apache · ppkarwasz · Mar 30, 2026 · Mar 30, 2026 · Apr 2, 2026 · Apr 3, 2026
diff --git a/checkstyle.xml b/checkstyle.xml
@@ -185,7 +185,7 @@
     <module name="UpperEll" />
     <module name="ImportOrder">
       <property name="option" value="top"/>
-      <property name="groups" value="java,javax,org"/>
+      <property name="groups" value="java,javax"/>
       <property name="ordered" value="true"/>
       <property name="separated" value="true"/>
     </module>

diff --git a/fb-excludes.xml b/fb-excludes.xml
@@ -18,6 +18,11 @@
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
 
+  <!-- Mutable objects are not passed to untrusted methods, so we exclude these checks -->
+  <Match>
-  <!-- Mutable objects are not passed to untrusted methods, so we exclude these checks -->
-  <Match>
+  <!-- Mutable objects are intentionally exposed only by the SLSA v1_2 model classes -->
+  <Match>
+    <Class name="~.*\.slsa\.v1_2\..*" />
-  <!-- Mutable objects are not passed to untrusted methods, so we exclude these checks -->
-  <Match>
+  <!-- Mutable objects are intentionally exposed only by the SLSA v1_2 model classes -->
+  <Match>
+    <Class name="~.*\.slsa\.v1_2\..*" />
+    <Bug pattern="EI_EXPOSE_REP,EI_EXPOSE_REP2" />
+  </Match>
+
   <!-- Omit junit tests -->
   <Match>
     <Class name="~.*\.*Test.*"/>

diff --git a/pom.xml b/pom.xml
@@ -26,7 +26,8 @@
   </parent>
   <artifactId>commons-release-plugin</artifactId>
   <packaging>maven-plugin</packaging>
-  <version>1.9.3-SNAPSHOT</version>
+  <!-- Temporary version change to publish independent snapshot -->
+  <version>1.9.3.slsa-SNAPSHOT</version>
   <name>Apache Commons Release Plugin</name>
   <description>
     Apache Maven Mojo for Apache Commons Release tasks.
@@ -113,7 +114,29 @@
     <!-- Until Maven plugins used here don't fail the Moditect plugin -->
     <moditect.skip>true</moditect.skip>
     <japicmp.skip>true</japicmp.skip>
+    <!-- Dependency versions -->
+    <commons.jackson.version>2.21.2</commons.jackson.version>
+    <commons.slf4j.version>2.0.17</commons.slf4j.version>
   </properties>
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>org.slf4j</groupId>
+        <artifactId>slf4j-bom</artifactId>
+        <version>${commons.slf4j.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+
+      <dependency>
+        <groupId>com.fasterxml.jackson</groupId>
+        <artifactId>jackson-bom</artifactId>
+        <version>${commons.jackson.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
   <dependencies>
     <dependency>
       <groupId>org.apache.commons</groupId>
@@ -171,6 +194,29 @@
       <artifactId>commons-compress</artifactId>
       <version>1.28.0</version>
     </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-lang3</artifactId>
+      <version>3.20.0</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.maven.plugins</groupId>
+      <artifactId>maven-gpg-plugin</artifactId>
+      <version>3.2.8</version>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-databind</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-annotations</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.datatype</groupId>
+      <artifactId>jackson-datatype-jsr310</artifactId>
+      <scope>runtime</scope>
+    </dependency>
     <dependency>
       <groupId>org.apache.maven.plugin-testing</groupId>
       <artifactId>maven-plugin-testing-harness</artifactId>
@@ -188,11 +234,34 @@
       <artifactId>junit-jupiter</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>net.javacrumbs.json-unit</groupId>
+      <artifactId>json-unit</artifactId>
+      <version>2.40.1</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-api</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.junit.vintage</groupId>
       <artifactId>junit-vintage-engine</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-core</artifactId>
+      <version>4.11.0</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-exec</artifactId>
+      <version>1.6.0</version>
+      <scope>test</scope>
+    </dependency>
     <!--  A bit of jar-hell requires this to come last. -->
     <dependency>
       <groupId>org.apache.maven</groupId>
@@ -223,6 +292,11 @@
         </exclusion>
       </exclusions>
     </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-simple</artifactId>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
   <build>
     <defaultGoal>clean verify apache-rat:check checkstyle:check spotbugs:check javadoc:javadoc site</defaultGoal>
@@ -240,6 +314,25 @@
         </includes>
       </resource>
     </resources>
+    <testResources>
+      <!-- Filter the attestation fixture and plugin coordinate file so they carry the current plugin version. -->
+      <testResource>
+        <directory>src/test/resources</directory>
+        <filtering>true</filtering>
+        <includes>
+          <include>attestations/**</include>
+          <include>plugin.properties</include>
+        </includes>
+      </testResource>
+      <testResource>
+        <directory>src/test/resources</directory>
+        <filtering>false</filtering>
+        <excludes>
+          <exclude>attestations/**</exclude>
+          <exclude>plugin.properties</exclude>
+        </excludes>
+      </testResource>
+    </testResources>
     <pluginManagement>
       <plugins>
         <plugin>
@@ -532,7 +625,7 @@
       <plugin>
         <groupId>com.github.spotbugs</groupId>
         <artifactId>spotbugs-maven-plugin</artifactId>
-      </plugin>              
+      </plugin>
     </plugins>
   </reporting>
 

diff --git a/src/main/java/org/apache/commons/release/plugin/internal/ArtifactUtils.java b/src/main/java/org/apache/commons/release/plugin/internal/ArtifactUtils.java
@@ -0,0 +1,158 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.internal;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.release.plugin.slsa.v1_2.ResourceDescriptor;
+import org.apache.maven.artifact.Artifact;
+import org.apache.maven.plugin.MojoExecutionException;
+
+/**
+ * Utilities to convert {@link Artifact} from and to other types.
+ */
+public final class ArtifactUtils {
+
+    /**
+     * Maps standard JDK {@link java.security.MessageDigest} algorithm names to the in-toto digest names used in SLSA {@link ResourceDescriptor} digest sets.
+     *
+     * <p>JDK algorithms that have no in-toto equivalent (such as {@code MD2}) are omitted.</p>
+     *
+     * @see <a href="https://docs.oracle.com/en/java/javase/25/docs/specs/security/standard-names.html#messagedigest-algorithms">
+     *      JDK standard {@code MessageDigest} algorithm names</a>
+     * @see <a href="https://github.com/in-toto/attestation/blob/main/spec/v1/digest_set.md">
+     *      in-toto digest set specification</a>
+     */
+    private static final Map<String, String> IN_TOTO_DIGEST_NAMES;
+
+    static {
+        final Map<String, String> m = new HashMap<>();
+        m.put("MD5", "md5");
+        m.put("SHA-1", "sha1");
+        m.put("SHA-224", "sha224");
+        m.put("SHA-256", "sha256");
+        m.put("SHA-384", "sha384");
+        m.put("SHA-512", "sha512");
+        m.put("SHA-512/224", "sha512_224");
+        m.put("SHA-512/256", "sha512_256");
+        m.put("SHA3-224", "sha3_224");
+        m.put("SHA3-256", "sha3_256");
+        m.put("SHA3-384", "sha3_384");
+        m.put("SHA3-512", "sha3_512");
+        IN_TOTO_DIGEST_NAMES = Collections.unmodifiableMap(m);
+    }
+
+    /**
+     * Gets a map of checksum algorithm names to hex-encoded digest values for the given artifact file.
+     *
+     * @param artifact A Maven artifact.
+     * @param algorithms JSSE names of algorithms to use
+     * @return A map of checksum algorithm names to hex-encoded digest values.
+     * @throws IOException If an I/O error occurs reading the artifact file.
+     * @throws IllegalArgumentException If any of the algorithms is not supported.
+     */
+    private static Map<String, String> getChecksums(final Artifact artifact, final String... algorithms) throws IOException {
+        final Map<String, String> checksums = new HashMap<>();
+        for (final String algorithm : algorithms) {
+            final String key = IN_TOTO_DIGEST_NAMES.get(algorithm);
+            if (key == null) {
+                throw new IllegalArgumentException("Invalid algorithm name for in-toto attestation: " + algorithm);
+            }
+            final DigestUtils digest = new DigestUtils(DigestUtils.getDigest(algorithm));
+            final String checksum = digest.digestAsHex(artifact.getFile());
+            checksums.put(key, checksum);
+        }
+        return checksums;
+    }
+
+    /**
+     * Gets the filename of an artifact in the default Maven repository layout, using the specified extension.
+     *
+     * @param artifact A Maven artifact.
+     * @param extension The file name extension.
+     * @return A filename.
+     */
+    public static String getFileName(final Artifact artifact, final String extension) {
+        final StringBuilder fileName = new StringBuilder();
+        fileName.append(artifact.getArtifactId()).append("-").append(artifact.getVersion());
+        if (artifact.getClassifier() != null) {
+            fileName.append("-").append(artifact.getClassifier());
+        }
+        fileName.append(".").append(extension);
+        return fileName.toString();
+    }
+
+    /**
+     * Gets the filename of an artifact in the default Maven repository layout.
+     *
+     * @param artifact A Maven artifact.
+     * @return A filename.
+     */
+    public static String getFileName(final Artifact artifact) {
+        return getFileName(artifact, artifact.getArtifactHandler().getExtension());
+    }
+
+    /**
+     * Gets the Package URL corresponding to this artifact.
+     *
+     * @param artifact A maven artifact.
+     * @return A PURL for the given artifact.
+     */
+    public static String getPackageUrl(final Artifact artifact) {
+        final StringBuilder sb = new StringBuilder();
+        sb.append("pkg:maven/").append(artifact.getGroupId()).append("/").append(artifact.getArtifactId()).append("@").append(artifact.getVersion())
+                .append("?");
+        final String classifier = artifact.getClassifier();
+        if (classifier != null) {
+            sb.append("classifier=").append(classifier).append("&");
+        }
+        sb.append("type=").append(artifact.getType());
+        return sb.toString();
+    }
+
+    /**
+     * Converts a Maven artifact to a SLSA {@link ResourceDescriptor}.
+     *
+     * @param artifact A Maven artifact.
+     * @param algorithms A comma-separated list of checksum algorithms to use.
+     * @return A SLSA resource descriptor.
+     * @throws MojoExecutionException If an I/O error occurs retrieving the artifact.
+     */
+    public static ResourceDescriptor toResourceDescriptor(final Artifact artifact, final String algorithms) throws MojoExecutionException {
+        final ResourceDescriptor descriptor = new ResourceDescriptor()
+                .setName(getFileName(artifact))
+                .setUri(getPackageUrl(artifact));
+        if (artifact.getFile() != null) {
+            try {
+                descriptor.setDigest(getChecksums(artifact, StringUtils.split(algorithms, ",")));
+            } catch (final IOException e) {
+                throw new MojoExecutionException("Unable to compute hash for artifact file: " + artifact.getFile(), e);
+            }
+        }
+        return descriptor;
+    }
+
+    /** No instances. */
+    private ArtifactUtils() {
+        // prevent instantiation
+    }
+}