BuildInfo / provenance materials
Definition
BuildInfo or provenance materials refer to metadata and documentation that describe the process and environment in which a software artifact was created. This includes details such as the source code repository, the specific commit or version used, the build system and tools involved, and any dependencies or configurations applied during the build process. Provenance materials are crucial for ensuring the integrity and traceability of software, enabling organizations to verify that artifacts have not been tampered with and are built from trusted sources.
Secure Settings Example
# Example of a secure provenance configuration in a CI/CD pipeline
provenance:
  enabled: true
  source:
    repository: "https://github.com/example/repo"
    commitHash: "abc123def456"
  build:
    system: "Jenkins"
    version: "2.289.1"
  dependencies:
    - name: "library1"
      version: "1.0.0"
    - name: "library2"
      version: "2.3.4"
  artifacts:
    - name: "app.jar"
      checksum: "sha256:abcdef1234567890"
Insecure Settings Example
# Example of an insecure provenance configuration
provenance:
  enabled: false
  source:
    repository: "https://github.com/example/repo"
    commitHash: "latest"  # Using 'latest' is insecure as it lacks specificity
  build:
    system: "Unknown"
    version: "Unknown"
  dependencies: []  # Missing dependency information
  artifacts:
    - name: "app.jar"
      checksum: ""  # Missing checksum for artifact verification
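The following added example (not part of the original page, and not tied to any particular CI system) shows how a consumer of such provenance records would check them mechanically: the two YAML documents above are transcribed as Python dicts, the artifact bytes and their digest are constructed for the example, and a validator flags each weakness the insecure record exhibits (disabled provenance, an unpinned commit reference, unknown build system, no dependencies, no checksum) and also detects a tampered artifact whose bytes no longer match the recorded digest. The `check_provenance` function and its finding strings are this example's own design.

```python
import hashlib
import re

# Patterns for the two fields that pin a build to specific inputs and outputs.
# A git object id is hex; 7+ chars accepts abbreviated ids like the page's example,
# but a real pipeline should record the full 40-character id.
PINNED_COMMIT = re.compile(r"^[0-9a-f]{7,40}$")
SHA256_CHECKSUM = re.compile(r"^sha256:([0-9a-f]{64})$")


def check_provenance(record: dict, built_artifacts: dict[str, bytes]) -> list[str]:
    """Check a provenance record; return a list of findings (empty means it passed).

    built_artifacts maps artifact name -> bytes the build actually produced, so the
    recorded checksum can be compared against a freshly computed digest.
    """
    findings = []
    if not record.get("enabled"):
        findings.append("provenance generation is disabled")

    commit = record.get("source", {}).get("commitHash", "")
    if not PINNED_COMMIT.match(commit):
        findings.append(f"commitHash {commit!r} is not a pinned git object id")

    build = record.get("build", {})
    for key in ("system", "version"):
        if build.get(key, "") in ("", "Unknown"):
            findings.append(f"build.{key} is not recorded")

    deps = record.get("dependencies") or []
    if not deps:
        findings.append("no dependencies recorded")
    for dep in deps:
        if dep.get("version", "") in ("", "latest", "*"):
            findings.append(f"dependency {dep.get('name')!r} is not version-pinned")

    for art in record.get("artifacts", []):
        name = art.get("name")
        match = SHA256_CHECKSUM.match(art.get("checksum", ""))
        if not match:
            findings.append(f"artifact {name!r} has no sha256 checksum")
            continue
        data = built_artifacts.get(name)
        if data is None:
            findings.append(f"artifact {name!r} was not produced by the build")
            continue
        if hashlib.sha256(data).hexdigest() != match.group(1):
            findings.append(f"artifact {name!r} checksum mismatch")
    return findings


# Constructed stand-in for the app.jar bytes; its digest fills the secure record's checksum.
APP_JAR = b"PK\x03\x04 constructed app.jar contents for this example"
APP_JAR_SHA256 = hashlib.sha256(APP_JAR).hexdigest()

# The page's secure example, transcribed as a dict (checksum replaced by the real digest above).
SECURE_RECORD = {
    "enabled": True,
    "source": {"repository": "https://github.com/example/repo", "commitHash": "abc123def456"},
    "build": {"system": "Jenkins", "version": "2.289.1"},
    "dependencies": [
        {"name": "library1", "version": "1.0.0"},
        {"name": "library2", "version": "2.3.4"},
    ],
    "artifacts": [{"name": "app.jar", "checksum": "sha256:" + APP_JAR_SHA256}],
}

# The page's insecure example, transcribed as a dict.
INSECURE_RECORD = {
    "enabled": False,
    "source": {"repository": "https://github.com/example/repo", "commitHash": "latest"},
    "build": {"system": "Unknown", "version": "Unknown"},
    "dependencies": [],
    "artifacts": [{"name": "app.jar", "checksum": ""}],
}


def verify_secure() -> list[str]:
    return check_provenance(SECURE_RECORD, {"app.jar": APP_JAR})


def verify_insecure() -> list[str]:
    return check_provenance(INSECURE_RECORD, {"app.jar": APP_JAR})


def verify_tampered() -> list[str]:
    # Same record, but the artifact bytes differ from what was recorded.
    return check_provenance(SECURE_RECORD, {"app.jar": APP_JAR + b"\x00"})


if __name__ == "__main__":
    for label, result in (("secure", verify_secure()), ("insecure", verify_insecure()),
                          ("tampered", verify_tampered())):
        print(f"{label}: {'OK' if not result else result}")
```

Running the script reports the secure record as OK, lists the six findings for the insecure record, and reports a checksum mismatch for the tampered artifact. The checks are deliberately structural: a record that passes them still says nothing about whether the build system itself was trustworthy, which is why real provenance formats additionally sign the record.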