chore: add inspection utility of build script

project-ncl · Feb 14, 2025 · c8365b8 · c8365b8
1 parent 36436ea
commit c8365b8
Show file tree

Hide file tree

Showing 7 changed files with 413 additions and 7 deletions.
diff --git a/core/src/main/java/org/jboss/sbomer/core/features/sbom/enums/GeneratorType.java b/core/src/main/java/org/jboss/sbomer/core/features/sbom/enums/GeneratorType.java
@@ -28,8 +28,9 @@ public enum GeneratorType {
     @JsonProperty("maven-cyclonedx")
     MAVEN_CYCLONEDX, @JsonProperty("maven-domino")
     MAVEN_DOMINO, @JsonProperty("gradle-cyclonedx")
-    GRADLE_CYCLONEDX, @JsonProperty("nodejs-cyclonedx")
-    NODEJS_CYCLONEDX, @JsonProperty("cyclonedx-operation")
+    GRADLE_CYCLONEDX, @JsonProperty("npm-cyclonedx")
+    NPM_CYCLONEDX, @JsonProperty("yarn-cyclonedx")
+    YARN_CYCLONEDX, @JsonProperty("cyclonedx-operation")
     CYCLONEDX_OPERATION, @JsonProperty("image-syft")
     IMAGE_SYFT
 }
diff --git a/core/src/main/java/org/jboss/sbomer/core/features/sbom/utils/FileUtils.java b/core/src/main/java/org/jboss/sbomer/core/features/sbom/utils/FileUtils.java
@@ -18,15 +18,12 @@
 package org.jboss.sbomer.core.features.sbom.utils;
 
 import java.io.IOException;
-import java.nio.file.FileSystems;
 import java.nio.file.FileVisitResult;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.nio.file.PathMatcher;
 import java.nio.file.SimpleFileVisitor;
 import java.nio.file.attribute.BasicFileAttributes;
 import java.util.List;
-import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 import lombok.extern.slf4j.Slf4j;

diff --git a/.../java/org/jboss/sbomer/core/features/sbom/utils/commandline/CommandLineInspectorUtil.java b/.../java/org/jboss/sbomer/core/features/sbom/utils/commandline/CommandLineInspectorUtil.java
@@ -0,0 +1,58 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2023 Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.jboss.sbomer.core.features.sbom.utils.commandline;
+
+import java.util.regex.Pattern;
+
+public class CommandLineInspectorUtil {
+
+    /*
+     * Parses the build script to find the main build commands to understand the nature of the project. It's a best
+     * attempt because we don't have the source code here (would be best to search for e.g. build.gradle | pom.xml |
+     * package.json + yarn.lock | package.json + package-lock, build.sbt files)
+     */
+    private CommandLineInspectorUtil() {
+    }
+
+    private static final String MVN_BUILD_REGEXP = "\\s*.*(\\.?\\/)?mvn(w)?\\s+(\\s*.*)*(deploy)\\b\\s*.*";
+    private static final String GRADLE_BUILD_REGEXP = "\\s*.*(\\.?\\/)?gradle(w)?\\s+(\\s*.*)*(build|assemble|publish)\\b\\s*.*";
+    private static final String NPM_BUILD_REGEXP = "(\\s*.*npm\\s+(install|run|exec|build)\\s*.*)";
+    private static final String YARN_BUILD_REGEXP = "(\\s*.*yarn\\s+(install|run|exec|build)\\s*.*)";
+
+    private static final Pattern MVN_PATTERN = Pattern.compile(MVN_BUILD_REGEXP);
+    private static final Pattern GRADLE_PATTERN = Pattern.compile(GRADLE_BUILD_REGEXP);
+    private static final Pattern NPM_PATTERN = Pattern.compile(NPM_BUILD_REGEXP);
+    private static final Pattern YARN_PATTERN = Pattern.compile(YARN_BUILD_REGEXP);
+
+    public static boolean hasMavenEvidence(String buildScript) {
+        return MVN_PATTERN.matcher(buildScript.replace("\n", "")).matches();
+    }
+
+    public static boolean hasGradleEvidence(String buildScript) {
+        return GRADLE_PATTERN.matcher(buildScript.replace("\n", "")).matches();
+    }
+
+    public static boolean hasNpmEvidence(String buildScript) {
+        return NPM_PATTERN.matcher(buildScript.replace("\n", "")).matches();
+    }
+
+    public static boolean hasYarnEvidence(String buildScript) {
+        return YARN_PATTERN.matcher(buildScript.replace("\n", "")).matches();
+    }
+
+}
diff --git a/...ain/java/org/jboss/sbomer/core/features/sbom/utils/commandline/CommandLineParserUtil.java b/...ain/java/org/jboss/sbomer/core/features/sbom/utils/commandline/CommandLineParserUtil.java
@@ -61,6 +61,11 @@ public static String getLaunderedCommandScript(Build build) {
             if (versionOverride.isPresent()) {
                 buildCmdOptions += " -Pversion=" + versionOverride.get();
             }
+        } else if (org.jboss.pnc.enums.BuildType.NPM.equals(build.getBuildConfigRevision().getBuildType())) {
+            Optional<String> versionOverride = getVersionFromBuildAttributes(build);
+            if (versionOverride.isPresent()) {
+                buildCmdOptions += "npm version " + versionOverride.get();
+            }
         }
         return buildCmdOptions;
     }

diff --git a/core/src/main/resources/META-INF/sbomer-config.yaml b/core/src/main/resources/META-INF/sbomer-config.yaml
@@ -28,7 +28,7 @@ sbomer:
         default-version: "2.9.0"
         default-args: "--batch-mode -DschemaVersion=1.6"
       gradle-cyclonedx:
-        default-version: "1.9.0"
+        default-version: "1.10.0"
         default-args: "-info"
       npm-cyclonedx:
         default-version: "2.0.0"