Merge branch 'dev' into feat/deterministicCyclonedxJsonOutput

jfrog · Sep 9, 2024 · 5009db1 · 5009db1
2 parents 389f766 + fa329ae
commit 5009db1
Show file tree

Hide file tree

Showing 21 changed files with 247 additions and 311 deletions.
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
@@ -12,32 +12,24 @@ jobs:
     steps:
       - name: Checkout Source
         uses: actions/checkout@v4
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: 1.22.x
-          cache: false
-      - name: Static Code Analysis
-        uses: golangci/golangci-lint-action@v3
-        with:
-          args: |
-            --timeout 5m --out-${NO_FUTURE}format colored-line-number --enable errcheck,gosimple,govet,ineffassign,staticcheck,typecheck,unused,gocritic,asasalint,asciicheck,errchkjson,exportloopref,forcetypeassert,makezero,nilerr,unparam,unconvert,wastedassign,usestdlibvars 
-  
+
+      - name: Setup Go with cache
+        uses: jfrog/.github/actions/install-go-with-cache@main
+
+      - name: Run Go-Sec scanner
+        uses: jfrog/.github/actions/gosec-scanner@main
 
   Go-Sec:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Source
         uses: actions/checkout@v4
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: 1.22.x
-          cache: false
-      - name: Run Gosec Security Scanner
-        uses: securego/gosec@master
-        with:
-          args: -exclude G107,G204,G301,G302,G304,G306 -tests -exclude-dir \.*test\.* ./...
+
+      - name: Setup Go with cache
+        uses: jfrog/.github/actions/install-go-with-cache@main
+
+      - name: Run golangci lint
+        uses: jfrog/.github/actions/golangci-lint@main
 
   ShellCheck:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
@@ -10,26 +10,10 @@ jobs:
   CLAssistant:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions-ecosystem/action-regex-match@v2
-        id: sign-or-recheck
+      - name: Run CLA Check
+        uses: jfrog/.github/actions/cla@main
         with:
-          text: ${{ github.event.comment.body }}
-          regex: '\s*(I have read the CLA Document and I hereby sign the CLA)|(recheck)\s*'
-
-      - name: "CLA Assistant"
-        if: ${{ steps.sign-or-recheck.outputs.match != '' || github.event_name == 'pull_request_target' }}
-        # Alpha Release
-        uses: cla-assistant/[email protected]
-        env:
-          # Generated and maintained by GitHub
+          event_comment_body: ${{ github.event.comment.body }}
+          event_name: ${{ github.event_name }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # JFrog organization secret
-          PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_SIGN_TOKEN }}
-        with:
-          path-to-signatures: 'signed_clas.json'
-          path-to-document: 'https://jfrog.com/cla/'
-          remote-organization-name: 'jfrog'
-          remote-repository-name: 'jfrog-signed-clas'
-          # branch should not be protected
-          branch: 'master'
-          allowlist: bot*
+          CLA_SIGN_TOKEN: ${{ secrets.CLA_SIGN_TOKEN }}
diff --git a/.github/workflows/frogbot-scan-and-fix.yml b/.github/workflows/frogbot-scan-and-fix.yml
@@ -19,11 +19,8 @@ jobs:
         with:
           ref: ${{ matrix.branch }}
 
-      # Install prerequisites
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: 1.22.x
+      - name: Setup Go with cache
+        uses: jfrog/.github/actions/install-go-with-cache@main
 
       - uses: jfrog/frogbot@v2
         env:

diff --git a/.github/workflows/frogbot-scan-pr.yml b/.github/workflows/frogbot-scan-pr.yml
@@ -12,11 +12,8 @@ jobs:
     # "frogbot" GitHub environment can approve the pull request to be scanned.
     environment: frogbot
     steps:
-      # Install prerequisites
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: 1.22.x
+      - name: Setup Go with cache
+        uses: jfrog/.github/actions/install-go-with-cache@main
 
       - uses: jfrog/frogbot@v2
         env:

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -36,11 +36,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: 1.22.x
-
       - name: Setup Python3
         uses: actions/setup-python@v5
         with:
@@ -50,17 +45,13 @@ jobs:
         run: pip3 install pipenv
 
       - name: Setup Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node }}
           check-latest: true
 
-      - name: Go Cache
-        uses: actions/cache@v4
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-go-
+      - name: Setup Go with cache
+        uses: jfrog/.github/actions/install-go-with-cache@main
 
       - name: Lint
         run: go vet ./...

diff --git a/build/golang.go b/build/golang.go
@@ -3,12 +3,12 @@ package build
 import (
 	"errors"
 	"fmt"
+	"github.com/jfrog/build-info-go/entities"
+	"github.com/jfrog/build-info-go/utils"
+	"github.com/jfrog/gofrog/crypto"
 	"path/filepath"
 	"strings"
 	"unicode"
-
-	"github.com/jfrog/build-info-go/entities"
-	"github.com/jfrog/build-info-go/utils"
 )
 
 type GoModule struct {
@@ -164,12 +164,12 @@ func (gm *GoModule) getPackagePathIfExists(cachePath, encodedDependencyId string
 func populateZip(packageId, zipPath string) (zipDependency entities.Dependency, err error) {
 	// Zip file dependency for the build-info
 	zipDependency = entities.Dependency{Id: packageId}
-	checksums, err := utils.GetFileChecksums(zipPath)
+	checksums, err := crypto.GetFileChecksums(zipPath)
 	if err != nil {
 		return
 	}
 	zipDependency.Type = "zip"
-	zipDependency.Checksum = entities.Checksum{Sha1: checksums[utils.SHA1], Md5: checksums[utils.MD5], Sha256: checksums[utils.SHA256]}
+	zipDependency.Checksum = entities.Checksum{Sha1: checksums[crypto.SHA1], Md5: checksums[crypto.MD5], Sha256: checksums[crypto.SHA256]}
 	return
 }
 

diff --git a/build/gradle.go b/build/gradle.go
@@ -21,8 +21,8 @@ const (
 	gradleExtractorFileName           = "build-info-extractor-gradle-%s-uber.jar"
 	gradleInitScriptTemplate          = "gradle.init"
 	gradleExtractorRemotePath         = "org/jfrog/buildinfo/build-info-extractor-gradle/%s"
-	gradleExtractor4DependencyVersion = "4.33.13"
-	gradleExtractor5DependencyVersion = "5.2.0"
+	gradleExtractor4DependencyVersion = "4.33.22"
+	gradleExtractor5DependencyVersion = "5.2.5"
 	projectPropertiesFlag             = "-P"
 	systemPropertiesFlag              = "-D"
 )

diff --git a/build/maven.go b/build/maven.go
@@ -12,6 +12,7 @@ import (
 	"strings"
 
 	"github.com/jfrog/build-info-go/utils"
+	"golang.org/x/term"
 )
 
 const (
@@ -20,7 +21,7 @@ const (
 	classworldsConfFileName         = "classworlds.conf"
 	PropertiesTempFolderName        = "properties"
 	MavenExtractorRemotePath        = "org/jfrog/buildinfo/build-info-extractor-maven3/%s"
-	MavenExtractorDependencyVersion = "2.41.16"
+	MavenExtractorDependencyVersion = "2.41.23"
 
 	ClassworldsConf = `main is org.apache.maven.cli.MavenCli from plexus.core
 
@@ -43,6 +44,8 @@ type MavenModule struct {
 	extractorDetails *extractorDetails
 	// A pipe to write the maven extractor output to.
 	outputWriter io.Writer
+	// Path to the build info temp file that will be generated by the maven extractor.
+	buildInfoPath string
 }
 
 // Maven extractor is the engine for calculating the project dependencies.
@@ -111,6 +114,12 @@ func (mm *MavenModule) SetMavenOpts(mavenOpts ...string) {
 	mm.extractorDetails.mavenOpts = mavenOpts
 }
 
+// Returns the path to the build info generated by the maven extractor.
+// This file is a tempfile that can be consumed to generated a build info object.
+func (mm *MavenModule) GetGeneratedBuildInfoPath() string {
+	return mm.buildInfoPath
+}
+
 func (mm *MavenModule) createMvnRunConfig() (*mvnRunConfig, error) {
 	var javaExecPath string
 	mavenHome, err := mm.loadMavenHome()
@@ -133,11 +142,11 @@ func (mm *MavenModule) createMvnRunConfig() (*mvnRunConfig, error) {
 	if len(plexusClassworlds) != 1 {
 		return nil, errors.New("couldn't find plexus-classworlds-x.x.x.jar in Maven installation path, please check M2_HOME environment variable")
 	}
-	buildInfoPath, err := createEmptyBuildInfoFile(mm.containingBuild)
+	mm.buildInfoPath, err = createEmptyBuildInfoFile(mm.containingBuild)
 	if err != nil {
 		return nil, err
 	}
-	extractorProps, err := utils.CreateExtractorPropsFile(mm.extractorDetails.propsDir, buildInfoPath, mm.containingBuild.buildName, mm.containingBuild.buildNumber, mm.containingBuild.buildTimestamp, mm.containingBuild.projectKey, mm.extractorDetails.props)
+	extractorProps, err := utils.CreateExtractorPropsFile(mm.extractorDetails.propsDir, mm.buildInfoPath, mm.containingBuild.buildName, mm.containingBuild.buildNumber, mm.containingBuild.buildTimestamp, mm.containingBuild.projectKey, mm.extractorDetails.props)
 	if err != nil {
 		return nil, err
 	}
@@ -332,15 +341,41 @@ func (config *mvnRunConfig) SetOutputWriter(outputWriter io.Writer) *mvnRunConfi
 	return config
 }
 
-func (config *mvnRunConfig) runCmd() error {
+func (config *mvnRunConfig) runCmd() (err error) {
 	command := config.GetCmd()
-	command.Stderr = os.Stderr
+	errBuffer := bytes.NewBuffer([]byte{})
+	multiWriter := io.MultiWriter(os.Stderr, errBuffer)
+	command.Stderr = multiWriter
 	if config.outputWriter == nil {
 		command.Stdout = os.Stderr
 	} else {
 		command.Stdout = config.outputWriter
 	}
 	command.Dir = config.workspace
+	addColorToCmdOutput(command)
 	config.logger.Info("Running mvn command:", strings.Join(command.Args, " "))
-	return command.Run()
+
+	err = command.Run()
+	if err != nil {
+		if utils.IsForbiddenOutput(utils.Maven, errBuffer.String()) {
+			err = errors.Join(utils.NewForbiddenError(), err)
+		}
+	}
+	return
+}
+
+// To always have color in Maven's output, add "-Dstyle.color=always" to the command line arguments
+func addColorToCmdOutput(command *exec.Cmd) {
+	if term.IsTerminal(int(os.Stderr.Fd())) {
+		shouldAddColor := true
+		for _, arg := range command.Args {
+			if strings.Contains(arg, "-Dstyle.color") {
+				shouldAddColor = false
+				break
+			}
+		}
+		if shouldAddColor {
+			command.Args = append(command.Args, "-Dstyle.color=always")
+		}
+	}
 }
diff --git a/build/maven_test.go b/build/maven_test.go
@@ -8,7 +8,9 @@ import (
 	"github.com/jfrog/build-info-go/tests"
 	"github.com/jfrog/build-info-go/utils"
 	"os"
+	"os/exec"
 	"path/filepath"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -127,3 +129,54 @@ func TestGetExecutableName(t *testing.T) {
 		assert.Equal(t, result, mvnHome)
 	}
 }
+
+func TestAddColorToCmdOutput(t *testing.T) {
+	testCases := []struct {
+		name           string
+		initialArgs    []string
+		expectedResult string
+		colorArgExist  bool
+	}{
+		{
+			name:          "Not a terminal, shouldn't add color",
+			initialArgs:   []string{"mvn"},
+			colorArgExist: false,
+		},
+		{
+			name:           "Terminal supports color and existing color argument",
+			initialArgs:    []string{"mvn", "-Dstyle.color=always"},
+			expectedResult: "Dstyle.color=always",
+			colorArgExist:  true,
+		},
+		{
+			name:           "Terminal supports color and existing color argument",
+			initialArgs:    []string{"mvn", "-Dstyle.color=never"},
+			expectedResult: "Dstyle.color=never",
+			colorArgExist:  true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Mock terminal support
+
+			// Create a mock exec.Cmd object
+			cmd := exec.Command(tc.initialArgs[0], tc.initialArgs[1:]...)
+
+			// Call the function to test
+			addColorToCmdOutput(cmd)
+
+			// Check if the argument was added
+			containsColorArg := false
+			for _, arg := range cmd.Args {
+				if strings.Contains(arg, "Dstyle.color") {
+					if strings.Contains(arg, tc.expectedResult) {
+						containsColorArg = true
+						break
+					}
+				}
+			}
+			assert.Equal(t, tc.colorArgExist, containsColorArg)
+		})
+	}
+}
diff --git a/build/utils/dotnet/dependencies/assetsjson.go b/build/utils/dotnet/dependencies/assetsjson.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	buildinfo "github.com/jfrog/build-info-go/entities"
 	"github.com/jfrog/build-info-go/utils"
+	"github.com/jfrog/gofrog/crypto"
 	"os"
 	"path/filepath"
 	"strings"
@@ -111,7 +112,7 @@ func (assets *assets) getAllDependencies(log utils.Log) (map[string]*buildinfo.D
 			}
 			return nil, errors.New("The file " + nupkgFilePath + " doesn't exist in the NuGet cache directory.")
 		}
-		fileDetails, err := utils.GetFileDetails(nupkgFilePath, true)
+		fileDetails, err := crypto.GetFileDetails(nupkgFilePath, true)
 		if err != nil {
 			return nil, err
 		}