Feature improved java cataloging #2769

Merged
merged 57 commits into from
Aug 5, 2024
f26d089
WIP: gather all properties in hierarchy
GijsCalis Feb 26, 2024
87df551
Merge remote-tracking branch 'gcalis/main' into recurse-parent-poms-a…
GijsCalis Feb 27, 2024
e96dbb1
WIP: recurse into parents and boms
GijsCalis Feb 28, 2024
acdf111
WIP: Getting there, rework of recursion needed
GijsCalis Feb 29, 2024
a0dd2ef
Added resolving properties by name (reference value)
GijsCalis Mar 4, 2024
eb3f72d
Property resolution working
GijsCalis Mar 4, 2024
2602b81
Get pom from local repo, recursively gather properties
GijsCalis Mar 17, 2024
3668766
Use local Maven repository for resolving artifacts
GijsCalis Apr 4, 2024
e586b31
fix logging of error
GijsCalis Apr 4, 2024
62684c7
fix load default java cataloger config on start
GijsCalis Apr 4, 2024
902520b
fix logging of license parsing errors
GijsCalis Apr 4, 2024
78f0c24
cleanup logging: start with lowercase
GijsCalis Apr 4, 2024
7d4c5a4
Make local Maven repository dir configurable
GijsCalis Apr 7, 2024
a77af37
Add unit tests for using remote Maven repo and local Maven repo
GijsCalis Apr 7, 2024
7f1c79d
Fix unit tests by resetting caches before test
GijsCalis Apr 8, 2024
c727765
Recurse into parent poms with cycle detection
GijsCalis Apr 9, 2024
26587c8
fix bug: missed changed function signature
GijsCalis Apr 9, 2024
bf8ebfd
Remove unneeded logging
GijsCalis Apr 9, 2024
ceedb47
Merge branch 'main' into feature-improved-java-cataloging
GijsCalis Apr 9, 2024
eb80105
remove unused/duplicate modules
GijsCalis Apr 10, 2024
ec208f9
Retry resolving version property after processing all parent poms
GijsCalis Apr 10, 2024
d3efe1f
Update instructions for java configuration
GijsCalis Apr 11, 2024
1df8583
remove accidentally created SBOM files
GijsCalis Apr 11, 2024
f01788c
Code clean: style fixes
GijsCalis Apr 12, 2024
ac2e1ea
Merge remote-tracking branch 'origin/main' into feature-improved-java…
GijsCalis Apr 12, 2024
ff1c843
Merge remote-tracking branch 'origin/main' into feature-improved-java…
GijsCalis Apr 16, 2024
ebda837
Merge remote-tracking branch 'upstream/main' into feature-improved-ja…
kzantow Jun 27, 2024
f941def
chore: initial refactor to use mavenResolver
kzantow Jul 17, 2024
2ad3c5d
Merge remote-tracking branch 'upstream/main' into feature-improved-ja…
kzantow Jul 17, 2024
2922853
chore: refactor maven_repo_utils
kzantow Jul 17, 2024
9b7f3dc
Merge remote-tracking branch 'upstream/main' into feature-improved-ja…
kzantow Jul 17, 2024
8bcd53c
chore: cache maven pom files directly
kzantow Jul 17, 2024
9864efe
chore: refactor parsedPomProject
kzantow Jul 18, 2024
14536a0
Merge remote-tracking branch 'upstream/main' into feature-improved-ja…
kzantow Jul 18, 2024
b51c5eb
chore: fix env var names
kzantow Jul 18, 2024
a3485b3
chore: update some comments
kzantow Jul 18, 2024
f11cb49
chore: maven_resolver refactoring
kzantow Jul 18, 2024
1960f70
chore: trim test files
kzantow Jul 18, 2024
3486497
Merge remote-tracking branch 'upstream/main' into feature-improved-ja…
kzantow Jul 18, 2024
4a7b5b6
Merge remote-tracking branch 'upstream/main' into feature-improved-ja…
kzantow Jul 22, 2024
bbcf965
feat: add maven relativePath parent resolution
kzantow Jul 23, 2024
6472bdf
chore: lint-fix
kzantow Jul 23, 2024
a1fb9d7
chore: refactor pom cataloger to scan and index all poms in the resolver
kzantow Jul 23, 2024
7b2fb7a
chore: improve property resolution for boms
kzantow Jul 23, 2024
0f41319
chore: properly resolve maven ID info
kzantow Jul 24, 2024
9a047e4
fix: improve determinism in java archive identification
kzantow Jul 25, 2024
d06334b
Merge remote-tracking branch 'upstream/main' into feature-improved-ja…
kzantow Jul 25, 2024
103a608
Merge remote-tracking branch 'origin/fix/deterministic-java-pom-prope…
kzantow Jul 25, 2024
e8b14f7
chore: use structured logging
kzantow Jul 25, 2024
80253f7
chore: use structured logging
kzantow Jul 25, 2024
984f21c
Merge remote-tracking branch 'upstream/main' into feature-improved-ja…
kzantow Jul 29, 2024
697b4e1
chore: don't trim existing pom
kzantow Jul 29, 2024
084e1f7
chore: reorganize test utils
kzantow Jul 29, 2024
7ff89e5
Merge remote-tracking branch 'upstream/main' into feature-improved-ja…
kzantow Jul 30, 2024
7837e26
fix: properly respect max parent depth, default to unlimited
kzantow Jul 31, 2024
e11085c
Merge remote-tracking branch 'upstream/main' into feature-improved-ja…
kzantow Aug 4, 2024
a2a695f
chore: pr feedback
kzantow Aug 4, 2024
fix: properly respect max parent depth, default to unlimited
Signed-off-by: Keith Zantow <kzantow@gmail.com>
kzantow committed Jul 31, 2024

Verified

This commit was signed with the committer’s verified signature.
kzantow Keith Zantow
commit 7837e2647428e7a4401f5dfa7c404f743c198231
2 changes: 1 addition & 1 deletion cmd/syft/internal/options/java.go
@@ -34,7 +34,7 @@ func (o *javaConfig) DescribeFields(descriptions clio.FieldDescriptionSet) {
a parent or imported pom file is not found in the local maven repository.
the pom files are downloaded from the remote Maven repository at 'maven-url'`)
descriptions.Add(&o.MavenURL, `maven repository to use, defaults to Maven central`)
descriptions.Add(&o.MaxParentRecursiveDepth, `depth to recursively resolve parent POMs`)
descriptions.Add(&o.MaxParentRecursiveDepth, `depth to recursively resolve parent POMs, no limit if <= 0`)
descriptions.Add(&o.UseMavenLocalRepository, `use the local Maven repository to retrieve pom files. When Maven is installed and was previously used
for building the software that is being scanned, then most pom files will be available in this
repository on the local file system. this greatly speeds up scans. when all pom files are available
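Review bot: the new help text "no limit if <= 0" is the only place a user learns that zero and negative values disable the bound, so it should stay in step with the config default (changed to 0 in this same commit) and with the `> 0` guards in maven_resolver.go; it would also help to say here that unlimited depth is still cycle-checked, since a reader weighing the default against a remote Maven repository will want to know that resolution cannot loop, only walk long parent chains.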
1 change: 0 additions & 1 deletion syft/pkg/cataloger/java/archive_parser_test.go
@@ -45,7 +45,6 @@ func TestSearchMavenForLicenses(t *testing.T) {
UseNetwork: true,
UseMavenLocalRepository: false,
MavenBaseURL: url,
MaxParentRecursiveDepth: 5,
},
expectedLicenses: []pkg.License{
{
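Review bot: dropping the explicit MaxParentRecursiveDepth from this fixture means the license search now runs with the zero value, which this commit defines as unlimited; that is reasonable for a network-backed test, but a one-line comment in the struct saying the default is intended would keep a future reader from reading the missing field as an oversight.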
6 changes: 2 additions & 4 deletions syft/pkg/cataloger/java/config.go
@@ -20,7 +20,7 @@ func DefaultArchiveCatalogerConfig() ArchiveCatalogerConfig {
UseMavenLocalRepository: false,
MavenLocalRepositoryDir: defaultMavenLocalRepoDir(),
MavenBaseURL: mavenBaseURL,
MaxParentRecursiveDepth: 10,
MaxParentRecursiveDepth: 0, // unlimited
}
}

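Review bot: the `// unlimited` comment on the default holds only because every consumer guards with `MaxParentRecursiveDepth > 0`; since the CLI description in this commit promises "no limit if <= 0", the doc comment on the MaxParentRecursiveDepth field itself (not shown in this hunk) should state the same rule, so a negative value arriving from config is understood as unlimited rather than as a mistake.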
@@ -47,9 +47,7 @@ func (j ArchiveCatalogerConfig) WithMavenBaseURL(input string) ArchiveCatalogerC
}

func (j ArchiveCatalogerConfig) WithArchiveTraversal(search cataloging.ArchiveSearchConfig, maxDepth int) ArchiveCatalogerConfig {
if maxDepth > 0 {
j.MaxParentRecursiveDepth = maxDepth
}
j.MaxParentRecursiveDepth = maxDepth
j.ArchiveSearchConfig = search
return j
}
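Review bot: removing the `if maxDepth > 0` guard changes what a zero argument to WithArchiveTraversal means: previously 0 left the configured depth (10 by default) untouched, now it overwrites it with unlimited. That matches the new meaning of 0 elsewhere in this commit, but any caller that passed 0 as "keep the current value" silently loses its bound, so the call sites are worth checking and the method comment should say the value is assigned unconditionally.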
9 changes: 6 additions & 3 deletions syft/pkg/cataloger/java/maven_resolver.go
@@ -114,7 +114,10 @@ func (r *mavenResolver) resolveProperty(ctx context.Context, resolutionContext [

for _, pom := range resolutionContext {
current := pom
for current != nil {
for parentDepth := 0; current != nil; parentDepth++ {
if r.cfg.MaxParentRecursiveDepth > 0 && parentDepth > r.cfg.MaxParentRecursiveDepth {
return "", fmt.Errorf("maximum parent recursive depth (%v) reached resolving property: %v", r.cfg.MaxParentRecursiveDepth, propertyExpression)
}
if current.Properties != nil && current.Properties.Entries != nil {
if value, ok := current.Properties.Entries[propertyExpression]; ok {
return r.resolveExpression(ctx, resolutionContext, value, resolving) // property values can contain expressions
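Review bot: the new `parentDepth` counter is reset for each entry of resolutionContext, so the bound applies per parent chain rather than to the total number of POMs visited, and exceeding it returns an error rather than an unresolved value. The test added in this commit ("depth limited should not resolve", maxDepth 1) expects an empty result with wantErr unset, which implies some caller swallows this error; if that is intended, a debug log where it is swallowed would make a silently unresolved property diagnosable. Note also that the counter starts at 0 for the POM itself, so a configured depth N permits N parents above it, consistent with the `>` comparisons later in this file.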
@@ -421,7 +424,7 @@ func (r *mavenResolver) findInheritedVersion(ctx context.Context, pom *gopom.Pro
if pom == nil {
return "", fmt.Errorf("nil pom provided to findInheritedVersion")
}
if len(resolutionContext) >= r.cfg.MaxParentRecursiveDepth {
if r.cfg.MaxParentRecursiveDepth > 0 && len(resolutionContext) > r.cfg.MaxParentRecursiveDepth {
return "", fmt.Errorf("maximum depth reached attempting to resolve version for: %s:%s at: %v", groupID, artifactID, r.resolveMavenID(ctx, pom))
}
if slices.Contains(resolutionContext, pom) {
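Review bot: changing `>=` to `>` moves the boundary by one: with MaxParentRecursiveDepth set to N, findInheritedVersion previously failed once N POMs were in the resolution context and now fails only at N+1. That brings it in line with the `>` checks in resolveProperty and resolveLicenses, but it is a behaviour change for users who set an explicit depth, and the commit message mentions only the default; a sentence in the PR description would help. The `slices.Contains` cycle check that follows still runs on every call, which is what keeps the new unlimited default from looping on a self-referencing parent.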
@@ -509,7 +512,7 @@ func (r *mavenResolver) resolveLicenses(ctx context.Context, pom *gopom.Project,
if slices.Contains(processing, id) {
return nil, fmt.Errorf("cycle detected resolving licenses for: %v", id)
}
if len(processing) > r.cfg.MaxParentRecursiveDepth {
if r.cfg.MaxParentRecursiveDepth > 0 && len(processing) > r.cfg.MaxParentRecursiveDepth {
return nil, fmt.Errorf("maximum parent recursive depth (%v) reached: %v", r.cfg.MaxParentRecursiveDepth, processing)
}

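Review bot: this is the third copy of the `MaxParentRecursiveDepth > 0 && n > MaxParentRecursiveDepth` guard in this file (the others are in resolveProperty and findInheritedVersion); a small method such as `func (r *mavenResolver) depthExceeded(depth int) bool` would keep the three checks from drifting apart again, as they had with the `>=` in findInheritedVersion before this commit.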
26 changes: 23 additions & 3 deletions syft/pkg/cataloger/java/maven_resolver_test.go
@@ -171,30 +171,51 @@ func Test_mavenResolverLocal(t *testing.T) {
require.NoError(t, err)

tests := []struct {
name string
groupID string
artifactID string
version string
maxDepth int
expression string
expected string
wantErr require.ErrorAssertionFunc
}{
{
name: "artifact id with variable from 2nd parent",
groupID: "my.org",
artifactID: "child-one",
version: "1.3.6",
expression: "${project.one}",
expected: "1",
},
{
name: "depth limited large enough",
groupID: "my.org",
artifactID: "child-one",
version: "1.3.6",
expression: "${project.one}",
expected: "1",
maxDepth: 2,
},
{
name: "depth limited should not resolve",
groupID: "my.org",
artifactID: "child-one",
version: "1.3.6",
expression: "${project.one}",
expected: "",
maxDepth: 1,
},
}

for _, test := range tests {
t.Run(test.artifactID, func(t *testing.T) {
t.Run(test.name, func(t *testing.T) {
ctx := context.Background()
r := newMavenResolver(nil, ArchiveCatalogerConfig{
UseNetwork: false,
UseMavenLocalRepository: true,
MavenLocalRepositoryDir: dir,
MaxParentRecursiveDepth: 5,
MaxParentRecursiveDepth: test.maxDepth,
})
pom, err := r.findPom(ctx, test.groupID, test.artifactID, test.version)
if test.wantErr != nil {
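Review bot: the "depth limited should not resolve" case sets expected to "" and leaves wantErr nil, so it pins down that a too-small depth yields an empty value rather than an error; that is what a user observes, but it also means a regression that returns nothing for any reason would pass, so a case that exercises the error path through wantErr (if findPom surfaces it) would make the intent explicit. Leaving maxDepth at 0 in the first case is a useful check of the new unlimited default, and switching t.Run to test.name is required now that three cases share the same artifactID.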
@@ -235,7 +256,6 @@ func Test_mavenResolverRemote(t *testing.T) {
UseNetwork: true,
UseMavenLocalRepository: false,
MavenBaseURL: url,
MaxParentRecursiveDepth: 5,
})
pom, err := r.findPom(ctx, test.groupID, test.artifactID, test.version)
if test.wantErr != nil {
6 changes: 0 additions & 6 deletions syft/pkg/cataloger/java/parse_pom_xml_test.go
@@ -206,7 +206,6 @@ func Test_parseCommonsTextPomXMLProjectWithLocalRepository(t *testing.T) {
},
UseMavenLocalRepository: true,
MavenLocalRepositoryDir: "test-fixtures/pom/maven-repo",
MaxParentRecursiveDepth: 5,
})
pkgtest.TestCataloger(t, test.dir, cat, test.expected, nil)
})
@@ -258,7 +257,6 @@ func Test_parseCommonsTextPomXMLProjectWithNetwork(t *testing.T) {
UseNetwork: true,
MavenBaseURL: url,
UseMavenLocalRepository: false,
MaxParentRecursiveDepth: 5,
})
pkgtest.TestCataloger(t, test.dir, cat, test.expected, nil)
})
@@ -461,7 +459,6 @@ func Test_resolveLicenses(t *testing.T) {
UseNetwork: false,
MavenLocalRepositoryDir: "",
MavenBaseURL: "",
MaxParentRecursiveDepth: 10,
},
expected: nil,
},
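Review bot: with the explicit depth removed from these Test_resolveLicenses fixtures, resolveLicenses (one of the three guarded paths in maven_resolver.go) no longer has any test that exercises its depth bound; the bounded cases added in this commit only cover resolveProperty. One case here with a small MaxParentRecursiveDepth and the expected error or truncated license list would close that gap.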
@@ -471,7 +468,6 @@ func Test_resolveLicenses(t *testing.T) {
cfg: ArchiveCatalogerConfig{
UseMavenLocalRepository: false,
UseNetwork: false,
MaxParentRecursiveDepth: 10,
},
expected: expectedLicenses,
},
@@ -483,7 +479,6 @@ func Test_resolveLicenses(t *testing.T) {
MavenLocalRepositoryDir: localM2,
UseNetwork: false,
MavenBaseURL: "",
MaxParentRecursiveDepth: 10,
},
expected: expectedLicenses,
},
@@ -494,7 +489,6 @@ func Test_resolveLicenses(t *testing.T) {
UseMavenLocalRepository: false,
UseNetwork: true,
MavenBaseURL: mavenURL,
MaxParentRecursiveDepth: 10,
},
expected: expectedLicenses,
},