fix: builder.id resolves to commons-release-plugin version

Author: ppkarwasz

pom.xml

@@ -320,6 +320,25 @@
         </includes>
       </resource>
     </resources>
+    <testResources>
+      <!-- Filter the attestation fixture and plugin coordinate file so they carry the current plugin version. -->
+      <testResource>
+        <directory>src/test/resources</directory>
+        <filtering>true</filtering>
+        <includes>
+          <include>attestations/**</include>
+          <include>plugin.properties</include>
+        </includes>
+      </testResource>
+      <testResource>
+        <directory>src/test/resources</directory>
+        <filtering>false</filtering>
+        <excludes>
+          <exclude>attestations/**</exclude>
+          <exclude>plugin.properties</exclude>
+        </excludes>
+      </testResource>
+    </testResources>
     <pluginManagement>
       <plugins>
         <plugin>

src/main/java/org/apache/commons/release/plugin/mojos/BuildAttestationMojo.java

@@ -52,6 +52,7 @@
 import org.apache.maven.plugin.AbstractMojo;
 import org.apache.maven.plugin.MojoExecutionException;
 import org.apache.maven.plugin.MojoFailureException;
+import org.apache.maven.plugin.descriptor.PluginDescriptor;
 import org.apache.maven.plugins.annotations.LifecyclePhase;
 import org.apache.maven.plugins.annotations.Mojo;
 import org.apache.maven.plugins.annotations.Parameter;
@@ -165,6 +166,12 @@ public class BuildAttestationMojo extends AbstractMojo {
      */
     @Parameter(property = "commons.release.signAttestation", defaultValue = "true")
     private boolean signAttestation;
+    /**
+     * Descriptor of this plugin; used to fill in {@code builder.id} with the plugin's own
+     * Package URL so that consumers can resolve the exact code that produced the provenance.
+     */
+    @Parameter(defaultValue = "${plugin}", readonly = true)
+    private PluginDescriptor pluginDescriptor;
     /**
      * GPG signer used for signing; lazily initialized from plugin parameters when {@code null}.
      */
@@ -225,8 +232,10 @@ public void execute() throws MojoFailureException, MojoExecutionException {
         final BuildDefinition buildDefinition = new BuildDefinition()
                 .setExternalParameters(BuildDefinitions.externalParameters(session))
                 .setResolvedDependencies(getBuildDependencies());
+        final String builderId = String.format("pkg:maven/%s/%s@%s",
+                pluginDescriptor.getGroupId(), pluginDescriptor.getArtifactId(), pluginDescriptor.getVersion());
         final RunDetails runDetails = new RunDetails()
-                .setBuilder(new Builder())
+                .setBuilder(new Builder().setId(builderId))
                 .setMetadata(getBuildMetadata());
         final Provenance provenance = new Provenance()
                 .setBuildDefinition(buildDefinition)
@@ -451,6 +460,15 @@ void setSignAttestation(final boolean signAttestation) {
         this.signAttestation = signAttestation;
     }
 
+    /**
+     * Sets the plugin descriptor. Intended for testing.
+     *
+     * @param pluginDescriptor the plugin descriptor
+     */
+    void setPluginDescriptor(final PluginDescriptor pluginDescriptor) {
+        this.pluginDescriptor = pluginDescriptor;
+    }
+
     /**
      * Sets the GPG signer used for signing. Intended for testing.
      *

src/main/java/org/apache/commons/release/plugin/slsa/v1_2/Builder.java

@@ -36,7 +36,7 @@ public class Builder {
     private List<ResourceDescriptor> builderDependencies = new ArrayList<>();
     /** Identifier URI of the builder. */
     @JsonProperty("id")
-    private String id = "https://commons.apache.org/builds/0.1.0";
+    private String id;
     /** Map of build platform component names to their versions. */
     @JsonProperty("version")
     private Map<String, String> version = new HashMap<>();

src/site/markdown/slsa/v0.1.0.md

@@ -134,8 +134,11 @@ These are appended after the build tool entries above.
 
 ### Builder
 
-The `builder.id` is always `https://commons.apache.org/builds/0.1.0`.
-It represents the commons-release-plugin acting as the build platform.
+The `builder.id` is the [Package URL](https://github.com/package-url/purl-spec) of the
+`commons-release-plugin` release that produced the attestation, e.g.
+`pkg:maven/org.apache.commons/commons-release-plugin@1.9.3`. It identifies the trust boundary of
+the "build platform": the exact plugin code that emitted the provenance. Verifiers can resolve the
+PURL to the signed artifact on Maven Central to inspect the builder.
 
 ## Subjects
 
@@ -256,7 +259,7 @@ contains that envelope.
     },
     "runDetails": {
       "builder": {
-        "id": "https://commons.apache.org/builds/0.1.0",
+        "id": "pkg:maven/org.apache.commons/commons-release-plugin@1.9.3",
         "builderDependencies": [],
         "version": {}
       },

src/test/java/org/apache/commons/release/plugin/mojos/BuildAttestationMojoTest.java

@@ -55,6 +55,7 @@
 import org.apache.maven.model.Model;
 import org.apache.maven.model.io.xpp3.MavenXpp3Reader;
 import org.apache.maven.plugin.MojoExecutionException;
+import org.apache.maven.plugin.descriptor.PluginDescriptor;
 import org.apache.maven.plugins.gpg.AbstractGpgSigner;
 import org.apache.maven.project.MavenProject;
 import org.apache.maven.project.MavenProjectHelper;
@@ -76,6 +77,7 @@ public class BuildAttestationMojoTest {
     private static JsonNode expectedStatement;
     @TempDir
     private static Path localRepositoryPath;
+    private static PluginDescriptor pluginDescriptor;
     private static RepositorySystemSession repoSession;
 
     private static void assertStatementContent(final JsonNode statement) {
@@ -111,6 +113,7 @@ private static void configureBuildAttestationMojo(final BuildAttestationMojo moj
         mojo.setScmConnectionUrl("scm:git:https://github.com/apache/commons-text.git");
         mojo.setMavenHome(new File(System.getProperty("maven.home", ".")));
         mojo.setAlgorithmNames("SHA-512,SHA-256,SHA-1,MD5");
+        mojo.setPluginDescriptor(pluginDescriptor);
         mojo.setSignAttestation(signAttestation);
         mojo.setSigner(createMockSigner());
     }
@@ -209,6 +212,14 @@ static void setup() throws Exception {
         try (InputStream in = BuildAttestationMojoTest.class.getResourceAsStream("/attestations/commons-text-1.4.intoto.json")) {
             expectedStatement = OBJECT_MAPPER.readTree(in);
         }
+        final Properties pluginProps = new Properties();
+        try (InputStream in = BuildAttestationMojoTest.class.getResourceAsStream("/plugin.properties")) {
+            pluginProps.load(in);
+        }
+        pluginDescriptor = new PluginDescriptor();
+        pluginDescriptor.setGroupId(pluginProps.getProperty("plugin.groupId"));
+        pluginDescriptor.setArtifactId(pluginProps.getProperty("plugin.artifactId"));
+        pluginDescriptor.setVersion(pluginProps.getProperty("plugin.version"));
     }
 
     @Test

src/test/resources/attestations/commons-text-1.4.intoto.json

@@ -175,7 +175,7 @@
     },
     "runDetails": {
       "builder": {
-        "id": "https://commons.apache.org/builds/0.1.0",
+        "id": "pkg:maven/${project.groupId}/${project.artifactId}@${project.version}",
         "builderDependencies": [],
         "version": {}
       },

src/test/resources/plugin.properties

@@ -0,0 +1,18 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+plugin.groupId=${project.groupId}
+plugin.artifactId=${project.artifactId}
+plugin.version=${project.version}