Add SLSA data models

Adds SLSA data models annotated with Jackson annotation for serialization/deserialization to JSON.

Author: ppkarwasz

fb-excludes.xml

@@ -18,6 +18,12 @@
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
 
+  <!-- SLSA provenance data models are short-lived DTOs serialized to JSON; defensive copying adds no safety. -->
+  <Match>
+    <Package name="org.apache.commons.release.plugin.slsa.v1_2" />
+    <Bug pattern="EI_EXPOSE_REP,EI_EXPOSE_REP2" />
+  </Match>
+
   <!-- Omit junit tests -->
   <Match>
     <Class name="~.*\.*Test.*"/>

pom.xml

@@ -102,7 +102,20 @@
     <!-- Until Maven plugins used here don't fail the Moditect plugin -->
     <moditect.skip>true</moditect.skip>
     <japicmp.skip>true</japicmp.skip>
+    <!-- Dependency versions -->
+    <commons.jackson.version>2.21.2</commons.jackson.version>
   </properties>
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>com.fasterxml.jackson</groupId>
+        <artifactId>jackson-bom</artifactId>
+        <version>${commons.jackson.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
   <dependencies>
     <dependency>
       <groupId>org.apache.commons</groupId>
@@ -160,6 +173,10 @@
       <artifactId>commons-compress</artifactId>
       <version>1.28.0</version>
     </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-annotations</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.apache.maven.plugin-testing</groupId>
       <artifactId>maven-plugin-testing-harness</artifactId>

src/main/java/org/apache/commons/release/plugin/slsa/v1_2/BuildDefinition.java

@@ -0,0 +1,187 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.slsa.v1_2;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * Inputs that define the build: the build type, external and internal parameters, and resolved dependencies.
+ *
+ * <p>Specifies everything that influenced the build output. Together with {@link RunDetails}, it forms the complete
+ * {@link Provenance} record.</p>
+ *
+ * @see <a href="https://slsa.dev/spec/v1.2">SLSA v1.2 Specification</a>
+ */
+public class BuildDefinition {
+
+    /**
+     * URI indicating what type of build was performed.
+     */
+    @JsonProperty("buildType")
+    private String buildType = "https://commons.apache.org/proper/commons-release-plugin/slsa/v0.1.0";
+
+    /**
+     * Inputs passed to the build.
+     */
+    @JsonProperty("externalParameters")
+    private Map<String, Object> externalParameters = new HashMap<>();
+
+    /**
+     * Parameters set by the build platform.
+     */
+    @JsonProperty("internalParameters")
+    private Map<String, Object> internalParameters = new HashMap<>();
+
+    /**
+     * Artifacts the build depends on, specified by URI and digest.
+     */
+    @JsonProperty("resolvedDependencies")
+    private List<ResourceDescriptor> resolvedDependencies;
+
+    /**
+     * Creates a new BuildDefinition instance with the default build type.
+     */
+    public BuildDefinition() {
+    }
+
+    /**
+     * Creates a new BuildDefinition with the given build type and external parameters.
+     *
+     * @param buildType          URI indicating what type of build was performed
+     * @param externalParameters inputs passed to the build
+     */
+    public BuildDefinition(String buildType, Map<String, Object> externalParameters) {
+        this.buildType = buildType;
+        this.externalParameters = externalParameters;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        BuildDefinition that = (BuildDefinition) o;
+        return Objects.equals(buildType, that.buildType) && Objects.equals(externalParameters, that.externalParameters) && Objects.equals(internalParameters,
+                that.internalParameters) && Objects.equals(resolvedDependencies, that.resolvedDependencies);
+    }
+
+    /**
+     * Gets the URI indicating what type of build was performed.
+     *
+     * <p>Determines the meaning of {@code externalParameters} and {@code internalParameters}.</p>
+     *
+     * @return the build type URI
+     */
+    public String getBuildType() {
+        return buildType;
+    }
+
+    /**
+     * Gets the inputs passed to the build, such as command-line arguments or environment variables.
+     *
+     * @return the external parameters map, or {@code null} if not set
+     */
+    public Map<String, Object> getExternalParameters() {
+        return externalParameters;
+    }
+
+    /**
+     * Gets the artifacts the build depends on, such as sources, dependencies, build tools, and base images,
+     * specified by URI and digest.
+     *
+     * @return the internal parameters map, or {@code null} if not set
+     */
+    public Map<String, Object> getInternalParameters() {
+        return internalParameters;
+    }
+
+    /**
+     * Gets the materials that influenced the build.
+     *
+     * <p>Considered incomplete unless resolved materials are present.</p>
+     *
+     * @return the list of resolved dependencies, or {@code null} if not set
+     */
+    public List<ResourceDescriptor> getResolvedDependencies() {
+        return resolvedDependencies;
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(buildType, externalParameters, internalParameters, resolvedDependencies);
+    }
+
+    /**
+     * Sets the URI indicating what type of build was performed.
+     *
+     * @param buildType the build type URI
+     * @return this for chaining
+     */
+    public BuildDefinition setBuildType(String buildType) {
+        this.buildType = buildType;
+        return this;
+    }
+
+    /**
+     * Sets the inputs passed to the build.
+     *
+     * @param externalParameters the external parameters map
+     * @return this for chaining
+     */
+    public BuildDefinition setExternalParameters(Map<String, Object> externalParameters) {
+        this.externalParameters = externalParameters;
+        return this;
+    }
+
+    /**
+     * Sets the artifacts the build depends on.
+     *
+     * @param internalParameters the internal parameters map
+     * @return this for chaining
+     */
+    public BuildDefinition setInternalParameters(Map<String, Object> internalParameters) {
+        this.internalParameters = internalParameters;
+        return this;
+    }
+
+    /**
+     * Sets the materials that influenced the build.
+     *
+     * @param resolvedDependencies the list of resolved dependencies
+     * @return this for chaining
+     */
+    public BuildDefinition setResolvedDependencies(List<ResourceDescriptor> resolvedDependencies) {
+        this.resolvedDependencies = resolvedDependencies;
+        return this;
+    }
+
+    @Override
+    public String toString() {
+        return "BuildDefinition{buildType='" + buildType + '\''
+                + ", externalParameters=" + externalParameters
+                + ", internalParameters=" + internalParameters
+                + ", resolvedDependencies=" + resolvedDependencies + '}';
+    }
+}

src/main/java/org/apache/commons/release/plugin/slsa/v1_2/BuildMetadata.java

@@ -0,0 +1,141 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.slsa.v1_2;
+
+import java.time.OffsetDateTime;
+import java.util.Objects;
+
+import com.fasterxml.jackson.annotation.JsonFormat;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * Metadata about a build invocation: its identifier and start and finish timestamps.
+ *
+ * @see <a href="https://slsa.dev/spec/v1.2">SLSA v1.2 Specification</a>
+ */
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class BuildMetadata {
+
+    /** Timestamp when the build completed. */
+    @JsonFormat(shape = JsonFormat.Shape.STRING, pattern = "yyyy-MM-dd'T'HH:mm:ss'Z'")
+    @JsonProperty("finishedOn")
+    private OffsetDateTime finishedOn;
+    /** Identifier for this build invocation. */
+    @JsonProperty("invocationId")
+    private String invocationId;
+    /** Timestamp when the build started. */
+    @JsonFormat(shape = JsonFormat.Shape.STRING, pattern = "yyyy-MM-dd'T'HH:mm:ss'Z'")
+    @JsonProperty("startedOn")
+    private OffsetDateTime startedOn;
+
+    /** Creates a new BuildMetadata instance. */
+    public BuildMetadata() {
+    }
+
+    /**
+     * Creates a new BuildMetadata instance with all fields set.
+     *
+     * @param invocationId identifier for this build invocation
+     * @param startedOn    timestamp when the build started
+     * @param finishedOn   timestamp when the build completed
+     */
+    public BuildMetadata(String invocationId, OffsetDateTime startedOn, OffsetDateTime finishedOn) {
+        this.invocationId = invocationId;
+        this.startedOn = startedOn;
+        this.finishedOn = finishedOn;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (!(o instanceof BuildMetadata)) {
+            return false;
+        }
+        BuildMetadata that = (BuildMetadata) o;
+        return Objects.equals(invocationId, that.invocationId) && Objects.equals(startedOn, that.startedOn) && Objects.equals(finishedOn, that.finishedOn);
+    }
+
+    /**
+     * Gets the timestamp of when the build completed, serialized as RFC 3339 in UTC ({@code "Z"} suffix).
+     *
+     * @return the completion timestamp, or {@code null} if not set
+     */
+    public OffsetDateTime getFinishedOn() {
+        return finishedOn;
+    }
+
+    /**
+     * Gets the identifier for this build invocation.
+     *
+     * @return the invocation identifier, or {@code null} if not set
+     */
+    public String getInvocationId() {
+        return invocationId;
+    }
+
+    /**
+     * Gets the timestamp of when the build started, serialized as RFC 3339 in UTC ({@code "Z"} suffix).
+     *
+     * @return the start timestamp, or {@code null} if not set
+     */
+    public OffsetDateTime getStartedOn() {
+        return startedOn;
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(invocationId, startedOn, finishedOn);
+    }
+
+    /**
+     * Sets the timestamp of when the build completed.
+     *
+     * @param finishedOn the completion timestamp
+     * @return this for chaining
+     */
+    public BuildMetadata setFinishedOn(OffsetDateTime finishedOn) {
+        this.finishedOn = finishedOn;
+        return this;
+    }
+
+    /**
+     * Sets the identifier for this build invocation.
+     *
+     * @param invocationId the invocation identifier
+     * @return this for chaining
+     */
+    public BuildMetadata setInvocationId(String invocationId) {
+        this.invocationId = invocationId;
+        return this;
+    }
+
+    /**
+     * Sets the timestamp of when the build started.
+     *
+     * @param startedOn the start timestamp
+     * @return this for chaining
+     */
+    public BuildMetadata setStartedOn(OffsetDateTime startedOn) {
+        this.startedOn = startedOn;
+        return this;
+    }
+
+    @Override
+    public String toString() {
+        return "BuildMetadata{invocationId='" + invocationId + "', startedOn=" + startedOn + ", finishedOn=" + finishedOn + '}';
+    }
+}