There is an internal problem when computing the ElegibleSince dates for repositories with the provenance control.
When sourcetool generates attestations, the controls check returns that provenance is always available (as the tool itself generates it).
But it also reports the provenance control as passing when just checking the repository status (just observing, not generating attestations), which is not true.
In practice, this may lead to a corner case reporting L1 compliance when the repo is L0 (because it's missing provenance). When relying only on sourcetool this is not possible, as the tool will always generate both the VSA; this would require another tool creating a VSA and then inspecting the repo with sourcetool, which is a possible but unlikely scenario.
Still a bug that needs fixing.