Currently, Dirty-Waters doesn't provide a check for build attestation for Maven projects, as Maven Central does not provide information related to that.
However, we could check for available build attestations for a dependency in the project directly by checking, e.g.:
- if the project provides a GitHub Attestation
- if there is a signed artifact on sigstore.dev. The signature needs to be verified separately: https://docs.sigstore.dev/about/the-importance-of-verification/ ("Verification requires the user of your software to have prior knowledge of the identity of the signer")
- Macaron also implements some check for provenance in Maven projects, which sounds like checking if there is a GitHub Actions workflow and if that deploys build artifacts to Maven Central automatically: https://oracle.github.io/macaron/pages/tutorials/detect_malicious_java_dep.html
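The following is an added sketch of what such a discovery check could look like; it is not Dirty-Waters code. It hashes the artifact, asks the GitHub attestations endpoint (`GET /repos/{owner}/{repo}/attestations/sha256:<hex>`) and the Rekor search endpoint (`POST /api/v1/index/retrieve`) whether anything references that digest, and decodes the in-toto statement inside a returned bundle to confirm it actually names the artifact. The report deliberately keeps `verified` at `False`: finding an attestation says nothing about who signed it, which is the point the sigstore link above makes. The `fetch` parameter is an assumption of this example so it can run offline against constructed responses; the `main()` demo uses such constructed data rather than the real services.

```python
"""Discover (not verify) build attestations for a Maven artifact.

Added example, not part of Dirty-Waters. Assumed endpoints:
  - GitHub REST: GET /repos/{owner}/{repo}/attestations/{subject_digest}
  - Rekor:       POST /api/v1/index/retrieve  with {"hash": "sha256:<hex>"}
HTTP access is injected through `fetch` so the logic runs offline in tests.
"""
import base64
import hashlib
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field

GITHUB_API = "https://api.github.com"
REKOR_API = "https://rekor.sigstore.dev"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact bytes; both services key on this subject digest."""
    return hashlib.sha256(data).hexdigest()


def http_fetch(url, method="GET", body=None, headers=None):
    """Real HTTP fetch returning (status, decoded JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None


def github_attestations(owner, repo, digest_hex, fetch=http_fetch):
    """List attestation bundles GitHub stores for this subject digest (404 -> none)."""
    url = f"{GITHUB_API}/repos/{owner}/{repo}/attestations/sha256:{digest_hex}"
    status, data = fetch(url, headers={"Accept": "application/vnd.github+json"})
    if status != 200 or not data:
        return []
    return data.get("attestations", [])


def rekor_entry_uuids(digest_hex, fetch=http_fetch):
    """Rekor log entries whose indexed hash matches the digest (presence only)."""
    status, data = fetch(f"{REKOR_API}/api/v1/index/retrieve", method="POST",
                         body={"hash": f"sha256:{digest_hex}"})
    return list(data) if status == 200 and data else []


def statement_subjects(attestation):
    """Decode the in-toto statement in the bundle's DSSE envelope.
    Returns (predicateType, set of subject sha256 digests). Reads the payload only;
    it does NOT check the envelope signature or the signer's identity."""
    payload_b64 = attestation["bundle"]["dsseEnvelope"]["payload"]
    stmt = json.loads(base64.b64decode(payload_b64))
    digests = {s.get("digest", {}).get("sha256", "") for s in stmt.get("subject", [])}
    return stmt.get("predicateType", ""), digests


@dataclass
class AttestationReport:
    digest: str
    github_predicates: list = field(default_factory=list)
    rekor_uuids: list = field(default_factory=list)
    # Discovery only: verification needs the expected signer identity supplied by the user.
    verified: bool = False

    @property
    def has_candidates(self) -> bool:
        return bool(self.github_predicates or self.rekor_uuids)


def check_artifact(owner, repo, artifact_bytes, fetch=http_fetch) -> AttestationReport:
    digest = sha256_hex(artifact_bytes)
    report = AttestationReport(digest=digest)
    for att in github_attestations(owner, repo, digest, fetch):
        ptype, subjects = statement_subjects(att)
        if digest in subjects:  # keep only attestations that actually name this artifact
            report.github_predicates.append(ptype)
    report.rekor_uuids = rekor_entry_uuids(digest, fetch)
    return report


def constructed_fetch(digest_hex):
    """Offline stand-in for http_fetch with constructed responses (not real data)."""
    stmt = {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": "example-lib-1.0.jar", "digest": {"sha256": digest_hex}}],
            "predicateType": "https://slsa.dev/provenance/v1", "predicate": {}}
    bundle = {"dsseEnvelope": {"payload": base64.b64encode(json.dumps(stmt).encode()).decode()}}

    def fetch(url, method="GET", body=None, headers=None):
        if url.endswith(f"/attestations/sha256:{digest_hex}"):
            return 200, {"attestations": [{"bundle": bundle}]}
        if url.endswith("/index/retrieve") and body == {"hash": f"sha256:{digest_hex}"}:
            return 200, ["constructed-rekor-uuid-0001"]
        return 404, None
    return fetch


def main():
    jar = b"constructed jar bytes, not a real artifact"
    report = check_artifact("example-org", "example-lib", jar, constructed_fetch(sha256_hex(jar)))
    print(report)
    return report


if __name__ == "__main__":
    main()
```

In a real run `check_artifact` would be called with the default `http_fetch`; a positive report is a lead for the actual verification step (with an expected signer identity), not a substitute for it.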