Add build-attestation target

checkstyle.xml

@@ -185,7 +185,7 @@
     <module name="UpperEll" />
     <module name="ImportOrder">
       <property name="option" value="top"/>
-      <property name="groups" value="java,javax,org"/>
+      <property name="groups" value="java,javax"/>
       <property name="ordered" value="true"/>
       <property name="separated" value="true"/>
     </module>

fb-excludes.xml

@@ -18,6 +18,11 @@
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
 
+  <!-- Mutable objects are not passed to untrusted methods, so we exclude these checks -->
+  <Match>
+    <Bug pattern="EI_EXPOSE_REP,EI_EXPOSE_REP2" />
+  </Match>
+
   <!-- Omit junit tests -->
   <Match>
     <Class name="~.*\.*Test.*"/>

pom.xml

@@ -26,7 +26,8 @@
   </parent>
   <artifactId>commons-release-plugin</artifactId>
   <packaging>maven-plugin</packaging>
-  <version>1.9.3-SNAPSHOT</version>
+  <!-- Temporary version change to publish independent snapshot -->
+  <version>1.9.3.slsa-SNAPSHOT</version>
   <name>Apache Commons Release Plugin</name>
   <description>
     Apache Maven Mojo for Apache Commons Release tasks.
@@ -113,7 +114,22 @@
     <!-- Until Maven plugins used here don't fail the Moditect plugin -->
     <moditect.skip>true</moditect.skip>
     <japicmp.skip>true</japicmp.skip>
+    <!-- Dependency versions -->
+    <commons.jackson.version>2.21.1</commons.jackson.version>
+    <commons.jackson.annotations.version>2.21</commons.jackson.annotations.version>
+    <commons.slf4j.version>2.0.17</commons.slf4j.version>
   </properties>
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>org.slf4j</groupId>
+        <artifactId>slf4j-bom</artifactId>
+        <version>${commons.slf4j.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
   <dependencies>
     <dependency>
       <groupId>org.apache.commons</groupId>
@@ -151,6 +167,18 @@
       <artifactId>maven-scm-api</artifactId>
       <version>${maven-scm.version}</version>
     </dependency>
+    <dependency>
+      <groupId>org.apache.maven.scm</groupId>
+      <artifactId>maven-scm-manager-plexus</artifactId>
+      <version>${maven-scm.version}</version>
+      <scope>compile</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.maven.scm</groupId>
+      <artifactId>maven-scm-provider-gitexe</artifactId>
+      <version>${maven-scm.version}</version>
+      <scope>runtime</scope>
+    </dependency>
     <dependency>
       <groupId>org.apache.maven.scm</groupId>
       <artifactId>maven-scm-provider-svnexe</artifactId>
@@ -171,6 +199,22 @@
       <artifactId>commons-compress</artifactId>
       <version>1.28.0</version>
     </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-databind</artifactId>
+      <version>${commons.jackson.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-annotations</artifactId>
+      <version>${commons.jackson.annotations.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.datatype</groupId>
+      <artifactId>jackson-datatype-jsr310</artifactId>
+      <version>${commons.jackson.version}</version>
+      <scope>runtime</scope>
+    </dependency>
     <dependency>
       <groupId>org.apache.maven.plugin-testing</groupId>
       <artifactId>maven-plugin-testing-harness</artifactId>
@@ -188,11 +232,28 @@
       <artifactId>junit-jupiter</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>net.javacrumbs.json-unit</groupId>
+      <artifactId>json-unit-assertj</artifactId>
+      <version>2.40.1</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-api</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.junit.vintage</groupId>
       <artifactId>junit-vintage-engine</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-core</artifactId>
+      <version>4.11.0</version>
+      <scope>test</scope>
+    </dependency>
     <!--  A bit of jar-hell requires this to come last. -->
     <dependency>
       <groupId>org.apache.maven</groupId>
@@ -223,6 +284,11 @@
         </exclusion>
       </exclusions>
     </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-simple</artifactId>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
   <build>
     <defaultGoal>clean verify apache-rat:check checkstyle:check spotbugs:check javadoc:javadoc site</defaultGoal>

src/main/java/org/apache/commons/release/plugin/internal/ArtifactUtils.java

@@ -0,0 +1,118 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.internal;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.release.plugin.slsa.v1_2.ResourceDescriptor;
+import org.apache.maven.artifact.Artifact;
+import org.apache.maven.plugin.MojoExecutionException;
+
+/**
+ * Utilities to convert {@link Artifact} from and to other types.
+ */
+public final class ArtifactUtils {
+
+    /** No instances. */
+    private ArtifactUtils() {
+        // prevent instantiation
+    }
+
+    /**
+     * Returns the conventional filename for the given artifact.
+     *
+     * @param artifact A Maven artifact.
+     * @return A filename.
+     */
+    public static String getFileName(Artifact artifact) {
+        return getFileName(artifact, artifact.getArtifactHandler().getExtension());
+    }
+
+    /**
+     * Returns the filename for the given artifact with a changed extension.
+     *
+     * @param artifact A Maven artifact.
+     * @param extension The file name extension.
+     * @return A filename.
+     */
+    public static String getFileName(Artifact artifact, String extension) {
+        StringBuilder fileName = new StringBuilder();
+        fileName.append(artifact.getArtifactId()).append("-").append(artifact.getVersion());
+        if (artifact.getClassifier() != null) {
+            fileName.append("-").append(artifact.getClassifier());
+        }
+        fileName.append(".").append(extension);
+        return fileName.toString();
+    }
+
+    /**
+     * Returns the Package URL corresponding to this artifact.
+     *
+     * @param artifact A maven artifact.
+     * @return A PURL for the given artifact.
+     */
+    public static String getPackageUrl(Artifact artifact) {
+        StringBuilder sb = new StringBuilder();
+        sb.append("pkg:maven/").append(artifact.getGroupId()).append("/").append(artifact.getArtifactId()).append("@").append(artifact.getVersion())
+                .append("?");
+        String classifier = artifact.getClassifier();
+        if (classifier != null) {
+            sb.append("classifier=").append(classifier).append("&");
+        }
+        sb.append("type=").append(artifact.getType());
+        return sb.toString();
+    }
+
+    /**
+     * Returns a map of checksum algorithm names to hex-encoded digest values for the given artifact file.
+     *
+     * @param artifact A Maven artifact.
+     * @return A map of checksum algorithm names to hex-encoded digest values.
+     * @throws IOException If an I/O error occurs reading the artifact file.
+     */
+    private static Map<String, String> getChecksums(Artifact artifact) throws IOException {
+        Map<String, String> checksums = new HashMap<>();
+        DigestUtils digest = new DigestUtils(DigestUtils.getSha256Digest());
+        String sha256sum = digest.digestAsHex(artifact.getFile());
+        checksums.put("sha256", sha256sum);
+        return checksums;
+    }
+
+    /**
+     * Converts a Maven artifact to a SLSA {@link ResourceDescriptor}.
+     *
+     * @param artifact A Maven artifact.
+     * @return A SLSA resource descriptor.
+     * @throws MojoExecutionException If an I/O error occurs retrieving the artifact.
+     */
+    public static ResourceDescriptor toResourceDescriptor(Artifact artifact) throws MojoExecutionException {
+        ResourceDescriptor descriptor = new ResourceDescriptor();
+        descriptor.setName(getFileName(artifact));
+        descriptor.setUri(getPackageUrl(artifact));
+        if (artifact.getFile() != null) {
+            try {
+                descriptor.setDigest(getChecksums(artifact));
+            } catch (IOException e) {
+                throw new MojoExecutionException("Unable to compute hash for artifact file: " + artifact.getFile(), e);
+            }
+        }
+        return descriptor;
+    }
+}

src/main/java/org/apache/commons/release/plugin/internal/BuildToolDescriptors.java

@@ -0,0 +1,101 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.internal;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Path;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Properties;
+
+import org.apache.commons.release.plugin.slsa.v1_2.ResourceDescriptor;
+
+/**
+ * Factory methods for {@link ResourceDescriptor} instances representing build-tool dependencies.
+ */
+public final class BuildToolDescriptors {
+
+    /** No instances. */
+    private BuildToolDescriptors() {
+        // no instantiation
+    }
+
+    /**
+     * Creates a {@link ResourceDescriptor} for the JDK used during the build.
+     *
+     * @param javaHome path to the JDK home directory (value of the {@code java.home} system property)
+     * @return a descriptor with digest and annotations populated from system properties
+     * @throws IOException if hashing the JDK directory fails
+     */
+    public static ResourceDescriptor jvm(Path javaHome) throws IOException {
+        ResourceDescriptor descriptor = new ResourceDescriptor();
+        descriptor.setName("JDK");
+        Map<String, String> digest = new HashMap<>();
+        digest.put("gitTree", GitUtils.gitTree(javaHome));
+        descriptor.setDigest(digest);
+        String[] propertyNames = {
+            "java.version", "java.version.date",
+            "java.vendor", "java.vendor.url", "java.vendor.version",
+            "java.home",
+            "java.vm.specification.version", "java.vm.specification.vendor", "java.vm.specification.name",
+            "java.vm.version", "java.vm.vendor", "java.vm.name",
+            "java.specification.version", "java.specification.maintenance.version",
+            "java.specification.vendor", "java.specification.name",
+        };
+        Map<String, Object> annotations = new HashMap<>();
+        for (String prop : propertyNames) {
+            annotations.put(prop.substring("java.".length()), System.getProperty(prop));
+        }
+        descriptor.setAnnotations(annotations);
+        return descriptor;
+    }
+
+    /**
+     * Creates a {@link ResourceDescriptor} for the Maven installation used during the build.
+     *
+     * <p>{@code build.properties} resides in a JAR inside {@code ${maven.home}/lib/}, which is loaded by Maven's Core Classloader.
+     * Plugin code runs in an isolated Plugin Classloader, which does see that resources. Therefore, we need to pass the classloader from a class from
+     * Maven Core, such as {@link org.apache.maven.rtinfo.RuntimeInformation}.</p>
+     *
+     * @param version          Maven version string
+     * @param mavenHome        path to the Maven home directory
+     * @param coreClassLoader  a classloader from Maven's Core Classloader realm, used to load core resources
+     * @return a descriptor for the Maven installation
+     * @throws IOException if hashing the Maven home directory fails
+     */
+    public static ResourceDescriptor maven(String version, Path mavenHome, ClassLoader coreClassLoader) throws IOException {
+        ResourceDescriptor descriptor = new ResourceDescriptor();
+        descriptor.setName("Maven");
+        descriptor.setUri("pkg:maven/org.apache.maven/apache-maven@" + version);
+        Map<String, String> digest = new HashMap<>();
+        digest.put("gitTree", GitUtils.gitTree(mavenHome));
+        descriptor.setDigest(digest);
+        Properties buildProps = new Properties();
+        try (InputStream in = coreClassLoader.getResourceAsStream("org/apache/maven/messages/build.properties")) {
+            if (in != null) {
+                buildProps.load(in);
+            }
+        }
+        if (!buildProps.isEmpty()) {
+            Map<String, Object> annotations = new HashMap<>();
+            buildProps.forEach((key, value) -> annotations.put((String) key, value));
+            descriptor.setAnnotations(annotations);
+        }
+        return descriptor;
+    }
+}