Wrong deploy commands reported by the build as code check for pkg:maven/dev.sigstore/[email protected] #937

Open
@tromai

Description

Reproducing the issue

macaron analyze -purl pkg:maven/dev.sigstore/[email protected]

The Build As Code check passed with the following two deploy commands:

  • ["mvn", "clean", "deploy", "--no-transfer-progress", "$@"]
  • ["mvn", "clean", "deploy", "--no-transfer-progress", "$@"]

Initial investigation

Looking through its source code - https://github.com/sigstore/sigstore-java/tree/v1.0.0 shows that it's a Gradle project.

The 2 deploy commands are extracted from https://github.com/sigstore/sigstore-java/blob/d2603344a9357cb73142cb65caf5f39ddb428395/.github/workflows/examples.yaml (as shown in the database).

At this line it ran a shell script, which contains that mvn command - here.

Macaron reports 2 build tools for this PURL: gradle and maven.
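Added example, not Macaron's own code: a consistency check a build-as-code verifier could run over the deploy commands it extracted, flagging exact duplicates and commands whose executable does not match any build tool evidenced by the repository's build files. The file listing and commands are constructed to mirror this report (a Gradle repo with two identical `mvn ... deploy` commands pulled from a workflow).

```python
"""Cross-check extracted deploy commands against the build tools a repo actually uses."""

# Constructed sample data (hypothetical, modelled on the report above):
# a Gradle-only repository and the deploy commands a build-as-code check
# extracted from one of its CI workflows.
REPO_FILES = [
    "build.gradle.kts",
    "settings.gradle.kts",
    ".github/workflows/examples.yaml",
    "examples/hello-world/run.sh",
]
EXTRACTED_DEPLOY_COMMANDS = [
    ["mvn", "clean", "deploy", "--no-transfer-progress", "$@"],
    ["mvn", "clean", "deploy", "--no-transfer-progress", "$@"],
]

# Evidence for a build tool comes from top-level build files, not from CI commands.
BUILD_FILE_MARKERS = {
    "maven": {"pom.xml"},
    "gradle": {"build.gradle", "build.gradle.kts", "settings.gradle", "settings.gradle.kts"},
}
# Executables that identify which tool a command invokes (wrapper scripts included).
TOOL_EXECUTABLES = {"maven": {"mvn", "mvnw"}, "gradle": {"gradle", "gradlew"}}


def detect_build_tools(files):
    """Return the set of build tools evidenced by top-level build files."""
    top_level = {f for f in files if "/" not in f}
    return {tool for tool, markers in BUILD_FILE_MARKERS.items() if top_level & markers}


def command_tool(cmd):
    """Map a command's executable (ignoring any path prefix) to a build tool, or None."""
    exe = cmd[0].rsplit("/", 1)[-1]
    return next((tool for tool, execs in TOOL_EXECUTABLES.items() if exe in execs), None)


def audit_deploy_commands(files, commands):
    """Return human-readable findings for duplicate or tool-inconsistent deploy commands."""
    tools = detect_build_tools(files)
    unique = []
    for cmd in commands:
        if cmd not in unique:
            unique.append(cmd)
    findings = []
    if len(unique) < len(commands):
        findings.append(f"{len(commands) - len(unique)} duplicate deploy command(s) reported")
    for cmd in unique:
        tool = command_tool(cmd)
        if tool and tool not in tools:
            findings.append(f"{' '.join(cmd)!r} uses {tool} but build files indicate {sorted(tools)}")
    return findings
```

Running `audit_deploy_commands(REPO_FILES, EXTRACTED_DEPLOY_COMMANDS)` on the sample yields one duplicate finding and one tool-mismatch finding; the same check on a repository with `pom.xml` and a single `mvn deploy` command yields none.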

Metadata

Labels: bug