Merge pull request #14 from advanced-security/multi-module

Multi module support, maven wrapper support, improvements in matching and reporting the source file for the dependencies in the repository and dependency graph
advanced-security · Feb 22, 2023 · 72bdd87 · 72bdd87
2 parents 0b9cd8f + c419f57
commit 72bdd87
Show file tree

Hide file tree

Showing 41 changed files with 4,295 additions and 4,032 deletions.
diff --git a/.devcontainer/install_maven.sh b/.devcontainer/install_maven.sh
@@ -5,7 +5,7 @@ echo -x
 JDK_VERSION="18.0.2.1"
 JDK_INSTALLER="/tmp/openjdk.tar.gz"
 
-MVN_VERSION="3.8.6"
+MVN_VERSION="3.9.0"
 MVN_INSTALLER="/tmp/mvn.tar.gz"
 
 wget https://download.java.net/java/GA/jdk${JDK_VERSION}/db379da656dc47308e138f21b33976fa/1/GPL/openjdk-${JDK_VERSION}_linux-x64_bin.tar.gz -O ${JDK_INSTALLER}

diff --git a/.github/workflows/publish_executables.yml b/.github/workflows/publish_executables.yml
@@ -0,0 +1,24 @@
+name: Publish Executables
+
+on:
+  workflow_dispatch:
+  push:
+
+jobs:
+  publish:
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Build executables
+        run: |
+          npm run base-build
+          npm run build-exe
+
+      - name: Attach artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: executables
+          path: cli/*
diff --git a/.gitignore b/.gitignore
@@ -3,4 +3,5 @@ lib
 node_modules
 target
 
-runtime
+runtime
+cli
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -4,23 +4,5 @@
   // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
   "version": "0.2.0",
   "configurations": [
-<<<<<<< HEAD
-    {
-      "type": "node",
-      "request": "launch",
-      "name": "Launch Program",
-      "skipFiles": [
-        "<node_internals>/**"
-      ],
-      "program": "${workspaceFolder}/node_modules/.bin/mocha",
-      "args": [
-        "-r",
-        "ts-node/register",
-        "--colors",
-        "${workspaceFolder}/src/depgraph.test.ts"
-      ],
-    }
-=======
->>>>>>> 4b5ca60 (Initial commit)
   ]
 }
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -1,26 +1,4 @@
 {
-<<<<<<< HEAD
-    "debug.onTaskErrors": "showErrors",
-    "files.trimTrailingWhitespace": true,
-    "editor.tabSize": 2,
-    "editor.insertSpaces": true,
-    "editor.detectIndentation": false,
-    "[javascript]": {
-      "editor.tabSize": 2
-    },
-    "[json]": {
-      "editor.tabSize": 2
-    },
-    "[yaml]": {
-      "editor.tabSize": 2
-    },
-    "[html]": {
-      "editor.tabSize": 2
-    },
-    // GitHub Codespace Theme
-    "workbench.colorTheme": "GitHub Dark Dimmed"
-  }
-=======
   "debug.onTaskErrors": "showErrors",
   "files.trimTrailingWhitespace": true,
   "editor.tabSize": 2,
@@ -41,8 +19,6 @@
   // GitHub Codespace Theme
   "workbench.colorTheme": "GitHub Dark Dimmed",
   "jest.autoRun": {
-    "watch": false,
-    "onSave": "test-file"
+    "watch": false
   }
-}
->>>>>>> 4b5ca60 (Initial commit)
+}
diff --git a/README.md b/README.md
@@ -2,46 +2,58 @@
 
 This is a GitHub Action that will generate a complete dependency graph for a Maven project and submit the graph to the GitHub repository so that the graph is complete and includes all the transitive dependencies.
 
-The action will invoke maven using the `com.github.ferstl:depgraph-maven-plugin:4.0.1` plugin to generate JSON output of the complete dependency graph, which is then processed and submitted using the [Dependency Submission Toolkit](https://github.com/github/dependency-submission-toolkit) to the GitHub repository.
+The action will invoke maven using the `com.github.ferstl:depgraph-maven-plugin:4.0.2` plugin to generate JSON output of the complete dependency graph, which is then processed and submitted using the [Dependency Submission Toolkit](https://github.com/github/dependency-submission-toolkit) to the GitHub repository.
 
 > **Warning** The dependency submission APIs and toolkit are still currently in beta and as such subject to changes in future releases.
 
 
 ## Usage
 
+As of version `3.0.0` this action now support Maven multi-module projects as well as additional Maven configuration parameters.
+
+
 ### Pre-requisites
-For this action to work properly, you must have the Maven available on PATH (`mvn`) and configured to be able to access and pull your dependencies from whatever sources you have defined (i.e. a properly configured settings.xml or all details provided in the POM).
+For this action to work properly, you must have the Maven available on PATH (`mvn`) or using a `mvnw` Maven wrapper in your maven project directory. Maven will need to be configured to be able to access and pull your dependencies from whatever sources you have defined (i.e. a properly configured `settings.xml` or all details provided in the POM).
+
+Custom maven `settings.xml` can now be specified as an input parameter to the action.
+
 
 ### Inputs
 
 * `directory` - The directory that contains the `pom.xml` that will be used to generate the dependency graph from. Defaults to the `github.workspace` which is where the source will check out to by default when using `actions/checkout` .
 
 * `token` - The GitHub token that will be used to submit the generated dependency snapshot to the repository. Defaults to the `github.token` from the actions environment.
 
+* `settings-file` - An optional path to a Maven settings.xml file that you want to use to provide additional configuration to Maven.
+
+* `ingore-maven-wrapper` - An optional `true`/`false` flag parameter to ignore the Maven wrapper (if present) in the maven project directory and instead use the version of Maven from the `PATH`. This is set to `false` by default to use the wrapper if one is present.
+
+* `maven-args` - An optional string value (space separated) options to pass to the maven command line when generating the dependency snapshot. This is empty by default.
+
+* `snapshot-include-file-name`: Optional flag to control whether or no the path and file name of the pom.xml is provided with the snapshot submission. Defaults to `true` so as to create a link to the repository file from the dependency tree view, but at the cost of losing the POM `artifactId` when it renders.
+
+* `snapshot-dependency-file-name`: An optional user control file path to the POM file, requires `snapshot-include-file-name` to be `true` for the value to be submitted.
+
 
 ## Examples
 
 Generating and submitting a dependency snapshot using the defaults:
 
 ```
 - name: Submit Dependency Snapshot
-  uses: advanced-security/maven-dependency-submission-action@v1
+  uses: advanced-security/maven-dependency-submission-action@v3
 ```
 
 Upon success it will generate a snapshot captured from Maven POM like;
 ![Screenshot 2022-08-15 at 09 33 47](https://user-images.githubusercontent.com/681306/184603264-3cd69fda-75ff-4a46-b014-630acab60fab.png)
 
 
-## Limitations
-
-Currently the action is limited to single module Maven projects, with a future update that will add support for multi-module based projects.
-
 
 ## Command Line Usage
 
-There are experimental command line clients, Linux only for now that will provide the same functionality as the GitHub Action but can be embedded into your existing CI tooling and invoked from the commandline to upload a dpendency snapshot.
+There are experimental command line clients, Linux only for now that will provide the same functionality as the GitHub Action but can be embedded into your existing CI tooling and invoked from the commandline to upload a dependency snapshot.
 
-You can obtain the executables from the [cli](./cli) directory of the repository for now.
+You can obtain the executables from the latest actions workflow run https://github.com/advanced-security/maven-dependency-submission-action/actions/workflows/publish_executables.yml.
 
 ### Parameters
 

diff --git a/action.yml b/action.yml
@@ -11,6 +11,30 @@ inputs:
     type: string
     default: ${{ github.workspace }}
 
+  settings-file:
+    description: Optional path to a Maven settings.xml file for the dependencies to be resolved
+    type: string
+
+  ignore-maven-wrapper:
+    description: Flag for optionally ignoring any maven wrapper files (mvnw) and instead rely on the PATH provided mvn
+    type: boolean
+    default: false
+
+  maven-args:
+    description: Additional maven arguments to add to the command line invocation of maven when it generates the dependency snapshot
+    type: string
+    default: ''
+
+  snapshot-include-file-name:
+    description: Optionally include the file name in the dependency snapshot report to GitHub. This is required to be true if you want the results in the dependency tree to have a working link.
+    type: boolean
+    default: true
+
+  snapshot-dependency-file-name:
+    description: An optional override to specify the path to the file in the repository that the snapshot should be associated with.
+    type: string
+    required: false
+
   token:
     description: The GitHub token to use to submit the depedency snapshot to the repository
     type: string

diff --git a/cli/maven-dependency-submission-linux-x64 b/cli/maven-dependency-submission-linux-x64