a7d5c7b0f1
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [org.apache.maven:maven-plugin-api](https://maven.apache.org/) | `3.6.3` -> `3.9.5` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Configuration 📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi4xMS4wIiwidXBkYXRlZEluVmVyIjoiMzcuMC4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Signed-off-by: Mend Renovate <bot@renovateapp.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Maven verification plugin
The Maven verification plugin can be used to verify the provenance of the dependencies of a Java project.
It is meant to make it easy for project owners and consumers to:
- Check how many and which dependencies of a Maven-based project are released with provenance files.
- Verify the provenance files of the dependencies of a given Maven-based project.
The plugin wraps the the slsa verifier and invokes it for all the dependencies in a pom.xml.
Prerequisites
To use the plugin you must have Java and Maven installed. It has currently only been tested on Ubuntu.
The plugin requires that the slsa-verifier is already installed on the machine. Follow these steps to install it.
Development status
The plugin is in its early stages and is not ready for production.
Things that work well are:
- Resolving dependencies and checking whether they have provenance files in the remote repository.
- Running the slsa-verifier against dependencies with provenance files.
- Outputting the result from the slsa-verifier.
Things that are unfinished:
- What to do with the results from the verifier. Currently we have not taken a stand on what the Maven verification plugin should do with the output from the slsa-verifier. This is a UX decision more than it is a technical decision.
Using the Maven Verification Plugin
Invoking it directly
The Maven Verification Plugin can be run from the root of a given project file. A pseudo-workflow looks like this:
git clone --depth=1 https://github.com/slsa-framework/slsa-verifiercd slsa-verifier/experimental/maven-pluginmvn clean installcd /tmpgit clone _your_repository_cd _your_repository_mvn io.github.slsa-framework.slsa-verifier:dependency-plugin:0.0.1:verify
The plugin will now go through all the dependencies in the pom.xml file and check if they have a provenance statement attached to their release. If a dependency has a SLSA provenance file, the Maven verification plugin will fetch it from the remote repository and invoke the slsa-verifier binary against the dependency and the provenance file.
Integrating it into your Maven build cycle
The plugin can also live in your Maven build cycle. If you add it to your own pom.xml, the plugin will execute during the validation phase of the Maven build cycle:
<plugin>
<groupId>io.github.slsa-framework.slsa-verifier</groupId>
<artifactId>dependency-plugin</artifactId>
<version>0.0.1</version>
<executions>
<execution>
<goals>
<goal>verify</goal>
</goals>
</execution>
</executions>
</plugin>