Wrong deploy commands reported by the build as code check for pkg:maven/dev.sigstore/[email protected] #937
Open
Description
Reproducing the issue
```
macaron analyze -purl pkg:maven/dev.sigstore/[email protected]
```
The Build As Code check passed with the following two deploy commands:
```
["mvn", "clean", "deploy", "--no-transfer-progress", "$@"]
["mvn", "clean", "deploy", "--no-transfer-progress", "$@"]
```
Initial investigation
Looking through its source code - https://github.com/sigstore/sigstore-java/tree/v1.0.0 shows that it's a Gradle project.
The 2 deploy commands are extracted from https://github.com/sigstore/sigstore-java/blob/d2603344a9357cb73142cb65caf5f39ddb428395/.github/workflows/examples.yaml (as shown in the database).
At this line it ran a shell script, which contains that mvn command - here.
Macaron reports 2 build tools for this PURL: gradle and maven.
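One way a checker could avoid this class of false positive, shown here as an added example that is not Macaron's own code: derive the project's build tool from the build files in the repository root and discard deploy commands that invoke a different tool. The file list and the `./gradlew publish` command are constructed to mirror the situation in this issue, not taken from the sigstore-java repository.

```python
from pathlib import PurePosixPath

# Hypothetical mappings (not Macaron's): root build file -> build tool, executable -> build tool.
BUILD_FILES = {
    "pom.xml": "maven",
    "build.gradle": "gradle",
    "build.gradle.kts": "gradle",
    "settings.gradle": "gradle",
    "settings.gradle.kts": "gradle",
}
DEPLOY_EXECUTABLES = {"mvn": "maven", "mvnw": "maven", "gradle": "gradle", "gradlew": "gradle"}


def root_build_tools(repo_files):
    """Return the build tools declared by build files in the repository root only.

    Nested build files (submodules, examples) are ignored so a stray pom.xml deep
    in the tree does not make the whole project look like a Maven project."""
    tools = set()
    for path in repo_files:
        p = PurePosixPath(path)
        if len(p.parts) == 1 and p.name in BUILD_FILES:
            tools.add(BUILD_FILES[p.name])
    return tools


def command_tool(argv):
    """Identify the build tool a deploy command invokes from its executable name."""
    return DEPLOY_EXECUTABLES.get(PurePosixPath(argv[0]).name)


def consistent_deploy_commands(repo_files, candidates):
    """Split candidate deploy commands into those matching a root build tool and those that do not."""
    tools = root_build_tools(repo_files)
    kept, dropped = [], []
    for cmd in candidates:
        tool = command_tool(cmd["argv"])
        if tool in tools:
            kept.append(cmd)
        else:
            dropped.append({**cmd, "reason": f"{tool} command in a {sorted(tools)} project"})
    return kept, dropped


# Constructed input: a Gradle project whose examples workflow runs a script containing mvn deploy.
REPO_FILES = ["build.gradle.kts", "settings.gradle.kts", "examples/pom.xml", ".github/workflows/examples.yaml"]
CANDIDATES = [
    {"workflow": ".github/workflows/examples.yaml", "argv": ["mvn", "clean", "deploy", "--no-transfer-progress", "$@"]},
    {"workflow": ".github/workflows/examples.yaml", "argv": ["mvn", "clean", "deploy", "--no-transfer-progress", "$@"]},
    {"workflow": ".github/workflows/release.yaml", "argv": ["./gradlew", "publish"]},  # constructed
]
```

Running `consistent_deploy_commands(REPO_FILES, CANDIDATES)` keeps only the Gradle command and drops both mvn commands with a reason that names the mismatch.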