Add p2-aware model converter for CycloneDX SBOM generation
ptziegler committed Jan 7, 2024
1 parent 963075e commit bf4b343
Showing 17 changed files with 675 additions and 2 deletions.
3 changes: 2 additions & 1 deletion pom.xml
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
- Copyright (c) 2008, 2022 Sonatype Inc. and others.
- Copyright (c) 2008, 2024 Sonatype Inc. and others.
- All rights reserved. This program and the accompanying materials
- are made available under the terms of the Eclipse Public License v1.0
- which accompanies this distribution, and is available at
Expand Down Expand Up @@ -537,6 +537,7 @@
<module>tycho-ds-plugin</module>
<module>tycho-buildtimestamp-jgit</module>
<module>tycho-baseline-plugin</module>
<module>tycho-sbom</module>
<!-- surefire -->
<module>tycho-surefire</module>
<!-- release -->
8 changes: 7 additions & 1 deletion tycho-its/pom.xml
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
- Copyright (c) 2008, 2022 Sonatype Inc. and others.
- Copyright (c) 2008, 2024 Sonatype Inc. and others.
- All rights reserved. This program and the accompanying materials
- are made available under the terms of the Eclipse Public License v1.0
- which accompanies this distribution, and is available at
Expand Down Expand Up @@ -214,6 +214,12 @@
<version>3.1.0</version>
<scope>test</scope>
</dependency>
<!-- sbom tests -->
<dependency>
<groupId>org.cyclonedx</groupId>
<artifactId>cyclonedx-core-java</artifactId>
<version>8.0.3</version>
</dependency>

<!-- artifacts to be tested -->
<dependency>
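Review bot: The new cyclonedx-core-java dependency declares no `<scope>`, while the neighbouring dependency in the same block is `<scope>test</scope>`; if the parser is only used by the integration tests, as the `<!-- sbom tests -->` comment suggests, add `<scope>test</scope>` so it stays off the module's compile classpath and out of any consumer's transitive dependencies. The surrounding `<dependencies>` block starts and ends outside the hunk, so I could not check whether other entries follow the same convention.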
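--- a/tycho-its/projects/sbom/.mvn/extensions.xml
+++ b/tycho-its/projects/sbom/.mvn/extensions.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<extensions>
+<extension>
+<groupId>org.eclipse.tycho</groupId>
+<artifactId>tycho-build</artifactId>
+<version>${tycho-version}</version>
+</extension>
+</extensions>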
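--- a/tycho-its/projects/sbom/.mvn/maven.config
+++ b/tycho-its/projects/sbom/.mvn/maven.config
@@ -0,0 +1 @@
+-Dtycho-version=5.0.0-SNAPSHOT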
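--- a/tycho-its/projects/sbom/example.feature/build.properties
+++ b/tycho-its/projects/sbom/example.feature/build.properties
@@ -0,0 +1 @@
+bin.includes = feature.xml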
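--- a/tycho-its/projects/sbom/example.feature/feature.xml
+++ b/tycho-its/projects/sbom/example.feature/feature.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<feature
+id="example.feature"
+label="Feature with SBOM"
+version="1.0.0.20240107">
+
+<description url="http://www.example.com/description">
+[Enter Feature Description here.]
+</description>
+
+<copyright url="http://www.example.com/copyright">
+[Enter Copyright Description here.]
+</copyright>
+
+<license url="http://www.example.com/license">
+[Enter License Description here.]
+</license>
+
+<plugin
+id="example.plugin"
+version="0.0.0"/>
+
+</feature>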
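--- a/tycho-its/projects/sbom/example.plugin/META-INF/MANIFEST.MF
+++ b/tycho-its/projects/sbom/example.plugin/META-INF/MANIFEST.MF
@@ -0,0 +1,11 @@
+Manifest-Version: 1.0
+Bundle-ManifestVersion: 2
+Bundle-Name: Plugin with SBOM
+Bundle-SymbolicName: example.plugin
+Bundle-Version: 1.0.0.20240107
+Require-Bundle: org.eclipse.core.databinding;bundle-version="1.13.100",
+org.eclipse.core.databinding.beans;bundle-version="1.10.100",
+org.eclipse.core.databinding.observable;bundle-version="1.13.100",
+org.eclipse.core.databinding.property;bundle-version="1.10.100"
+Automatic-Module-Name: example.plugin
+Bundle-RequiredExecutionEnvironment: JavaSE-17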
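--- a/tycho-its/projects/sbom/example.plugin/build.properties
+++ b/tycho-its/projects/sbom/example.plugin/build.properties
@@ -0,0 +1,4 @@
+source.. = src/
+output.. = bin/
+bin.includes = META-INF/,\
+.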
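--- a/tycho-its/projects/sbom/pom.xml
+++ b/tycho-its/projects/sbom/pom.xml
@@ -0,0 +1,71 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+<modelVersion>4.0.0</modelVersion>
+<groupId>tycho-demo</groupId>
+<artifactId>sbom</artifactId>
+<version>1.0.0-SNAPSHOT</version>
+<packaging>pom</packaging>
+
+<properties>
+<tycho-version>5.0.0-SNAPSHOT</tycho-version>
+<tycho.sbom.url>https://www.example.p2.repo/</tycho.sbom.url>
+</properties>
+
+<modules>
+<module>example.feature</module>
+<module>example.plugin</module>
+<module>product</module>
+<module>repository</module>
+</modules>
+
+<build>
+<plugins>
+<plugin>
+<groupId>org.eclipse.tycho</groupId>
+<artifactId>tycho-maven-plugin</artifactId>
+<version>${tycho-version}</version>
+<extensions>true</extensions>
+</plugin>
+<plugin>
+<groupId>org.eclipse.tycho</groupId>
+<artifactId>target-platform-configuration</artifactId>
+<version>${tycho-version}</version>
+<configuration>
+<target>
+<file>../target-definition.target</file>
+</target>
+</configuration>
+</plugin>
+<plugin>
+<groupId>org.cyclonedx</groupId>
+<artifactId>cyclonedx-maven-plugin</artifactId>
+<version>2.7.9</version>
+<configuration>
+<includeTestScope>true</includeTestScope>
+</configuration>
+<executions>
+<execution>
+<goals>
+<goal>makeBom</goal>
+</goals>
+</execution>
+</executions>
+<dependencies>
+<dependency>
+<groupId>org.eclipse.tycho</groupId>
+<artifactId>tycho-sbom</artifactId>
+<version>${tycho-version}</version>
+</dependency>
+</dependencies>
+</plugin>
+</plugins>
+<pluginManagement>
+<plugins>
+<plugin>
+<groupId>org.eclipse.tycho</groupId>
+<artifactId>tycho-p2-director-plugin</artifactId>
+<version>${tycho-version}</version>
+</plugin>
+</plugins>
+</pluginManagement>
+</build>
+</project>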
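Review bot: The `tycho.sbom.url` property in `<properties>` is undocumented, yet the integration test added in this commit expects exactly this value as the `location` qualifier of the p2 purls for `example.plugin` and `example.feature`, so a reader of the fixture cannot tell why it is set or that changing it breaks the test. Add a comment above it such as `<!-- repository location recorded in the p2 purl of artifacts built by this reactor; SBOMCreationTest asserts on this exact value -->`. Presumably the property is read by the tycho-sbom converter registered under the cyclonedx-maven-plugin below, but I could not confirm the consumer from this page.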
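--- a/tycho-its/projects/sbom/product/example.product
+++ b/tycho-its/projects/sbom/product/example.product
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?pde version="3.5"?>
+
+<product uid="example" version="1.0.0.20240107" type="mixed" includeLaunchers="true" autoIncludeRequirements="false">
+
+<configIni use="default">
+</configIni>
+
+<launcherArgs>
+<vmArgsMac>-XstartOnFirstThread -Dorg.eclipse.swt.internal.carbon.smallFonts
+</vmArgsMac>
+</launcherArgs>
+
+<plugins>
+<plugin id="example.plugin"/>
+<plugin id="org.eclipse.core.databinding"/>
+<plugin id="org.eclipse.core.databinding.beans"/>
+<plugin id="org.eclipse.core.databinding.observable"/>
+<plugin id="org.eclipse.core.databinding.property"/>
+<plugin id="org.eclipse.equinox.common"/>
+<plugin id="org.eclipse.osgi"/>
+</plugins>
+
+<features>
+<feature id="example.feature" installMode="root"/>
+</features>
+
+
+</product>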
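--- a/tycho-its/projects/sbom/repository/category.xml
+++ b/tycho-its/projects/sbom/repository/category.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<site>
+<feature id="example.feature"/>
+<bundle id="example.plugin"/>
+</site>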
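--- a/tycho-its/projects/sbom/target-definition.target
+++ b/tycho-its/projects/sbom/target-definition.target
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<?pde version="3.8"?>
+<target name="target-definition">
+<locations>
+<location includeAllPlatforms="false" includeConfigurePhase="true" includeMode="planner" includeSource="true" type="InstallableUnit">
+<repository location="https://download.eclipse.org/releases/2023-12/"/>
+<unit id="org.eclipse.sdk.feature.group" version="0.0.0"/>
+<unit id="org.eclipse.equinox.sdk.feature.group" version="0.0.0"/>
+</location>
+</locations>
+</target>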
@@ -0,0 +1,159 @@
/*******************************************************************************
* Copyright (c) 2024 Patrick Ziegler and others.
* This program and the accompanying materials
* are made available under the terms of the Eclipse Public License 2.0
* which accompanies this distribution, and is available at
* https://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*
* Contributors:
* Patrick Ziegler - initial API and implementation
*******************************************************************************/
package org.eclipse.tycho.test.reactor;

import static org.junit.Assert.fail;
import static org.junit.jupiter.api.Assertions.assertEquals;

import java.io.File;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.function.Predicate;

import org.apache.maven.it.Verifier;
import org.cyclonedx.exception.ParseException;
import org.cyclonedx.model.Bom;
import org.cyclonedx.model.Dependency;
import org.cyclonedx.parsers.Parser;
import org.cyclonedx.parsers.XmlParser;
import org.eclipse.tycho.test.AbstractTychoIntegrationTest;
import org.junit.Before;
import org.junit.Test;

public class SBOMCreationTest extends AbstractTychoIntegrationTest {

private Verifier verifier;

@Before
public void setUp() throws Exception {
verifier = getVerifier("sbom", false);
}

@Test
public void testBuildVerify() throws Exception {
verifier.executeGoal("verify");
verifyErrorFreeLog(verifier);
verifyBundle("example.plugin");
verifyFeature("example.feature");
verifyRepository("repository");
verifyProduct("product");
}

private void verifyBundle(String projectName) throws Exception {
String bomPath = getBomPath(projectName);
verifier.verifyFilePresent(bomPath);

Bom bom = getBom(bomPath);
List<Dependency> dependencies = bom.getDependencies();
assertPluginDependencies(dependencies);
assertEquals(dependencies.size(), 7);
}

private void verifyFeature(String projectName) throws Exception {
String bomPath = getBomPath(projectName);
verifier.verifyFilePresent(bomPath);

Bom bom = getBom(bomPath);
List<Dependency> dependencies = bom.getDependencies();
assertDependency(dependencies,
"pkg:p2/[email protected]?classifier=org.eclipse.update.feature&location=https://www.example.p2.repo/");
assertDependency(dependencies,
"pkg:p2/[email protected]?classifier=osgi.bundle&location=https://www.example.p2.repo/");
assertPluginDependencies(dependencies);
assertEquals(dependencies.size(), 8);
}

private void verifyRepository(String projectName) throws Exception {
String bomPath = getBomPath(projectName);
verifier.verifyFilePresent(bomPath);

Bom bom = getBom(bomPath);
List<Dependency> dependencies = bom.getDependencies();
assertDependency(dependencies,
"pkg:maven/tycho-demo/[email protected]?type=eclipse-repository");
assertDependency(dependencies,
"pkg:p2/[email protected]?classifier=org.eclipse.update.feature&location=https://www.example.p2.repo/");
assertDependency(dependencies,
"pkg:p2/[email protected]?classifier=osgi.bundle&location=https://www.example.p2.repo/");
assertPluginDependencies(dependencies);
assertEquals(dependencies.size(), 9);

}

private void verifyProduct(String projectName) throws Exception {
String bomPath = getBomPath(projectName);
verifier.verifyFilePresent(bomPath);

Bom bom = getBom(bomPath);
List<Dependency> dependencies = bom.getDependencies();
assertDependency(dependencies, //
"pkg:maven/tycho-demo/[email protected]?type=eclipse-repository");
assertDependency(dependencies,
"pkg:p2/[email protected]?classifier=org.eclipse.update.feature&location=https://www.example.p2.repo/");
assertDependency(dependencies,
"pkg:p2/[email protected]?classifier=osgi.bundle&location=https://www.example.p2.repo/");
assertDependency(dependencies,
"pkg:p2/[email protected]?classifier=osgi.bundle&location=https://download.eclipse.org/releases/2023-12/");
assertDependency(dependencies,
"pkg:p2/org.eclipse.equinox.launcher.gtk.linux.x86_64@1.2.800.v20231003-1442?classifier=osgi.bundle&location=https://download.eclipse.org/releases/2023-12/");
assertDependency(dependencies,
"pkg:p2/[email protected]?classifier=org.eclipse.update.feature&location=https://download.eclipse.org/releases/2023-12/");
assertDependency(dependencies,
"pkg:maven/p2.p2.installable.unit/org.eclipse.equinox.executable_root.gtk.linux.x86_64@3.8.2300.v20231106-1826?type=p2-installable-unit");
assertPluginDependencies(dependencies);
assertEquals(dependencies.size(), 13);
}

/**
* Tycho dependencies are flat. Therefore all artifacts depending on the test
* plugin also depend on its required bundles.
*
* @param dependencies A list of all BOM dependencies of the current artifact.
*/
private void assertPluginDependencies(List<Dependency> dependencies) {
// Tycho dependencies are flat
assertDependency(dependencies,
"pkg:p2/[email protected]?classifier=osgi.bundle&location=https://download.eclipse.org/releases/2023-12/");
assertDependency(dependencies,
"pkg:p2/[email protected]?classifier=osgi.bundle&location=https://download.eclipse.org/releases/2023-12/");
assertDependency(dependencies,
"pkg:p2/[email protected]?classifier=osgi.bundle&location=https://download.eclipse.org/releases/2023-12/");
assertDependency(dependencies,
"pkg:p2/[email protected]?classifier=osgi.bundle&location=https://download.eclipse.org/releases/2023-12/");
assertDependency(dependencies,
"pkg:p2/[email protected]?classifier=osgi.bundle&location=https://download.eclipse.org/releases/2023-12/");
assertDependency(dependencies,
"pkg:p2/[email protected]?classifier=osgi.bundle&location=https://download.eclipse.org/releases/2023-12/");
assertDependency(dependencies,
"pkg:p2/[email protected]?classifier=osgi.bundle&location=https://download.eclipse.org/releases/2023-12/");
}

private void assertDependency(List<Dependency> dependencies, String ref) {
Predicate<Dependency> matcher = dependency -> URLDecoder.decode(dependency.getRef(), StandardCharsets.UTF_8)
.equals(ref);
if (dependencies.stream().noneMatch(matcher)) {
fail("No dependency found matching: " + ref);
}
}

private String getBomPath(String projectName) {
return projectName + "/target/bom.xml";
}

private Bom getBom(String bomPath) throws ParseException {
Parser parser = new XmlParser();
File bom = new File(verifier.getBasedir(), bomPath);
return parser.parse(bom);
}
}
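Review bot: The size checks in verifyBundle, verifyFeature, verifyRepository and verifyProduct pass the arguments in the wrong order, `assertEquals(dependencies.size(), 7)`, so a failure reports the actual count as the expected one; write `assertEquals(7, dependencies.size());` and likewise for 8, 9 and 13. The class also mixes frameworks: `assertEquals` is imported from `org.junit.jupiter.api.Assertions` while `fail`, `@Before` and `@Test` are JUnit 4, so replace the import with `import static org.junit.Assert.assertEquals;` to keep the test on one API. verifyProduct additionally asserts the `gtk.linux.x86_64` launcher and executable purls, which presumably only hold when the product is built for that environment; a comment stating that the fixture is expected to run on Linux x86_64, or an explicit `<environments>` block in the fixture pom, would make that assumption visible. The failure message in assertDependency prints only the missing ref; including the decoded refs that were present would make a mismatch in the generated purl format much faster to diagnose.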
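--- a/tycho-sbom/.settings/org.eclipse.jdt.core.prefs
+++ b/tycho-sbom/.settings/org.eclipse.jdt.core.prefs
@@ -0,0 +1,8 @@
+eclipse.preferences.version=1
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=17
+org.eclipse.jdt.core.compiler.compliance=17
+org.eclipse.jdt.core.compiler.problem.enablePreviewFeatures=disabled
+org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning
+org.eclipse.jdt.core.compiler.problem.reportPreviewFeatures=ignore
+org.eclipse.jdt.core.compiler.release=disabled
+org.eclipse.jdt.core.compiler.source=17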