fix: missing common transitive dependencies

Signed-off-by: Ruben Romero Montes <[email protected]>
RHEcosystemAppEng · Sep 1, 2023 · 374d0f8 · 374d0f8
1 parent 673de41
commit 374d0f8
Show file tree

Hide file tree

Showing 5 changed files with 258 additions and 24 deletions.
diff --git a/src/providers/java_maven.js b/src/providers/java_maven.js
@@ -72,36 +72,62 @@ function dotGraphToPurl(root) {
 	let name = parts[1]
 	let version = parts[3].replaceAll("\"","")
 	return new PackageURL('maven',group,name,version,undefined,undefined);
-
-
 }
 
 /**
  *
- * @param {String} dotGraphList Dot Graph tree String of the pom.xml manifest
+ * @param {String} dotGraphList Text graph String of the pom.xml manifest
  * @param {[String]} ignoredDeps List of ignored dependencies to be omitted from sbom
  * @return {String} formatted sbom Json String with all dependencies
  * @private
  */
-function createSbomFileFromDotGraphFormat(dotGraphList, ignoredDeps) {
+function createSbomFileFromTextFormat(dotGraphList, ignoredDeps) {
+	let lines = dotGraphList.split(EOL);
 	// get root component
-	let lines = dotGraphList.replaceAll(";","").split(EOL);
-	let root = lines[0].split("\"")[1];
+	let root = lines[0];
 	let rootPurl = dotGraphToPurl(root);
-	lines.splice(0,1);
-	let sbom = new Sbom()
-	sbom.addRoot(rootPurl)
-	lines.forEach(pair => {
-		if(pair.trim() !== "}") {
-			let thePair = pair.split("->")
-			if(thePair.length === 2) {
-				let from = dotGraphToPurl(thePair[0].trim())
-				let to = dotGraphToPurl(thePair[1].trim())
-				sbom.addDependency(sbom.purlToComponent(from), to)
-			}
-		}
-	})
-	return sbom.filterIgnoredDepsIncludingVersion(ignoredDeps).getAsJsonString()
+	let sbom = new Sbom();
+	sbom.addRoot(rootPurl);
+	calculateTree(root, 0, lines.slice(1), sbom);
+	console.log(sbom.getAsJsonString());
+	return sbom.filterIgnoredDepsIncludingVersion(ignoredDeps).getAsJsonString();
+}
+
+const DEP_REGEX = /([\-a-zA-Z0-9\.]+:[\-a-zA-Z0-9\.]+:[\-a-zA-Z0-9\.]+:[\-a-zA-Z0-9\.]+:[\-a-zA-Z0-9\.]+)/g;
+
+function calculateTree(src, srcDepth, lines, sbom) {
+    if(lines.length === 0) {
+        return
+    }
+    let index = 0;
+    let target = lines[index];
+    let targetDepth = getDepth(target);
+    while(targetDepth > srcDepth && index < lines.length) {
+        if(targetDepth == srcDepth + 1) {
+            let from = dotGraphToPurl(parseDep(src))
+			let to = dotGraphToPurl(parseDep(target))
+            sbom.addDependency(sbom.purlToComponent(from), to)
+        } else {
+            calculateTree(lines[index-1], getDepth(lines[index-1]), lines.slice(index), sbom)
+        }
+        target = lines[++index];
+        targetDepth = getDepth(target);
+    }
+}
+
+function getDepth(line) {
+    if(line === undefined) {
+        return -1;
+    }
+    return ((line.indexOf('-') - 1) / 3) + 1;
+}
+
+function parseDep(line) {
+	let match = line.match(DEP_REGEX);
+	if(match) {
+		return match[0];
+	}
+	return line;
 }
 
 /**
@@ -129,8 +155,8 @@ function createSbomStackAnalysis(manifest, opts = {}) {
 	// create dependency graph in a temp file
 	let tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'exhort_'))
 	let tmpDepTree = path.join(tmpDir, 'mvn_deptree.txt')
-	// build initial command
-	let depTreeCmd = `${mvn} -q dependency:tree -DoutputType=dot -DoutputFile=${tmpDepTree} -f ${manifest}`
+	// build initial command (dot outputType is not available for verbose mode)
+	let depTreeCmd = `${mvn} -q dependency:tree -Dverbose -DoutputType=text -DoutputFile=${tmpDepTree} -f ${manifest}`
 	// exclude ignored dependencies, exclude format is groupId:artifactId:scope:version.
 	// version and scope are marked as '*' if not specified (we do not use scope yet)
 	let ignoredDeps = new Array()
@@ -148,7 +174,7 @@ function createSbomStackAnalysis(manifest, opts = {}) {
 	})
 	// read dependency tree from temp file
 	let content= fs.readFileSync(`${tmpDepTree}`)
-	let sbom = createSbomFileFromDotGraphFormat(content.toString(),ignoredDeps);
+	let sbom = createSbomFileFromTextFormat(content.toString(),ignoredDeps);
 	// delete temp file and directory
 	fs.rmSync(tmpDir, {recursive: true, force: true})
 	// return dependency graph as string

diff --git a/test/providers/java_maven.test.js b/test/providers/java_maven.test.js
@@ -25,7 +25,8 @@ suite('testing the java-maven data provider', () => {
 		"pom_deps_with_ignore_on_wrong",
 		"pom_deps_with_no_ignore",
 		"poms_deps_with_ignore_long",
-		"poms_deps_with_no_ignore_long"
+		"poms_deps_with_no_ignore_long",
+		"poms_deps_with_no_ignore_common_paths"
 	].forEach(testCase => {
 		let scenario = testCase.replace('pom_deps_', '').replaceAll('_', ' ')
 		// test(`custom adhoc test`, async () => {

diff --git a/...anifests/maven/pom_deps_with_no_ignore_common_paths/component_analysis_expected_sbom.json b/...anifests/maven/pom_deps_with_no_ignore_common_paths/component_analysis_expected_sbom.json
@@ -0,0 +1,59 @@
+{
+	"bomFormat": "CycloneDX",
+	"specVersion": "1.4",
+	"version": 1,
+	"metadata": {
+		"timestamp": "2023-09-01T15:54:21.462Z",
+		"component": {
+			"group": "pom-with-deps-no-ignore",
+			"name": "pom-with-dependency-not-ignored-for-tests",
+			"version": "0.0.1",
+			"purl": "pkg:maven/pom-with-deps-no-ignore/[email protected]",
+			"type": "application",
+			"bom-ref": "pkg:maven/pom-with-deps-no-ignore/[email protected]"
+		}
+	},
+	"components": [
+		{
+			"group": "pom-with-deps-no-ignore",
+			"name": "pom-with-dependency-not-ignored-for-tests",
+			"version": "0.0.1",
+			"purl": "pkg:maven/pom-with-deps-no-ignore/[email protected]",
+			"type": "application",
+			"bom-ref": "pkg:maven/pom-with-deps-no-ignore/[email protected]"
+		},
+		{
+			"group": "com.fasterxml.jackson.core",
+			"name": "jackson-databind",
+			"version": "2.14.1",
+			"purl": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
+			"type": "library",
+			"bom-ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]"
+		},
+		{
+			"group": "org.infinispan.protostream",
+			"name": "protostream",
+			"version": "4.6.4.Final",
+			"purl": "pkg:maven/org.infinispan.protostream/[email protected]",
+			"type": "library",
+			"bom-ref": "pkg:maven/org.infinispan.protostream/[email protected]"
+		}
+	],
+	"dependencies": [
+		{
+			"ref": "pkg:maven/pom-with-deps-no-ignore/[email protected]",
+			"dependsOn": [
+				"pkg:maven/com.fasterxml.jackson.core/[email protected]",
+				"pkg:maven/org.infinispan.protostream/[email protected]"
+			]
+		},
+		{
+			"ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
+			"dependsOn": []
+		},
+		{
+			"ref": "pkg:maven/org.infinispan.protostream/[email protected]",
+			"dependsOn": []
+		}
+	]
+}
diff --git a/test/providers/tst_manifests/maven/pom_deps_with_no_ignore_common_paths/pom.xml b/test/providers/tst_manifests/maven/pom_deps_with_no_ignore_common_paths/pom.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>pom-with-deps-no-ignore</groupId>
+  <artifactId>pom-with-dependency-not-ignored-for-tests</artifactId>
+  <version>0.0.1</version>
+  <dependencies>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-databind</artifactId>
+      <version>2.14.1</version>
+    </dependency>
+    <dependency>
+      <groupId>org.infinispan.protostream</groupId>
+      <artifactId>protostream</artifactId>
+      <version>4.6.4.Final</version>
+    </dependency>
+  </dependencies>
+</project>
diff --git a/...st_manifests/maven/pom_deps_with_no_ignore_common_paths/stack_analysis_expected_sbom.json b/...st_manifests/maven/pom_deps_with_no_ignore_common_paths/stack_analysis_expected_sbom.json
@@ -0,0 +1,127 @@
+{
+	"bomFormat": "CycloneDX",
+	"specVersion": "1.4",
+	"version": 1,
+	"metadata": {
+		"timestamp": "2023-09-01T15:54:21.462Z",
+		"component": {
+			"group": "pom-with-deps-no-ignore",
+			"name": "pom-with-dependency-not-ignored-for-tests",
+			"version": "0.0.1",
+			"purl": "pkg:maven/pom-with-deps-no-ignore/[email protected]",
+			"type": "application",
+			"bom-ref": "pkg:maven/pom-with-deps-no-ignore/[email protected]"
+		}
+	},
+	"components": [
+		{
+			"group": "pom-with-deps-no-ignore",
+			"name": "pom-with-dependency-not-ignored-for-tests",
+			"version": "0.0.1",
+			"purl": "pkg:maven/pom-with-deps-no-ignore/[email protected]",
+			"type": "application",
+			"bom-ref": "pkg:maven/pom-with-deps-no-ignore/[email protected]"
+		},
+		{
+			"group": "com.fasterxml.jackson.core",
+			"name": "jackson-databind",
+			"version": "2.14.1",
+			"purl": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
+			"type": "library",
+			"bom-ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]"
+		},
+		{
+			"group": "com.fasterxml.jackson.core",
+			"name": "jackson-annotations",
+			"version": "2.14.1",
+			"purl": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
+			"type": "library",
+			"bom-ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]"
+		},
+		{
+			"group": "com.fasterxml.jackson.core",
+			"name": "jackson-core",
+			"version": "2.14.1",
+			"purl": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
+			"type": "library",
+			"bom-ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]"
+		},
+		{
+			"group": "org.infinispan.protostream",
+			"name": "protostream",
+			"version": "4.6.4.Final",
+			"purl": "pkg:maven/org.infinispan.protostream/[email protected]",
+			"type": "library",
+			"bom-ref": "pkg:maven/org.infinispan.protostream/[email protected]"
+		},
+		{
+			"group": "org.jboss.logging",
+			"name": "jboss-logging",
+			"version": "3.5.0.Final",
+			"purl": "pkg:maven/org.jboss.logging/[email protected]",
+			"type": "library",
+			"bom-ref": "pkg:maven/org.jboss.logging/[email protected]"
+		},
+		{
+			"group": "com.squareup",
+			"name": "protoparser",
+			"version": "4.0.3",
+			"purl": "pkg:maven/com.squareup/[email protected]",
+			"type": "library",
+			"bom-ref": "pkg:maven/com.squareup/[email protected]"
+		},
+		{
+			"group": "org.javassist",
+			"name": "javassist",
+			"version": "3.29.1-GA",
+			"purl": "pkg:maven/org.javassist/[email protected]",
+			"type": "library",
+			"bom-ref": "pkg:maven/org.javassist/[email protected]"
+		}
+	],
+	"dependencies": [
+		{
+			"ref": "pkg:maven/pom-with-deps-no-ignore/[email protected]",
+			"dependsOn": [
+				"pkg:maven/com.fasterxml.jackson.core/[email protected]",
+				"pkg:maven/org.infinispan.protostream/[email protected]"
+			]
+		},
+		{
+			"ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
+			"dependsOn": [
+				"pkg:maven/com.fasterxml.jackson.core/[email protected]",
+				"pkg:maven/com.fasterxml.jackson.core/[email protected]"
+			]
+		},
+		{
+			"ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
+			"dependsOn": []
+		},
+		{
+			"ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
+			"dependsOn": []
+		},
+		{
+			"ref": "pkg:maven/org.infinispan.protostream/[email protected]",
+			"dependsOn": [
+				"pkg:maven/org.jboss.logging/[email protected]",
+				"pkg:maven/com.squareup/[email protected]",
+				"pkg:maven/com.fasterxml.jackson.core/[email protected]",
+				"pkg:maven/org.javassist/[email protected]"
+			]
+		},
+		{
+			"ref": "pkg:maven/org.jboss.logging/[email protected]",
+			"dependsOn": []
+		},
+		{
+			"ref": "pkg:maven/com.squareup/[email protected]",
+			"dependsOn": []
+		},
+		{
+			"ref": "pkg:maven/org.javassist/[email protected]",
+			"dependsOn": []
+		}
+	]
+}