mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-09 18:16:35 +00:00

Files

laurentsimon 4b59ce4050 feat: Update doc and code for Maven plugin (#680 )

Signed-off-by: laurentsimon <laurentsimon@google.com>

2023-08-16 01:46:57 +00:00

src/main/java/io/github/slsa-framework

feat: Update doc and code for Maven plugin (#680 )

2023-08-16 01:46:57 +00:00

pom.xml

move maven-plugin from slsa-github-generator (#664 )

2023-07-21 22:40:01 +00:00

README.md

feat: Update doc and code for Maven plugin (#680 )

2023-08-16 01:46:57 +00:00

README.md

Maven verification plugin

The Maven verification plugin can be used to verify the provenance of the dependencies of a Java project.

It is meant to make it easy for project owners and consumers to:

Check how many and which dependencies of a Maven-based project are released with provenance files.
Verify the provenance files of the dependencies of a given Maven-based project.

The plugin wraps the the slsa verifier and invokes it for all the dependencies in a pom.xml.

Prerequisites

To use the plugin you must have Java and Maven installed. It has currently only been tested on Ubuntu.

The plugin requires that the slsa-verifier is already installed on the machine. Follow these steps to install it.

Development status

The plugin is in its early stages and is not ready for production.

Things that work well are:

Resolving dependencies and checking whether they have provenance files in the remote repository.
Running the slsa-verifier against dependencies with provenance files.
Outputting the result from the slsa-verifier.

Things that are unfinished:

What to do with the results from the verifier. Currently we have not taken a stand on what the Maven verification plugin should do with the output from the slsa-verifier. This is a UX decision more than it is a technical decision.

Using the Maven Verification Plugin

Invoking it directly

The Maven Verification Plugin can be run from the root of a given project file. A pseudo-workflow looks like this:

git clone --depth=1 https://github.com/slsa-framework/slsa-verifier
cd slsa-verifier/experimental/maven-plugin
mvn clean install
cd /tmp
git clone _your_repository_
cd _your_repository_
mvn io.github.slsa-framework.slsa-verifier:dependency-plugin:0.0.1:verify

The plugin will now go through all the dependencies in the pom.xml file and check if they have a provenance statement attached to their release. If a dependency has a SLSA provenance file, the Maven verification plugin will fetch it from the remote repository and invoke the slsa-verifier binary against the dependency and the provenance file.

Integrating it into your Maven build cycle

The plugin can also live in your Maven build cycle. If you add it to your own pom.xml, the plugin will execute during the validation phase of the Maven build cycle:

<plugin>
    <groupId>io.github.slsa-framework.slsa-verifier</groupId>
    <artifactId>dependency-plugin</artifactId>
    <version>0.0.1</version>
    <executions>
        <execution>
           <goals>
                <goal>verify</goal>
            </goals>
        </execution>
    </executions>
</plugin>