Conversation
This PR was moved from apache/commons-build-plugin#417.

It adds a goal to generate a [SLSA](https://slsa.dev/) build attestation and attaches it to the build as a file with the `.intoto.json` extension. The attestation records the following information about the build environment:

- The Java version used (vendor, version string)
- The Maven version used
- The `gitTree` hash of the unpacked Java distribution
- The `gitTree` hash of the unpacked Maven distribution
You can find the documentation of what elements are contained in the attestations in this file (included in the PR): https://github.com/apache/commons-release-plugin/blob/feat/slsa/src/site/markdown/slsa/v0.1.0.md I have some doubts regarding which dependencies of the project build should be included in the attestation:
What about the JDK or OS?
Information about the JDK is already present. I don't know if we need information about the OS: that information is usually partially included in the JDK version strings.
garydgregory
left a comment
There is no need for an additional level of "internal" package naming IMO since the whole component is "internal" to our release process.
Artifacts are signed using the Maven GPG Plugin and the results are wrapped in the DSSE envelope.
In 16f776f I added support for DSSE envelope signing, which leverages the functionality of the GPG Maven plugin to sign the attestation with GPG and wrap both the payload and signature in a single file. A lot of it is vibe-coded, mostly reviewed, but it needs a thorough review, especially on the documentation side. If this helps, I could split this PR into three parts:
What do you think?
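The DSSE envelope described above signs a Pre-Authentication Encoding (PAE) of the payload type and payload, not the raw JSON, and a verifier must rebuild that same PAE from the envelope fields. The following is an added example, not the plugin's code: it builds the PAE and envelope for an in-toto Statement and verifies it; a keyed MAC stands in for the GPG signature so it runs offline, and the key id, subject name and digest are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Standard DSSE payload type for in-toto Statements (the SLSA provenance wrapper).
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE PAE: "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body, LEN in decimal ASCII."""
    type_bytes = payload_type.encode("utf-8")
    return b" ".join([
        b"DSSEv1",
        str(len(type_bytes)).encode("ascii"), type_bytes,
        str(len(payload)).encode("ascii"), payload,
    ])


def wrap_in_envelope(payload: bytes, payload_type: str, keyid: str, sign) -> dict:
    """Build a DSSE envelope; `sign` is a callable bytes -> bytes applied to the PAE."""
    sig = sign(pae(payload_type, payload))
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode("ascii"),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode("ascii")}],
    }


def verify_envelope(envelope: dict, verify) -> bool:
    """Re-derive the PAE from payloadType and decoded payload; a changed type fails verification."""
    payload = base64.b64decode(envelope["payload"])
    signed = pae(envelope["payloadType"], payload)
    return any(verify(signed, base64.b64decode(s["sig"])) for s in envelope["signatures"])


# Constructed stand-in for the GPG signer/verifier (a keyed MAC), so the example runs offline.
_DEMO_KEY = b"demo-key-not-a-real-gpg-key"


def demo_sign(data: bytes) -> bytes:
    return hmac.new(_DEMO_KEY, data, hashlib.sha256).digest()


def demo_verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(demo_sign(data), sig)


# Constructed minimal in-toto Statement; subject name and digest are placeholders.
STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "example-artifact.jar", "digest": {"sha256": "00" * 32}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {},
}, separators=(",", ":")).encode("utf-8")
```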
I don't want to review vibe coded output until you review it line-by-line and prune/validate any junk out of it. When you say it's been proofed, I'll take a look.
I have reviewed the generated parts, fixed Javadoc comments and added additional tests. The code is the first thing I look at and verify line by line. I must admit I don't look too much at Javadoc, especially since this project requires every method (even
If you don't review something, delete it then. Otherwise, you are effectively asking someone else to do it for you 😉
That is what I did with overly complex Javadoc comments.
As I mentioned before, this PR might be hard to check in one piece. What do you think about splitting it into pieces and discussing each piece separately?
Let me take a look in the morning...
| <module name="ImportOrder"> | ||
| <property name="option" value="top"/> | ||
| <property name="groups" value="java,javax,org"/> | ||
| <property name="groups" value="java,javax"/> |
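Review bot: the new `groups` value `java,javax` drops `org` from the explicit import groups, so `org.*` imports now land in the same implicit trailing group as third-party imports such as the new Jackson `com.*` ones; if that is deliberate (to match other Commons projects, as discussed below), a short comment next to the `<property>` or a sentence in the PR description would make the reason for touching checkstyle.xml visible to future readers.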
This change should not be required.
IIRC this is inconsistent with other Commons projects, where com.* and org.* imports are in the same group. Is there any reason to group them separately?
Pull request overview
Adds a new build-attestation Maven plugin goal to generate SLSA v1.2 build provenance (optionally DSSE+OpenPGP-signed) and attach it as an additional build artifact, along with supporting internal utilities, model classes, tests, and documentation.
Changes:
- Introduces a `build-attestation` mojo that emits a SLSA provenance statement (or DSSE envelope) and attaches it as an `intoto.jsonl` artifact.
- Adds SLSA v1.2 Jackson model classes plus supporting utilities for Git/JDK/Maven provenance and DSSE signing.
- Adds tests, fixtures, and site documentation describing the new build type and attestation format.
Reviewed changes
Copilot reviewed 27 out of 27 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| pom.xml | Adds dependencies/BOMs and configures filtered test resources; also changes project version. |
| checkstyle.xml | Adjusts import grouping to accommodate new third-party imports. |
| fb-excludes.xml | Adds SpotBugs suppression for representation-exposure findings. |
| src/main/java/org/apache/commons/release/plugin/mojos/BuildAttestationMojo.java | New mojo that builds and writes/attaches the attestation (optionally signed). |
| src/main/java/org/apache/commons/release/plugin/internal/ArtifactUtils.java | Utilities to build PURLs, filenames, and digest sets for artifacts. |
| src/main/java/org/apache/commons/release/plugin/internal/BuildDefinitions.java | Collects external parameters and creates JDK/Maven resource descriptors. |
| src/main/java/org/apache/commons/release/plugin/internal/DsseUtils.java | DSSE PAE generation and GPG signing helpers. |
| src/main/java/org/apache/commons/release/plugin/internal/GitUtils.java | Git helpers for branch detection, SCM URI conversion, and gitTree hashing. |
| src/main/java/org/apache/commons/release/plugin/internal/package-info.java | Package-level docs for internal utilities. |
| src/main/java/org/apache/commons/release/plugin/slsa/v1_2/package-info.java | Package-level docs for SLSA v1.2 model classes. |
| src/main/java/org/apache/commons/release/plugin/slsa/v1_2/BuildDefinition.java | SLSA build definition model. |
| src/main/java/org/apache/commons/release/plugin/slsa/v1_2/BuildMetadata.java | SLSA build metadata model. |
| src/main/java/org/apache/commons/release/plugin/slsa/v1_2/Builder.java | SLSA builder model. |
| src/main/java/org/apache/commons/release/plugin/slsa/v1_2/DsseEnvelope.java | DSSE envelope model. |
| src/main/java/org/apache/commons/release/plugin/slsa/v1_2/Provenance.java | SLSA provenance predicate root model. |
| src/main/java/org/apache/commons/release/plugin/slsa/v1_2/ResourceDescriptor.java | Resource descriptor model used for subjects/materials. |
| src/main/java/org/apache/commons/release/plugin/slsa/v1_2/RunDetails.java | SLSA run details model. |
| src/main/java/org/apache/commons/release/plugin/slsa/v1_2/Signature.java | DSSE signature model. |
| src/main/java/org/apache/commons/release/plugin/slsa/v1_2/Statement.java | in-toto Statement model wrapping the provenance. |
| src/site/markdown/slsa/v0.1.0.md | Documents the build type and attestation format/fields. |
| src/test/java/org/apache/commons/release/plugin/internal/BuildDefinitionsTest.java | Unit tests for command-line reconstruction. |
| src/test/java/org/apache/commons/release/plugin/internal/MojoUtils.java | Test utilities for setting up Plexus container/repo session. |
| src/test/java/org/apache/commons/release/plugin/mojos/BuildAttestationMojoTest.java | Integration-style tests for unsigned/signed attestation outputs. |
| src/test/resources/plugin.properties | Filtered plugin coordinates used by tests. |
| src/test/resources/attestations/commons-text-1.4.intoto.json | Filtered attestation fixture used as expected statement content. |
| src/test/resources/artifacts/artifact-jar.txt | Mock artifact fixture. |
| src/test/resources/artifacts/artifact-pom.txt | Mock artifact fixture. |
| <!-- Temporary version change to publish independent snapshot --> | ||
| <version>1.9.3.slsa-SNAPSHOT</version> |
The project version is changed to 1.9.3.slsa-SNAPSHOT with a note that it is temporary. If this PR is intended to land on the main development line, this will change the published coordinates and may break downstream consumers/CI expecting 1.9.3-SNAPSHOT. Consider reverting the version change (or moving it to a separate, non-merged branch/workflow).
| <!-- Mutable objects are not passed to untrusted methods, so we exclude these checks --> | ||
| <Match> |
This SpotBugs filter disables EI_EXPOSE_REP/EI_EXPOSE_REP2 globally for the entire project. That hides real findings outside the new SLSA model classes. Please scope the suppression to the specific package/classes that intentionally expose mutable state (e.g., the slsa.v1_2 models) rather than suppressing the patterns unconditionally.
| <!-- Mutable objects are not passed to untrusted methods, so we exclude these checks --> | |
| <Match> | |
| <!-- Mutable objects are intentionally exposed only by the SLSA v1_2 model classes --> | |
| <Match> | |
| <Class name="~.*\.slsa\.v1_2\..*" /> |
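Review bot: the suggested `<Class name="~.*\.slsa\.v1_2\..*" />` narrows the match by class-name regex (the leading `~` marks a SpotBugs regex), but the `<Bug pattern=...>` element naming EI_EXPOSE_REP/EI_EXPOSE_REP2 is not visible in this hunk; it must sit inside the same `<Match>` as the `<Class>` element, because a separate `<Match>` holding only the bug patterns would still suppress them project-wide. Note also that the regex covers any class added later under `slsa.v1_2`, not just the current model classes; list the classes explicitly if that is not wanted.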
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Hi @garydgregory, I corrected some minor defects, mostly in documentation, but with two relevant changes:
Since this PR is huge, what do you think about pushing the SLSA models to