feat: improved java maven property resolution (#2769)

Signed-off-by: Gijs Calis <51088038+GijsCalis@users.noreply.github.com> Signed-off-by: Keith Zantow <kzantow@gmail.com> Co-authored-by: Keith Zantow <kzantow@gmail.com>
anchore · Aug 5, 2024 · 9d40d11 · 9d40d11
1 parent cc15edc
commit 9d40d11
Show file tree

Hide file tree

Showing 34 changed files with 3,006 additions and 1,516 deletions.
diff --git a/cmd/syft/internal/options/catalog.go b/cmd/syft/internal/options/catalog.go
@@ -64,6 +64,7 @@ func DefaultCatalog() Catalog {
 		Package:       defaultPackageConfig(),
 		LinuxKernel:   defaultLinuxKernelConfig(),
 		Golang:        defaultGolangConfig(),
+		Java:          defaultJavaConfig(),
 		File:          defaultFileConfig(),
 		Relationships: defaultRelationshipsConfig(),
 		Source:        defaultSourceConfig(),
@@ -150,6 +151,8 @@ func (cfg Catalog) ToPackagesConfig() pkgcataloging.Config {
 			GuessUnpinnedRequirements: cfg.Python.GuessUnpinnedRequirements,
 		},
 		JavaArchive: java.DefaultArchiveCatalogerConfig().
+			WithUseMavenLocalRepository(cfg.Java.UseMavenLocalRepository).
+			WithMavenLocalRepositoryDir(cfg.Java.MavenLocalRepositoryDir).
 			WithUseNetwork(cfg.Java.UseNetwork).
 			WithMavenBaseURL(cfg.Java.MavenURL).
 			WithArchiveTraversal(archiveSearch, cfg.Java.MaxParentRecursiveDepth),

diff --git a/cmd/syft/internal/options/java.go b/cmd/syft/internal/options/java.go
@@ -1,24 +1,46 @@
 package options
 
-import "github.com/anchore/clio"
+import (
+	"github.com/anchore/clio"
+	"github.com/anchore/syft/syft/pkg/cataloger/java"
+)
 
 type javaConfig struct {
 	UseNetwork              bool   `yaml:"use-network" json:"use-network" mapstructure:"use-network"`
+	UseMavenLocalRepository bool   `yaml:"use-maven-local-repository" json:"use-maven-local-repository" mapstructure:"use-maven-local-repository"`
+	MavenLocalRepositoryDir string `yaml:"maven-local-repository-dir" json:"maven-local-repository-dir" mapstructure:"maven-local-repository-dir"`
 	MavenURL                string `yaml:"maven-url" json:"maven-url" mapstructure:"maven-url"`
 	MaxParentRecursiveDepth int    `yaml:"max-parent-recursive-depth" json:"max-parent-recursive-depth" mapstructure:"max-parent-recursive-depth"`
 }
 
+func defaultJavaConfig() javaConfig {
+	def := java.DefaultArchiveCatalogerConfig()
+
+	return javaConfig{
+		UseNetwork:              def.UseNetwork,
+		MaxParentRecursiveDepth: def.MaxParentRecursiveDepth,
+		UseMavenLocalRepository: def.UseMavenLocalRepository,
+		MavenLocalRepositoryDir: def.MavenLocalRepositoryDir,
+		MavenURL:                def.MavenBaseURL,
+	}
+}
+
 var _ interface {
 	clio.FieldDescriber
 } = (*javaConfig)(nil)
 
 func (o *javaConfig) DescribeFields(descriptions clio.FieldDescriptionSet) {
-	descriptions.Add(&o.UseNetwork, `enables Syft to use the network to fill in more detailed information about artifacts
-currently this enables searching maven-url for license data
-when running across pom.xml files that could have more information, syft will
-explicitly search maven for license information by querying the online pom when this is true
-this option is helpful for when the parent pom has more data,
-that is not accessible from within the final built artifact`)
+	descriptions.Add(&o.UseNetwork, `enables Syft to use the network to fetch version and license information for packages when
+a parent or imported pom file is not found in the local maven repository.
+the pom files are downloaded from the remote Maven repository at 'maven-url'`)
 	descriptions.Add(&o.MavenURL, `maven repository to use, defaults to Maven central`)
-	descriptions.Add(&o.MaxParentRecursiveDepth, `depth to recursively resolve parent POMs`)
+	descriptions.Add(&o.MaxParentRecursiveDepth, `depth to recursively resolve parent POMs, no limit if <= 0`)
+	descriptions.Add(&o.UseMavenLocalRepository, `use the local Maven repository to retrieve pom files. When Maven is installed and was previously used
+for building the software that is being scanned, then most pom files will be available in this
+repository on the local file system. this greatly speeds up scans. when all pom files are available
+in the local repository, then 'use-network' is not needed.
+TIP: If you want to download all required pom files to the local repository without running a full
+build, run 'mvn help:effective-pom' before performing the scan with syft.`)
+	descriptions.Add(&o.MavenLocalRepositoryDir, `override the default location of the local Maven repository. 
+the default is the subdirectory '.m2/repository' in your home directory`)
 }
diff --git a/syft/file/license.go b/syft/file/license.go
@@ -21,7 +21,7 @@ type LicenseEvidence struct {
 func NewLicense(value string) License {
 	spdxExpression, err := license.ParseExpression(value)
 	if err != nil {
-		log.Trace("unable to parse license expression: %s, %w", value, err)
+		log.WithFields("error", err, "value", value).Trace("unable to parse license expression")
 	}
 
 	return License{

diff --git a/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go b/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go
@@ -310,6 +310,11 @@ func TestFileParser(t *testing.T, fixturePath string, parser generic.Parser, exp
 	NewCatalogTester().FromFile(t, fixturePath).Expects(expectedPkgs, expectedRelationships).TestParser(t, parser)
 }
 
+func TestCataloger(t *testing.T, fixtureDir string, cataloger pkg.Cataloger, expectedPkgs []pkg.Package, expectedRelationships []artifact.Relationship) {
+	t.Helper()
+	NewCatalogTester().FromDirectory(t, fixtureDir).Expects(expectedPkgs, expectedRelationships).TestCataloger(t, cataloger)
+}
+
 func TestFileParserWithEnv(t *testing.T, fixturePath string, parser generic.Parser, env *generic.Environment, expectedPkgs []pkg.Package, expectedRelationships []artifact.Relationship) {
 	t.Helper()