From e4bfb52bdb216c6d9960dfb721be9a53213db7b3 Mon Sep 17 00:00:00 2001 From: Nick Cross Date: Fri, 25 Oct 2024 16:04:27 +0100 Subject: [PATCH] JBS-38 Remove sbom/cyclonedx --- .../build-request-processor/pom.xml | 5 +- .../analyser/dependencies/AnalyserBase.java | 37 ----- .../analyser/dependencies/SBomGenerator.java | 150 ------------------ .../analyser/sbom/SBomMergeTestCase.java | 54 ------- java-components/pom.xml | 6 - 5 files changed, 1 insertion(+), 251 deletions(-) delete mode 100644 java-components/build-request-processor/src/main/java/com/redhat/hacbs/container/analyser/dependencies/SBomGenerator.java delete mode 100644 java-components/build-request-processor/src/test/java/com/redhat/hacbs/container/analyser/sbom/SBomMergeTestCase.java diff --git a/java-components/build-request-processor/pom.xml b/java-components/build-request-processor/pom.xml index 735345708..9d4764f02 100644 --- a/java-components/build-request-processor/pom.xml +++ b/java-components/build-request-processor/pom.xml @@ -59,10 +59,6 @@ com.google.cloud.tools jib-core - - org.cyclonedx - cyclonedx-core-java - org.ow2.asm asm-tree @@ -71,6 +67,7 @@ org.gradle gradle-tooling-api + test org.apache.maven.indexer diff --git a/java-components/build-request-processor/src/main/java/com/redhat/hacbs/container/analyser/dependencies/AnalyserBase.java b/java-components/build-request-processor/src/main/java/com/redhat/hacbs/container/analyser/dependencies/AnalyserBase.java index 173acf81d..2bc7e8dc0 100644 --- a/java-components/build-request-processor/src/main/java/com/redhat/hacbs/container/analyser/dependencies/AnalyserBase.java +++ b/java-components/build-request-processor/src/main/java/com/redhat/hacbs/container/analyser/dependencies/AnalyserBase.java @@ -2,7 +2,6 @@ import java.io.IOException; import java.io.InputStream; -import java.nio.charset.StandardCharsets; import java.nio.file.FileVisitResult; import java.nio.file.Files; import java.nio.file.Path; 
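Review bot: The second hunk of build-request-processor/pom.xml also moves `gradle-tooling-api` to `<scope>test</scope>`, which the subject "Remove sbom/cyclonedx" does not cover; that is only safe if no main-source class in the module still references the Gradle tooling API, and nothing in this patch shows that, so it rests on the module compiling in CI. Call the scope change out in the commit message or split it into its own commit. The message also does not say whether SBOM generation moves elsewhere after this removal; the CycloneDX file was a supply-chain artifact consumed downstream, so a one-line pointer to its replacement, or a note that none is intended, would help whoever later looks for it.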
@@ -11,18 +10,11 @@ import java.util.Map; import java.util.Set; -import jakarta.enterprise.inject.Instance; import jakarta.inject.Inject; -import org.cyclonedx.CycloneDxSchema; -import org.cyclonedx.generators.BomGeneratorFactory; -import org.cyclonedx.generators.json.BomJsonGenerator; -import org.cyclonedx.model.Bom; - import com.fasterxml.jackson.databind.ObjectMapper; import com.redhat.hacbs.classfile.tracker.ClassFileTracker; import com.redhat.hacbs.classfile.tracker.TrackingData; -import com.redhat.hacbs.container.results.ResultsUpdater; import io.quarkus.logging.Log; import picocli.CommandLine; @@ -40,9 +32,6 @@ public abstract class AnalyserBase implements Runnable { @Inject RebuildService rebuild; - @CommandLine.Option(names = "-s") - Path sbom; - @CommandLine.Option(names = "-c") Path dependenciesCount; @@ -52,9 +41,6 @@ public abstract class AnalyserBase implements Runnable { @CommandLine.Option(names = "--publishers") Path publishers; - @Inject - Instance resultsUpdater; - protected String imageDigest = ""; @Override @@ -65,7 +51,6 @@ public void run() { doAnalysis(gavs, trackingData); rebuild.rebuild(taskRunName, gavs); writeResults(gavs, trackingData); - writeSbom(trackingData); } catch (Exception e) { throw new RuntimeException(e); } 
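Review bot: Dropping the `@CommandLine.Option(names = "-s")` field in the third hunk changes the command-line contract of every analyser built on AnalyserBase: picocli rejects unrecognised options by default, so a task or script that still passes `-s <path>` will fail at startup instead of silently ignoring it. Nothing in this patch updates the invoking side, so confirm the task definitions were changed alongside, or keep a no-op `-s` option marked `hidden = true` for one release with a comment such as `// ignored: SBOM output removed in JBS-38`. The removal of `writeSbom` in the following hunk also assumes no subclass overrides or calls it; the rest of the abstract class is outside these hunks.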
@@ -73,28 +58,6 @@ public void run() { abstract void doAnalysis(Set gavs, Set trackingData) throws Exception; - void writeSbom(Set trackingData) throws IOException { - Bom bom; - InputStream existing = null; - try { - if (Files.exists(sbom)) { - existing = Files.newInputStream(sbom); - } - bom = SBomGenerator.generateSBom(trackingData, existing); - } finally { - if (existing != null) { - existing.close(); - } - } - - BomJsonGenerator generator = BomGeneratorFactory.createJson(CycloneDxSchema.VERSION_LATEST, bom); - String sbom = generator.toJsonString(); - Log.infof("Generated SBOM:\n%s", sbom); - if (this.sbom != null) { - Files.writeString(this.sbom, sbom, StandardCharsets.UTF_8); - } - } - void writeResults(Set gavs, Set trackingData) throws IOException { if (dependenciesCount != null) { Files.writeString(dependenciesCount, trackingData.size() + ""); diff --git a/java-components/build-request-processor/src/main/java/com/redhat/hacbs/container/analyser/dependencies/SBomGenerator.java b/java-components/build-request-processor/src/main/java/com/redhat/hacbs/container/analyser/dependencies/SBomGenerator.java deleted file mode 100644 index 4404ad6d2..000000000 --- a/java-components/build-request-processor/src/main/java/com/redhat/hacbs/container/analyser/dependencies/SBomGenerator.java +++ /dev/null 
@@ -1,150 +0,0 @@
-package com.redhat.hacbs.container.analyser.dependencies;
-
-import java.io.InputStream;
-import java.nio.charset.StandardCharsets;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Objects;
-import java.util.Set;
-
-import org.apache.commons.lang3.StringUtils;
-import org.cyclonedx.exception.ParseException;
-import org.cyclonedx.model.Bom;
-import org.cyclonedx.model.Component;
-import org.cyclonedx.model.Property;
-import org.cyclonedx.parsers.BomParserFactory;
-
-import com.redhat.hacbs.classfile.tracker.TrackingData;
-
-public class SBomGenerator {
-
-public static Bom generateSBom(Set trackingData, InputStream existing) {
-//now build a cyclone DX bom file
-final Bom bom;
-Map existingIds = new HashMap<>();
-
-//we may need to merge this into an existing bom
-if (existing != null) {
-try {
-bom = BomParserFactory.createParser("{".getBytes(StandardCharsets.UTF_8)).parse(existing);
-} catch (ParseException e) {
-throw new RuntimeException(e);
-}
-
-//now lets clean up some of the syft duplication
-//syft can sometime generate double ups of artifacts
-//basically the same thing, but one with name 'com.foo.bar' and no group-id, and one with name 'bar'
-//and group 'com.foo'
-//we just want the later form, if they are both there we remove the problematic one
-for (var it = bom.getComponents().iterator(); it.hasNext();) {
-var i = it.next();
-Identifier identifier = new Identifier(i.getName(), i.getGroup(), i.getVersion());
-if (existingIds.containsKey(identifier)) {
-it.remove();
-} else {
-existingIds.put(identifier, i);
-}
-}
-for (var it = bom.getComponents().iterator(); it.hasNext();) {
-var i = it.next();
-if (i.getPurl() != null && i.getPurl().startsWith("pkg:maven")) {
-if (i.getGroup() == null && i.getName().contains(".")) {
-int lastDot = i.getName().lastIndexOf('.');
-String name = i.getName().substring(lastDot + 1);
-String group = i.getName().substring(0, lastDot);
-Identifier key = new Identifier(name, group, i.getVersion());
-if (existingIds.containsKey(key)) {
-//this is a duplicate, remove it
-it.remove();
-existingIds.remove(new Identifier(i.getName(), i.getGroup(), i.getVersion()));
-}
-}
-}
-}
-
-} else {
-bom = new Bom();
-bom.setComponents(new ArrayList<>());
-}
-
-for (var i : trackingData) {
-var split = i.gav.split(":");
-String group = split[0];
-String name = split[1];
-String version = split[2];
-
-Component component = existingIds.get(new Identifier(name, group, version));
-List properties = new ArrayList<>();
-Map attributes = i.getAttributes();
-if (component == null) {
-component = new Component();
-bom.getComponents().add(component);
-component.setType(Component.Type.LIBRARY);
-component.setGroup(group);
-component.setName(name);
-component.setVersion(version);
-String purl = String.format("pkg:maven/%s/%s@%s", group, name, version);
-String classifier = attributes.get("classifier");
-if (StringUtils.isNotBlank(classifier)) {
-purl += String.format("?classifier=%s", classifier);
-}
-component.setPurl(purl);
-} else if (component.getProperties() != null) {
-properties.addAll(component.getProperties());
-}
-component.setPublisher(i.source);
-for (var e : i.getAttributes().entrySet()) {
-if (!e.getKey().equals("classifier")) {
-Property property = new Property();
-property.setName("java:" + e.getKey());
-property.setValue(e.getValue());
-properties.add(property);
-}
-}
-
-Property packageTypeProperty = new Property();
-packageTypeProperty.setName("package:type");
-packageTypeProperty.setValue("maven");
-properties.add(packageTypeProperty);
-
-Property packageLanguageProperty = new Property();
-packageLanguageProperty.setName("package:language");
-packageLanguageProperty.setValue("java");
-properties.add(packageLanguageProperty);
-component.setProperties(properties);
-
-}
-return bom;
-}
-
-static class Identifier {
-final String name;
-final String groupId;
-
-final String version;
-
-Identifier(String name, String groupId, String version) {
-this.name = name;
-this.groupId = groupId;
-this.version = version;
-}
-
-@Override
-public boolean equals(Object o) {
-if (this == o)
-return true;
-if (o == null || getClass() != o.getClass())
-return false;
-Identifier that = (Identifier) o;
-return Objects.equals(name, that.name) && Objects.equals(groupId, that.groupId)
-&& Objects.equals(version, that.version);
-}
-
-@Override
-public int hashCode() {
-return Objects.hash(name, groupId, version);
-}
-}
-}
diff --git a/java-components/build-request-processor/src/test/java/com/redhat/hacbs/container/analyser/sbom/SBomMergeTestCase.java b/java-components/build-request-processor/src/test/java/com/redhat/hacbs/container/analyser/sbom/SBomMergeTestCase.java
deleted file mode 100644
index 76d41f617..000000000
--- a/java-components/build-request-processor/src/test/java/com/redhat/hacbs/container/analyser/sbom/SBomMergeTestCase.java
+++ /dev/null
@@ -1,54 +0,0 @@
-package com.redhat.hacbs.container.analyser.sbom;
-
-import java.util.Map;
-import java.util.Set;
-
-import org.cyclonedx.model.Component;
-import org.junit.jupiter.api.Assertions;
-import org.junit.jupiter.api.Test;
-
-import com.redhat.hacbs.classfile.tracker.TrackingData;
-import com.redhat.hacbs.container.analyser.dependencies.SBomGenerator;
-
-public class SBomMergeTestCase {
-
-@Test
-public void testRemoveDuplicate() {
-var sbom = SBomGenerator.generateSBom(Set.of(), getClass().getClassLoader().getResourceAsStream("syft-sbom.json"));
-for (var c : sbom.getComponents()) {
-//make sure the duplicate was removed
-Assertions.assertNotEquals("commons-digester.commons-digester", c.getName());
-System.out.println(c.getName());
-}
-//make sure that the duplicate is removed from the file
-Assertions.assertEquals(4, sbom.getComponents().size());
-}
-
-@Test
-public void testSbomMerge() {
-var sbom = SBomGenerator.generateSBom(
-Set.of(
-new TrackingData("commons-digester:commons-digester:2.1", "rebuilt", Map.of()),
-new TrackingData("com.test:test:1.0", "central", Map.of("classifier", "foo"))),
-getClass().getClassLoader().getResourceAsStream("syft-sbom.json"));
-Component test = null;
-Component digester = null;
-for (var c : sbom.getComponents()) {
-if (c.getName().equals("commons-digester")) {
-digester = c;
-} else if (c.getName().equals("test")) {
-test = c;
-}
-//make sure the duplicate was removed
-Assertions.assertNotEquals("commons-digester.commons-digester", c.getName());
-System.out.println(c.getName());
-}
-Assertions.assertEquals(5, sbom.getComponents().size());
-Assertions.assertNotNull(digester);
-Assertions.assertNotNull(test);
-Assertions.assertEquals("rebuilt", digester.getPublisher());
-Assertions.assertNotNull(digester.getBomRef());
-Assertions.assertEquals("central", test.getPublisher());
-Assertions.assertEquals("pkg:maven/com.test/test@1.0?classifier=foo", test.getPurl());
-}
-}
diff --git a/java-components/pom.xml b/java-components/pom.xml index 7d34bdd5a..be9e9a8f9 100644 --- a/java-components/pom.xml +++ b/java-components/pom.xml @@ -57,7 +57,6 @@ 9.7.1 3.26.3 - 9.0.4 8.10.2 7.1.5 1.9.22 @@ -185,11 +184,6 @@ 0.0.4 - - org.cyclonedx - cyclonedx-core-java - ${cyclonedx-core-java.version} - org.apache.maven.release maven-release-manager