
[409] Removes non-deployed artifacts from SBOM
This PR detects reactor artifacts that are neither deployed by
`maven-deploy-plugin` nor `nexus-staging-maven-plugin`. These artifacts
will:
 * not appear as dependencies in the aggregate BOM,
 * not generate BOMs.

Fixes #409.

Signed-off-by: Piotr P. Karwasz <piotr.github@karwasz.org>
ppkarwasz committed Oct 26, 2023
1 parent 8cd64d9 commit 7bbf61d
Showing 10 changed files with 298 additions and 10 deletions.
1 change: 1 addition & 0 deletions src/it/makeAggregateBom/pom.xml
Expand Up @@ -79,6 +79,7 @@
<modules>
<module>api</module>
<module>impls</module>
<module>skipped</module>
<module>util</module>
</modules>

43 changes: 43 additions & 0 deletions src/it/makeAggregateBom/skipped/deploy-config/pom.xml
@@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is part of CycloneDX Maven Plugin.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
SPDX-License-Identifier: Apache-2.0
Copyright (c) OWASP Foundation. All Rights Reserved.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

<modelVersion>4.0.0</modelVersion>

<parent>
<groupId>org.cyclonedx.its</groupId>
<artifactId>skipped</artifactId>
<version>1.0-SNAPSHOT</version>
</parent>
<artifactId>deploy-config</artifactId>

<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-deploy-plugin</artifactId>
<version>3.1.1</version>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
</plugins>
</build>
</project>
34 changes: 34 additions & 0 deletions src/it/makeAggregateBom/skipped/deploy-property/pom.xml
@@ -0,0 +1,34 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is part of CycloneDX Maven Plugin.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
SPDX-License-Identifier: Apache-2.0
Copyright (c) OWASP Foundation. All Rights Reserved.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

<modelVersion>4.0.0</modelVersion>

<parent>
<groupId>org.cyclonedx.its</groupId>
<artifactId>skipped</artifactId>
<version>1.0-SNAPSHOT</version>
</parent>
<artifactId>deploy-property</artifactId>

<properties>
<maven.deploy.skip>true</maven.deploy.skip>
</properties>
</project>
48 changes: 48 additions & 0 deletions src/it/makeAggregateBom/skipped/nexus-config/pom.xml
@@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is part of CycloneDX Maven Plugin.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
SPDX-License-Identifier: Apache-2.0
Copyright (c) OWASP Foundation. All Rights Reserved.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

<modelVersion>4.0.0</modelVersion>

<parent>
<groupId>org.cyclonedx.its</groupId>
<artifactId>skipped</artifactId>
<version>1.0-SNAPSHOT</version>
</parent>
<artifactId>nexus-config</artifactId>

<properties>
<skipNexusStagingDeployMojo>true</skipNexusStagingDeployMojo>
</properties>

<build>
<plugins>
<plugin>
<groupId>org.sonatype.plugins</groupId>
<artifactId>nexus-staging-maven-plugin</artifactId>
<version>1.6.8</version>
<extensions>true</extensions>
<configuration>
<skipNexusStagingDeployMojo>true</skipNexusStagingDeployMojo>
</configuration>
</plugin>
</plugins>
</build>
</project>
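Review bot: The nexus-config fixture sets `skipNexusStagingDeployMojo` twice — once in `<properties>` and once in the plugin `<configuration>` — so the configuration lookup this module is meant to exercise is never the deciding factor: the property alone already makes the module non-deployable, and a regression in the execution-configuration branch of `isDeployable` would go unnoticed. Drop the `<properties>` block here so that nexus-property and nexus-config cover distinct code paths, the way deploy-property and deploy-config already do.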
45 changes: 45 additions & 0 deletions src/it/makeAggregateBom/skipped/nexus-property/pom.xml
@@ -0,0 +1,45 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is part of CycloneDX Maven Plugin.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
SPDX-License-Identifier: Apache-2.0
Copyright (c) OWASP Foundation. All Rights Reserved.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

<modelVersion>4.0.0</modelVersion>

<parent>
<groupId>org.cyclonedx.its</groupId>
<artifactId>skipped</artifactId>
<version>1.0-SNAPSHOT</version>
</parent>
<artifactId>nexus-property</artifactId>

<properties>
<skipNexusStagingDeployMojo>true</skipNexusStagingDeployMojo>
</properties>

<build>
<plugins>
<plugin>
<groupId>org.sonatype.plugins</groupId>
<artifactId>nexus-staging-maven-plugin</artifactId>
<version>1.6.8</version>
<extensions>true</extensions>
</plugin>
</plugins>
</build>
</project>
38 changes: 38 additions & 0 deletions src/it/makeAggregateBom/skipped/pom.xml
@@ -0,0 +1,38 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is part of CycloneDX Maven Plugin.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
SPDX-License-Identifier: Apache-2.0
Copyright (c) OWASP Foundation. All Rights Reserved.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

<modelVersion>4.0.0</modelVersion>

<parent>
<groupId>org.cyclonedx.its</groupId>
<artifactId>makeAggregateBom</artifactId>
<version>1.0-SNAPSHOT</version>
</parent>
<artifactId>skipped</artifactId>
<packaging>pom</packaging>

<modules>
<module>deploy-property</module>
<module>deploy-config</module>
<module>nexus-property</module>
<module>nexus-config</module>
</modules>
</project>
29 changes: 22 additions & 7 deletions src/it/makeAggregateBom/verify.groovy
Expand Up @@ -15,25 +15,39 @@ void assertBomFiles(String path, boolean aggregate) {
assert bomFileJson.text.contains('"value" : "compile,provided,runtime,system"')
}

void assertNoBomFiles(String path) {
File bomFileXml = new File(basedir, path + ".xml")
File bomFileJson = new File(basedir, path + ".json")

assert !bomFileXml.exists()
assert !bomFileJson.exists()
}

assertBomFiles("target/bom", true) // aggregate
assertBomFiles("api/target/bom", false)
assertBomFiles("util/target/bom", false)
assertBomFiles("impls/target/bom", false)
assertBomFiles("impls/impl-A/target/bom", false)
assertBomFiles("impls/impl-B/target/bom", false)
assertBomFiles("skipped/target/bom", false)

assertNoBomFiles("skipped/deploy-config/target/bom")
assertNoBomFiles("skipped/deploy-property/target/bom")
assertNoBomFiles("skipped/nexus-config/target/bom")
assertNoBomFiles("skipped/nexus-property/target/bom")

var buildLog = new File(basedir, "build.log").text

assert 11 == (buildLog =~ /\[INFO\] CycloneDX: Resolving Dependencies/).size()
assert 13 == (buildLog =~ /\[INFO\] CycloneDX: Resolving Dependencies/).size()
assert 2 == (buildLog =~ /\[INFO\] CycloneDX: Resolving Aggregated Dependencies/).size()

// 13 = 6 modules for main cyclonedx-makeAggregateBom execution
// 15 = 7 modules for main cyclonedx-makeAggregateBom execution
// + 1 for root module cyclonedx-makeAggregateBom-root-only execution
// + 6 modules for additional cyclonedx-makeBom execution
assert 13 == (buildLog =~ /\[INFO\] CycloneDX: Writing and validating BOM \(XML\)/).size()
assert 13 == (buildLog =~ /\[INFO\] CycloneDX: Writing and validating BOM \(JSON\)/).size()
// + 7 modules for additional cyclonedx-makeBom execution
assert 15 == (buildLog =~ /\[INFO\] CycloneDX: Writing and validating BOM \(XML\)/).size()
assert 15 == (buildLog =~ /\[INFO\] CycloneDX: Writing and validating BOM \(JSON\)/).size()
// cyclonedx-makeAggregateBom-root-only execution skips 5 non-root modules
assert 5 == (buildLog =~ /\[INFO\] Skipping CycloneDX on non-execution root/).size()
assert 6 == (buildLog =~ /\[INFO\] Skipping CycloneDX on non-execution root/).size()

// [WARNING] artifact org.cyclonedx.its:api:xml:cyclonedx:1.0-SNAPSHOT already attached, replace previous instance
assert 0 == (buildLog =~ /-SNAPSHOT already attached, replace previous instance/).size()
Expand Down Expand Up @@ -65,4 +79,5 @@ String rootDependencies = bom.substring(bom.indexOf('<dependency ref="pkg:maven/
assert rootDependencies.contains('<dependency ref="pkg:maven/org.cyclonedx.its/api@1.0-SNAPSHOT?type=jar"/>')
assert rootDependencies.contains('<dependency ref="pkg:maven/org.cyclonedx.its/impls@1.0-SNAPSHOT?type=pom"/>')
assert rootDependencies.contains('<dependency ref="pkg:maven/org.cyclonedx.its/util@1.0-SNAPSHOT?type=jar"/>')
assert 4 == (rootDependencies =~ /<dependency ref="pkg:maven/).size()
assert rootDependencies.contains('<dependency ref="pkg:maven/org.cyclonedx.its/skipped@1.0-SNAPSHOT?type=pom"/>')
assert 5 == (rootDependencies =~ /<dependency ref="pkg:maven/).size()
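Review bot: The new assertions check that the `skipped` parent appears among the root dependencies and that their count is 5, but nothing asserts that the four non-deployed modules are absent from the aggregate BOM, which is the property the change is meant to guarantee; `rootDependencies` only covers the root's direct dependency list, not the component list or the other modules' dependency entries. Add `assert !bom.contains('org.cyclonedx.its/deploy-config@')` and the same line for `deploy-property`, `nexus-config` and `nexus-property`, so a regression that drops the BOM files but still lists the modules as components is caught. The `bom` variable is defined outside this hunk.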
59 changes: 57 additions & 2 deletions src/main/java/org/cyclonedx/maven/BaseCycloneDxMojo.java
Expand Up @@ -21,12 +21,15 @@
import org.apache.commons.io.FileUtils;
import org.apache.maven.artifact.Artifact;
import org.apache.maven.execution.MavenSession;
import org.apache.maven.model.Plugin;
import org.apache.maven.model.PluginExecution;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.project.MavenProject;
import org.apache.maven.project.MavenProjectHelper;
import org.apache.maven.shared.dependency.analyzer.ProjectDependencyAnalysis;
import org.codehaus.plexus.util.xml.Xpp3Dom;
import org.cyclonedx.BomGeneratorFactory;
import org.cyclonedx.CycloneDxSchema;
import org.cyclonedx.exception.GeneratorException;
Expand Down Expand Up @@ -234,6 +237,12 @@ public abstract class BaseCycloneDxMojo extends AbstractMojo {
protected static final String MESSAGE_ATTACHING_BOM = " attaching as %s-%s-cyclonedx.%s";
protected static final String MESSAGE_VALIDATION_FAILURE = "The BOM does not conform to the CycloneDX BOM standard as defined by the XSD";

/**
* Maven plugins that deploy artifacts.
*/
private static final String MAVEN_DEPLOY_PLUGIN = "org.apache.maven.plugins:maven-deploy-plugin";
private static final String NEXUS_STAGING_PLUGIN = "org.sonatype.plugins:nexus-staging-maven-plugin";

/**
* Returns a reference to the current project.
*
Expand Down Expand Up @@ -262,9 +271,15 @@ protected Component convert(Artifact artifact) {
*/
protected abstract String extractComponentsAndDependencies(Set<String> topLevelComponents, Map<String, Component> components, Map<String, Dependency> dependencies) throws MojoExecutionException;

/**
* @return {@literal true} if the execution should be skipped.
*/
protected boolean shouldSkip() {
return Boolean.parseBoolean(System.getProperty("cyclonedx.skip", Boolean.toString(skip)));
}

public void execute() throws MojoExecutionException {
final boolean shouldSkip = Boolean.parseBoolean(System.getProperty("cyclonedx.skip", Boolean.toString(skip)));
if (shouldSkip) {
if (shouldSkip()) {
getLog().info("Skipping CycloneDX");
return;
}
Expand Down Expand Up @@ -511,4 +526,44 @@ private Component.Scope mergeScopes(final Component.Scope existing, final Compon
}
return existing;
}

static boolean isDeployable(final MavenProject project) {
return isDeployable(project,
MAVEN_DEPLOY_PLUGIN,
"skip",
"maven.deploy.skip")
|| isDeployable(project,
NEXUS_STAGING_PLUGIN,
"skipNexusStagingDeployMojo",
"skipNexusStagingDeployMojo");
}

private static boolean isDeployable(final MavenProject project,
final String pluginKey,
final String parameter,
final String propertyName) {
final Plugin plugin = project.getPlugin(pluginKey);
if (plugin != null) {
// Default skip value
final String property = System.getProperty(propertyName, project.getProperties().getProperty(propertyName));
final boolean defaultSkipValue = property != null ? Boolean.parseBoolean(property) : false;
// Find an execution that is not skipped
for (final PluginExecution execution : plugin.getExecutions()) {
if (execution.getGoals().contains("deploy")) {
final Xpp3Dom executionConf = (Xpp3Dom) execution.getConfiguration();
boolean skipValue = defaultSkipValue;
if (executionConf != null) {
Xpp3Dom target = executionConf.getChild(parameter);
if (target != null) {
skipValue = Boolean.parseBoolean(target.getValue());
}
}
if (!skipValue) {
return true;
}
}
}
}
return false;
}
}
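Review bot: `isDeployable(MavenProject)` returns false when neither `maven-deploy-plugin` nor `nexus-staging-maven-plugin` is found via `project.getPlugin(...)`, so a module whose packaging or lifecycle extension publishes artifacts by some other plugin is silently dropped from the aggregate BOM and gets no BOM of its own — an SBOM completeness gap that nothing logs. Please confirm that default lifecycle bindings are injected into the effective model for every packaging this plugin supports, and either give the package-private method a Javadoc stating the heuristic (deployable iff at least one `deploy` execution of one of the two plugins exists and is not skipped; any other deploy mechanism is treated as non-deployable) or default to deployable when no known deploy plugin is declared. The `System.getProperty(propertyName, ...)` lookup also sees only JVM system properties; a `-D` given to an embedded or daemon Maven lives in the session's user properties, so resolving through `MavenSession.getUserProperties()` would be more reliable if a session is reachable from here. Minor: `property != null ? Boolean.parseBoolean(property) : false` is equivalent to `Boolean.parseBoolean(property)`, since `parseBoolean(null)` is false.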
Expand Up @@ -91,6 +91,9 @@ protected boolean shouldExclude(MavenProject mavenProject) {
if (excludeTestProject && mavenProject.getArtifactId().contains("test")) {
shouldExclude = true;
}
if (!BaseCycloneDxMojo.isDeployable(mavenProject)) {
shouldExclude = true;
}
return shouldExclude;
}

Expand Down Expand Up @@ -146,7 +149,7 @@ protected String extractComponentsAndDependencies(final Set<String> topLevelComp
*/
private void addMavenProjectsAsParentDependencies(List<MavenProject> reactorProjects, Map<String, Dependency> dependencies) {
for (final MavenProject project: reactorProjects) {
if (project.hasParent()) {
if (project.hasParent() && !shouldExclude(project)) {
final String parentRef = generatePackageUrl(project.getParent().getArtifact());
Dependency parentDependency = dependencies.get(parentRef);
if (parentDependency != null) {
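Review bot: In the first hunk, excluding a non-deployed reactor module in `shouldExclude` removes not only the module but — if the aggregate's components are collected only from non-excluded projects, which this section does not show — also the third-party dependencies that only that module pulls in; when a deployed module shades or bundles such a module, the shipped bytes are no longer described by the aggregate BOM. Consider whether a non-deployed module that is itself a dependency of a deployed module should still contribute its dependency subtree, or state in the plugin documentation that dependencies reachable only through non-deployed modules are omitted. `shouldExclude` begins outside the hunk and this section's file header is not shown.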
6 changes: 6 additions & 0 deletions src/main/java/org/cyclonedx/maven/CycloneDxMojo.java
Expand Up @@ -94,6 +94,12 @@ protected ProjectDependencyAnalysis doProjectDependencyAnalysis(final MavenProje
return null;
}

@Override
protected boolean shouldSkip() {
// The list of artifacts would be empty
return super.shouldSkip() || !isDeployable(getProject());
}

protected String extractComponentsAndDependencies(final Set<String> topLevelComponents, final Map<String, Component> components, final Map<String, Dependency> dependencies) throws MojoExecutionException {
getLog().info(MESSAGE_RESOLVING_DEPS);

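Review bot: The comment `// The list of artifacts would be empty` in the new `shouldSkip` override does not describe why the mojo skips — the project still has artifacts; they are simply never deployed — and the skip surfaces only as the parent's generic "Skipping CycloneDX" line, so a BOM missing from a build cannot be attributed to the non-deployable rule from `build.log`. Log the reason explicitly in the override so SBOM coverage can be audited from the log, as below; the parent's `execute()` that prints the generic line is outside this hunk.
```java
@Override
protected boolean shouldSkip() {
    if (super.shouldSkip()) {
        return true;
    }
    // A BOM for an artifact that is never deployed describes nothing a consumer can obtain.
    if (!isDeployable(getProject())) {
        getLog().info("Skipping CycloneDX: project artifacts are not deployed");
        return true;
    }
    return false;
}
```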
