Wrong deploy commands reported by the build as code check for pkg:maven/dev.sigstore/sigstore-maven-plugin@1.0.0

# Reproducing the issue
```
macaron analyze -purl pkg:maven/dev.sigstore/sigstore-maven-plugin@1.0.0
```
The Build As Code check passed with the following two deploy commands:
- `["mvn", "clean", "deploy", "--no-transfer-progress", "$@"]`
- `["mvn", "clean", "deploy", "--no-transfer-progress", "$@"]`

# Initial investigation
Looking through its source code - https://github.com/sigstore/sigstore-java/tree/v1.0.0 shows that it's a Gradle project.

The 2 deploys commands are extracted from https://github.com/sigstore/sigstore-java/blob/d2603344a9357cb73142cb65caf5f39ddb428395/.github/workflows/examples.yaml (as shown in the database).

At this [line](https://github.com/sigstore/sigstore-java/blob/d2603344a9357cb73142cb65caf5f39ddb428395/.github/workflows/examples.yaml#L37) it ran a shell script, which contains that mvn command - [here](https://github.com/sigstore/sigstore-java/blob/d2603344a9357cb73142cb65caf5f39ddb428395/examples/hello-world/test.sh).

Macaron reports 2 build tools for this PURL: gradle and maven.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Wrong deploy commands reported by the build as code check for pkg:maven/dev.sigstore/[email protected] #937

Reproducing the issue

Initial investigation

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Wrong deploy commands reported by the build as code check for pkg:maven/dev.sigstore/[email protected] #937

Description

Reproducing the issue

Initial investigation

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions