Feature improved java cataloging

cmd/syft/internal/options/catalog.go

@@ -64,6 +64,7 @@ func DefaultCatalog() Catalog {
 		Package:       defaultPackageConfig(),
 		LinuxKernel:   defaultLinuxKernelConfig(),
 		Golang:        defaultGolangConfig(),
+		Java:          defaultJavaConfig(),
 		File:          defaultFileConfig(),
 		Relationships: defaultRelationshipsConfig(),
 		Source:        defaultSourceConfig(),
@@ -150,6 +151,8 @@ func (cfg Catalog) ToPackagesConfig() pkgcataloging.Config {
 			GuessUnpinnedRequirements: cfg.Python.GuessUnpinnedRequirements,
 		},
 		JavaArchive: java.DefaultArchiveCatalogerConfig().
+			WithUseMavenLocalRepository(cfg.Java.UseMavenLocalRepository).
+			WithMavenLocalRepositoryDir(cfg.Java.MavenLocalRepositoryDir).
 			WithUseNetwork(cfg.Java.UseNetwork).
 			WithMavenBaseURL(cfg.Java.MavenURL).
 			WithArchiveTraversal(archiveSearch, cfg.Java.MaxParentRecursiveDepth),

cmd/syft/internal/options/java.go

@@ -1,24 +1,46 @@
 package options
 
-import "github.com/anchore/clio"
+import (
+	"github.com/anchore/clio"
+	"github.com/anchore/syft/syft/pkg/cataloger/java"
+)
 
 type javaConfig struct {
 	UseNetwork              bool   `yaml:"use-network" json:"use-network" mapstructure:"use-network"`
+	UseMavenLocalRepository bool   `yaml:"use-maven-local-repository" json:"use-maven-local-repository" mapstructure:"use-maven-local-repository"`
+	MavenLocalRepositoryDir string `yaml:"maven-local-repository-dir" json:"maven-local-repository-dir" mapstructure:"maven-local-repository-dir"`
 	MavenURL                string `yaml:"maven-url" json:"maven-url" mapstructure:"maven-url"`
 	MaxParentRecursiveDepth int    `yaml:"max-parent-recursive-depth" json:"max-parent-recursive-depth" mapstructure:"max-parent-recursive-depth"`
 }
 
+func defaultJavaConfig() javaConfig {
+	def := java.DefaultArchiveCatalogerConfig()
+
+	return javaConfig{
+		UseNetwork:              def.UseNetwork,
+		MaxParentRecursiveDepth: def.MaxParentRecursiveDepth,
+		UseMavenLocalRepository: def.UseMavenLocalRepository,
+		MavenLocalRepositoryDir: def.MavenLocalRepositoryDir,
+		MavenURL:                def.MavenBaseURL,
+	}
+}
+
 var _ interface {
 	clio.FieldDescriber
 } = (*javaConfig)(nil)
 
 func (o *javaConfig) DescribeFields(descriptions clio.FieldDescriptionSet) {
-	descriptions.Add(&o.UseNetwork, `enables Syft to use the network to fill in more detailed information about artifacts
-currently this enables searching maven-url for license data
-when running across pom.xml files that could have more information, syft will
-explicitly search maven for license information by querying the online pom when this is true
-this option is helpful for when the parent pom has more data,
-that is not accessible from within the final built artifact`)
+	descriptions.Add(&o.UseNetwork, `enables Syft to use the network to fetch version and license information for packages when
+a parent or imported pom file is not found in the local maven repository.
+the pom files are downloaded from the remote Maven repository at 'maven-url'`)
 	descriptions.Add(&o.MavenURL, `maven repository to use, defaults to Maven central`)
 	descriptions.Add(&o.MaxParentRecursiveDepth, `depth to recursively resolve parent POMs`)
+	descriptions.Add(&o.UseMavenLocalRepository, `use the local Maven repository to retrieve pom files. When Maven is installed and was previously used
+for building the software that is being scanned, then most pom files will be available in this
+repository on the local file system. this greatly speeds up scans. when all pom files are available
+in the local repository, then 'use-network' is not needed.
+TIP: If you want to download all required pom files to the local repository without running a full
+build, run 'mvn help:effective-pom' before performing the scan with syft.`)
+	descriptions.Add(&o.MavenLocalRepositoryDir, `override the default location of the local Maven repository. 
+the default is the subdirectory '.m2/repository' in your home directory`)
 }

go.mod

@@ -90,6 +90,7 @@ require (
 	github.com/BurntSushi/toml v1.4.0
 	github.com/adrg/xdg v0.5.0
 	github.com/magiconair/properties v1.8.7
+	golang.org/x/exp v0.0.0-20231108232855-2478ac86f678
 )
 
 require (
@@ -230,7 +231,6 @@ require (
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
 	golang.org/x/crypto v0.25.0 // indirect
-	golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 // indirect
 	golang.org/x/sync v0.7.0 // indirect
 	golang.org/x/sys v0.22.0 // indirect
 	golang.org/x/term v0.22.0 // indirect

syft/file/license.go

@@ -21,7 +21,7 @@ type LicenseEvidence struct {
 func NewLicense(value string) License {
 	spdxExpression, err := license.ParseExpression(value)
 	if err != nil {
-		log.Trace("unable to parse license expression: %s, %w", value, err)
+		log.Tracef("unable to parse license expression: '%s', error: '%v'", value, err)
 	}
 
 	return License{

syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go

@@ -310,6 +310,11 @@ func TestFileParser(t *testing.T, fixturePath string, parser generic.Parser, exp
 	NewCatalogTester().FromFile(t, fixturePath).Expects(expectedPkgs, expectedRelationships).TestParser(t, parser)
 }
 
+func TestCataloger(t *testing.T, fixtureDir string, cataloger pkg.Cataloger, expectedPkgs []pkg.Package, expectedRelationships []artifact.Relationship) {
+	t.Helper()
+	NewCatalogTester().FromDirectory(t, fixtureDir).Expects(expectedPkgs, expectedRelationships).TestCataloger(t, cataloger)
+}
+
 func TestFileParserWithEnv(t *testing.T, fixturePath string, parser generic.Parser, env *generic.Environment, expectedPkgs []pkg.Package, expectedRelationships []artifact.Relationship) {
 	t.Helper()