Improved detection for standalone jar files by using pom.properties file if available #724
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
use pom.properties if available fallback to old logic if pom properties is not available extract only META-INF from jar Signed-off-by: Nikemare <[email protected]>
Signed-off-by: Nikemare <[email protected]>
Signed-off-by: Nikemare <[email protected]>
Signed-off-by: Nikemare <[email protected]>
|
@prabhu Thank you. About repotests I'm a little bit lost in the moment, if you can guide me in the right direction I will add it. I found repotests.yml
But then, how do I validate the json? Or is the auto-validation via |
|
@Nikemare, it's a good question. Can we do something similar to our jenkins tests? Download some jars to a directory and run cdxgen? https://github.com/CycloneDX/cdxgen/blob/master/.github/workflows/repotests.yml#L215 We can just print the sbom with -p for now. In the future, we can add some snapshot based testing. |
Signed-off-by: Nikemare <[email protected]>
|
@prabhu I made a mistake in repotest, will commit fix in a second. |
Missed to specify directory in repotest for standalone jar files Signed-off-by: Nikemare <[email protected]>
|
Step standalone jar files in repotests takes 2 seconds with following output now: |
prabhu
reviewed
Nov 19, 2023
| @@ -228,7 +228,7 @@ jobs: | |||
| curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-core/2.16.0/jackson-core-2.16.0.jar | |||
| curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/junit/junit/4.13.2/junit-4.13.2.jar | |||
| curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/wsdl4j/wsdl4j/1.6.3/wsdl4j-1.6.3.jar | |||
| FETCH_LICENSE=true bin/cdxgen.js -p -o bomresults/bom-standalone-jar-files.json --validate | |||
| FETCH_LICENSE=true bin/cdxgen.js -p standalone-jar-files -o bomresults/bom-standalone-jar-files.json --validate | |||
|
Works fine for me - but I'm analyzing only source code repos so far. |
prabhu
reviewed
Nov 20, 2023
| if (existsSync(mavenDir)) { | ||
| let groupDir = readdirSync(mavenDir); | ||
| if (groupDir && groupDir.length) { | ||
| let artifactDir = readdirSync(join(mavenDir, groupDir[0])); |
There was a problem hiding this comment.
@Nikemare, This line is failing while creating an SBOM for container images.
Error: ENOTDIR: not a directory, scandir '/tmp/jar-deps-pgCSWJ/META-INF/maven/extension.xml'
at readdirSync (node:fs:1516:26)
at extractJarArchive (file:///mnt/work/CycloneDX/cdxgen/utils.js:6650:31)
at createJarBom (file:///mnt/work/CycloneDX/cdxgen/index.js:1084:21)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async createMultiXBom (file:///mnt/work/CycloneDX/cdxgen/index.js:4868:15)
at async createBom (file:///mnt/work/CycloneDX/cdxgen/index.js:5388:21)
at async file:///mnt/work/CycloneDX/cdxgen/bin/cdxgen.js:366:20 {
errno: -20,
Below change at 6649 helps
if (
groupDir &&
groupDir.length &&
lstatSync(join(mavenDir, groupDir[0])).isDirectory()
) {
There was a problem hiding this comment.
@prabhu I can provide a fix in the evening (CET), or will you fix it on your own?
There was a problem hiding this comment.
The evening sounds good! Thank you so much!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Another improvement for standalone jar files
Steps to reproduce:
xmlschema-core and org.jacoco.report before my change:
and after my change with correct group, name and version, which results also in successfully fetched license information:
In both cases FETCH_LICENSE was set to true. Other components have unchanged results, as they were resolved correctly already before my change.