Macaron - Report

Target information

Full name	reactive-streams/reactive-streams
Local cloned path	git_repos/github_com/reactive-streams/reactive-streams
Remote path	https://github.com/reactive-streams/reactive-streams
Branch	master
Commit hash	944163a4b2477a2bebaaada86b0ba910b6302f2f
Commit date	2022-05-26T22:19:43+02:00

Provenance summary

Could not find a provenance for this repository. Below is what Macaron has inferred.

github_actions:
- 0:
  - _type: https://in-toto.io/Statement/v0.1
  - subject:
  - predicateType: https://slsa.dev/provenance/v0.2
  - predicate:
    - builder:
      - id: https://github.com/reactive-streams/reactive-streams/blob/944163a4b2477a2bebaaada86b0ba910b6302f2f/.github/workflows/ci.yml
    - buildType: Custom github_actions
    - invocation:
      - configSource:
        
        uri: https://github.com/reactive-streams/reactive-streams@refs/heads/master
        
        digest:
        
        sha1: 944163a4b2477a2bebaaada86b0ba910b6302f2f
        
        entryPoint: https://github.com/reactive-streams/reactive-streams/blob/944163a4b2477a2bebaaada86b0ba910b6302f2f/.github/workflows/ci.yml
      - parameters:
      - environment:
    - buildConfig:
    - metadata:
      - buildInvocationId:
      - buildStartedOn: <TIMESTAMP>
      - buildFinishedOn: <TIMESTAMP>
      - completeness:
        
        parameters: false
        
        environment: false
        
        materials: false
      - reproducible: false
    - materials:
      - 0:
        
        uri: <URI>
        
        digest:

Reports for Macaron checks

Check id	Check description	Slsa requirements	Justification	Result type
mcn_build_script_1	Check if the target repo has a valid build script.	Scripted Build - SLSA Level 1	Check mcn_build_script_1 is set to PASSED because mcn_build_service_1 PASSED.	PASSED
mcn_build_service_1	Check if the target repo has a valid build service.	Build service - SLSA Level 2	The target repository uses build tool gradle to deploy: https://github.com/reactive-streams/reactive-streams/blob/944163a4b2477a2bebaaada86b0ba910b6302f2f/.github/workflows/ci.yml The build is triggered by: https://github.com/reactive-streams/reactive-streams/blob/944163a4b2477a2bebaaada86b0ba910b6302f2f/.github/workflows/ci.yml Build command: ['./gradlew', 'check'] However, could not find a passing workflow run.	PASSED
mcn_version_control_system_1	Check whether the target repo uses a version control system.	Version controlled - SLSA Level 2	This is a Git repository: https://github.com/reactive-streams/reactive-streams	PASSED
mcn_build_as_code_1	The build definition and configuration executed by the build service is verifiably derived from text file definitions stored in a version control system.	Build as code - SLSA Level 3	The target repository does not use gradle to deploy.	FAILED
mcn_provenance_available_1	Check whether the target has intoto provenance.	Provenance - Available - SLSA Level 1 Provenance content - Identifies build instructions - SLSA Level 1 Provenance content - Identifies artifacts - SLSA Level 1 Provenance content - Identifies builder - SLSA Level 1	Could not find any SLSA provenances.	FAILED
mcn_provenance_expectation_1	Check whether the SLSA provenance for the produced artifact conforms to the expected value.	Provenance conforms with expectations - SLSA Level 3	Check mcn_provenance_expectation_1 is set to FAILED because mcn_provenance_level_three_1 FAILED.	FAILED
mcn_provenance_level_three_1	Check whether the target has SLSA provenance level 3.	Provenance - Non falsifiable - SLSA Level 3 Provenance content - Includes all build parameters - SLSA Level 3 Provenance content - Identifies entry point - SLSA Level 3 Provenance content - Identifies source code - SLSA Level 2	Check mcn_provenance_level_three_1 is set to FAILED because mcn_provenance_available_1 FAILED.	FAILED
mcn_trusted_builder_level_three_1	Check whether the target uses a trusted SLSA level 3 builder.	Hermetic - SLSA Level 4 Isolated - SLSA Level 3 Parameterless - SLSA Level 4 Ephemeral environment - SLSA Level 3	Could not find a trusted level 3 builder as a GitHub Actions workflow.	FAILED