[Bug] - The build command's JDK version is reported incorrectly for pkg:maven/org.apache.hugegraph/[email protected] #1077

Open
tromai opened this issue May 9, 2025 · 0 comments
Labels
bug Something isn't working triage The issue needs to be triaged.

tromai commented May 9, 2025

Description

The Package URL pkg:maven/org.apache.hugegraph/[email protected] was built using JDK11 in its GitHub Action pipeline. However, Macaron reports JDK version 8.

Steps to Reproduce

# Assume you have set up the dev environment using make setup
macaron analyze -purl pkg:maven/org.apache.hugegraph/[email protected]

...

2025-05-09 17:27:44,817 [macaron.slsa_analyzer.checks.base_check:run:95] [INFO] ----------------------------------
2025-05-09 17:27:44,817 [macaron.slsa_analyzer.checks.base_check:run:96] [INFO] BEGIN CHECK: mcn_build_script_1
2025-05-09 17:27:44,817 [macaron.slsa_analyzer.checks.base_check:run:97] [INFO] ----------------------------------
2025-05-09 17:27:44,818 [macaron.slsa_analyzer.checks.base_check:run:111] [INFO] Check mcn_build_script_1 run PASSED on target pkg:maven/org.apache.hugegraph/[email protected].
2025-05-09 17:27:44,818 [macaron.slsa_analyzer.checks.base_check:run:117] [DEBUG] Check result: ...

The Check Result (PASSED) for mcn_build_script_1 check (prettified)

[(<Confidence.HIGH: 1.0>,
  ['build_tool_name: maven',
   'ci_service_name: github_actions',
   'language: BuildLanguage.JAVA',
   'language_distributions: ["zulu"]',
   'language_versions: ["8"]',
   'build_tool_command: ["mvn", "apache-rat:check", "-ntp"]',
   {'build_trigger': 'https://github.com/apache/hugegraph-computer/blob/d2b95262091d6572cc12dcda57d89f9cd44ac88b/.github/workflows/ci.yml',
    'language_url': 'https://github.com/actions/setup-java'}]),
 (<Confidence.HIGH: 1.0>,
  ['build_tool_name: maven',
   'ci_service_name: github_actions',
   'language: BuildLanguage.JAVA',
   'language_distributions: ["zulu"]',
   'language_versions: ["8"]',
   'build_tool_command: ["mvn", "clean", "compile", '
   '"-Dmaven.javadoc.skip=true", "-ntp"]',
   {'build_trigger': 'https://github.com/apache/hugegraph-computer/blob/d2b95262091d6572cc12dcda57d89f9cd44ac88b/.github/workflows/ci.yml',
    'language_url': 'https://github.com/actions/setup-java'}]),
 (<Confidence.HIGH: 1.0>,
  ['build_tool_name: maven',
   'ci_service_name: github_actions',
   'language: BuildLanguage.JAVA',
   'language_distributions: ["zulu"]',
   'language_versions: ["8"]',
   'build_tool_command: ["mvn", "test", "-P", "integrate-test", "-ntp"]',
   {'build_trigger': 'https://github.com/apache/hugegraph-computer/blob/d2b95262091d6572cc12dcda57d89f9cd44ac88b/.github/workflows/ci.yml',
    'language_url': 'https://github.com/actions/setup-java'}]),
 (<Confidence.HIGH: 1.0>,
  ['build_tool_name: maven',
   'ci_service_name: github_actions',
   'language: BuildLanguage.JAVA',
   'language_distributions: ["zulu"]',
   'language_versions: ["8"]',
   'build_tool_command: ["mvn", "test", "-P", "unit-test", "-ntp"]',
   {'build_trigger': 'https://github.com/apache/hugegraph-computer/blob/d2b95262091d6572cc12dcda57d89f9cd44ac88b/.github/workflows/ci.yml',
    'language_url': 'https://github.com/actions/setup-java'}]),
 (<Confidence.HIGH: 1.0>,
  ['build_tool_name: maven',
   'ci_service_name: github_actions',
   'language: BuildLanguage.JAVA',
   'language_distributions: ["adopt"]',
   'language_versions: ["11"]',
   'build_tool_command: ["mvn", "apache-rat:check", "-ntp"]',
   {'build_trigger': 'https://github.com/apache/hugegraph-computer/blob/d2b95262091d6572cc12dcda57d89f9cd44ac88b/.github/workflows/license-checker.yml',
    'language_url': 'https://github.com/actions/setup-java'}])]

The language version for ["mvn", "test", "-P", "unit-test", "-ntp"] is 8. Having a look at the GitHub Action workflow file here - https://github.com/apache/incubator-hugegraph-computer/blob/d2b95262091d6572cc12dcda57d89f9cd44ac88b/.github/workflows/ci.yml#L78C4-L85C16 shows that it should be JDK11.

I think this is because at this point -

def find_language_setup_action(job_node: GitHubJobNode, lang_name: BuildLanguage) -> Language | None:
    """Find the step that calls a language setup GitHub Actions and return the model.

    Parameters
    ----------
    job_node: GitHubJobNode
        The target GitHub Actions job node.
    lang_name: BuildLanguage
        The target language used in the build.

    Returns
    -------
    Language | None
        The language model for the language setup GitHub Action or None.
    """
    for callee in job_node.callee:
        model = callee.model
        # Check if the model implements the Language protocol.
        if isinstance(model, Language):
            if model.lang_name == lang_name:
                return model
    return None

we return the very first Setup Language step. However, in this project, the Setup Language step closest to the build command should be the correct one.
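
A minimal model of the selection difference described in this issue, added here as an illustration and not Macaron's code. `Step`, `first_setup`, `nearest_preceding_setup`, `report` and the job contents are hypothetical and constructed; the job is not a copy of the real ci.yml.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    """One step of a CI job (hypothetical model, not Macaron's GitHubJobNode)."""
    uses: str | None = None              # action reference of a `uses:` step
    java_version: str | None = None      # the setup action's java-version input
    run: tuple[str, ...] | None = None   # build command of a `run:` step


def is_java_setup(step: Step) -> bool:
    return step.uses is not None and step.uses.split("@")[0] == "actions/setup-java"


def first_setup(steps: list[Step]) -> Step | None:
    """Behaviour described in the issue: the first setup step in the job wins."""
    return next((s for s in steps if is_java_setup(s)), None)


def nearest_preceding_setup(steps: list[Step], build_index: int) -> Step | None:
    """Behaviour the issue asks for: the last setup step before the build command."""
    for step in reversed(steps[:build_index]):
        if is_java_setup(step):
            return step
    return None  # no setup step ran before this command


# Constructed job: JDK 8 is set up first, JDK 11 is set up before the tests.
JOB = [
    Step(uses="actions/setup-java@v3", java_version="8"),
    Step(run=("mvn", "apache-rat:check", "-ntp")),
    Step(uses="actions/setup-java@v3", java_version="11"),
    Step(run=("mvn", "test", "-P", "unit-test", "-ntp")),
]


def report(steps: list[Step]) -> dict:
    """Map each build command to (first-match version, nearest-preceding version)."""
    first = first_setup(steps)
    out = {}
    for i, step in enumerate(steps):
        if step.run is not None:
            near = nearest_preceding_setup(steps, i)
            out[step.run] = (first.java_version if first else None,
                             near.java_version if near else None)
    return out
```

For the constructed job, the two strategies agree on the first command and disagree on the second, which is the mismatch the report shows for the unit-test command.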
