :undoc-members:
+   :show-inheritance:

docs/source/pages/developers_guide/apidoc/macaron.repo_finder.rst

@@ -65,6 +65,14 @@ macaron.repo\_finder.repo\_finder\_java module
    :undoc-members:
    :show-inheritance:
 
+macaron.repo\_finder.repo\_utils module
+---------------------------------------
+
+.. automodule:: macaron.repo_finder.repo_utils
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
 macaron.repo\_finder.repo\_validator module
 -------------------------------------------