fix: fix README.md, rename to IGNORE_PATTERN and update IgnorePatternDetector

soul2zimate · soul2zimate · commit 24e801ae4638 · 2025-11-17T08:18:45.000+08:00
diff --git a/README.md b/README.md
@@ -177,7 +177,10 @@ public class TrustifyExample {
 
 <h3>Excluding Packages</h3>
 <p>
-Excluding a package from any analysis can be achieved by marking the package for exclusion using either the <code>trustify-da-ignore</code> syntax or the legacy <code>exhortignore</code>.
+Excluding a package from any analysis can be achieved by marking the package for exclusion using either the <code>trustify-da-ignore</code> syntax.
+
+Although both `trustify-da-ignore` and `exhortignore` patterns work identically and can be used interchangeably. The `trustify-da-ignore` syntax is recommended for new projects, while `exhortignore` continues to be supported for backwards compatibility. You can gradually migrate your projects or use both patterns in the same manifest.
+
 </p>
 
 <ul>
@@ -220,19 +223,14 @@ Excluding a package from any analysis can be achieved by marking the package for
     "mongoose": "^5.9.18"
   },
   "trustify-da-ignore": [
-    "mongoose"
-  ],
-  "exhortignore": [
     "jsonwebtoken"
   ]
 }
 ```
-
-Both arrays can coexist in the same package.json file.
 </li>
 
 <li>
-<em>Golang</em> users can add comments in <em>go.mod</em>:
+<em>Golang</em> users can add in go.mod a comment with //trustify-da-ignore next to the package to be ignored, or to "piggyback" on existing comment ( e.g - //indirect) , for example:
 
 ```go
 module github.com/RHEcosystemAppEng/SaaSi/deployer
@@ -242,31 +240,31 @@ go 1.19
 require (
         github.com/gin-gonic/gin v1.9.1
         github.com/google/uuid v1.1.2
-        github.com/jessevdk/go-flags v1.5.0 //exhortignore
-        github.com/kr/pretty v0.3.1 //trustify-da-ignore
+        github.com/jessevdk/go-flags v1.5.0 //trustify-da-ignore
+        github.com/kr/pretty v0.3.1
         gopkg.in/yaml.v2 v2.4.0
         k8s.io/apimachinery v0.26.1
         k8s.io/client-go v0.26.1
 )
 
 require (
-        github.com/davecgh/go-spew v1.1.1 // indirect exhortignore
+        github.com/davecgh/go-spew v1.1.1 // indirect trustify-da-ignore
         github.com/emicklei/go-restful/v3 v3.9.0 // indirect
         github.com/go-logr/logr v1.2.3 // indirect trustify-da-ignore
 )
 ```
 </li>
 
 <li>
-<em>Python pip</em> users can add comments in <em>requirements.txt</em>:
+<em>Python pip</em> users can add in requirement text a comment with #trustify-da-ignore(or # trustify-da-ignore) to the right of the same artifact to be ignored, for example:
 
 ```properties
 anyio==3.6.2
 asgiref==3.4.1
 beautifulsoup4==4.12.2
 certifi==2023.7.22
 chardet==4.0.0
-click==8.0.4 #exhortignore
+click==8.0.4 #trustify-da-ignore
 contextlib2==21.6.0
 fastapi==0.75.1
 Flask==2.0.3
@@ -292,7 +290,8 @@ zipp==3.6.0
 </li>
 
 <li>
-<em>Gradle</em> users can add comments in <em>build.gradle</em>:
+<em>Gradle</em> users can add in build.gradle a comment with //trustify-da-ignore next to the package to be ignored:
+```build.gradle
 
 ```groovy
 plugins {
@@ -307,8 +306,7 @@ repositories {
 }
 
 dependencies {
-    implementation "groupId:artifactId:version" // exhortignore
-    implementation "anotherGroup:anotherArtifact:version" // trustify-da-ignore
+    implementation "groupId:artifactId:version" // trustify-da-ignore
 }
 
 test {
@@ -319,9 +317,6 @@ test {
 
 </ul>
 
-#### Migration from exhortignore to trustify-da-ignore
-Both `exhortignore` and `trustify-da-ignore` patterns work identically and can be used interchangeably. The `trustify-da-ignore` syntax is recommended for new projects, while `exhortignore` continues to be supported for backwards compatibility. You can gradually migrate your projects or use both patterns in the same manifest.
-
 #### Ignore Strategies - experimental
 
 You can specify the method to ignore dependencies in manifest (globally), by setting the environment variable `TRUSTIFY_DA_IGNORE_METHOD` to one of the following values:
diff --git a/src/main/java/io/github/guacsec/trustifyda/providers/JavaMavenProvider.java b/src/main/java/io/github/guacsec/trustifyda/providers/JavaMavenProvider.java
@@ -278,7 +278,7 @@ private List<DependencyAggregator> getDependencies(final Path manifestPath) thro
         if (!Objects.isNull(dependencyAggregator)) {
           // if we hit an ignore comment, mark aggregator to be ignored
           if (reader.getEventType() == XMLStreamConstants.COMMENT
-              && IgnorePatternDetector.isIgnoreComment(reader.getText())) {
+              && isIgnoreComment(reader.getText())) {
             dependencyAggregator.ignored = true;
             continue;
           }
@@ -492,4 +492,17 @@ public static String normalizePath(String thePath) {
     }
     return result;
   }
+
+  /**
+   * Checks if a comment text exactly matches an ignore pattern. Used for XML comment detection in
+   * pom.xml files.
+   *
+   * @param commentText the comment text to check (will be stripped of whitespace)
+   * @return true if the comment exactly matches an ignore pattern
+   */
+  private boolean isIgnoreComment(String commentText) {
+    String stripped = commentText.strip();
+    return IgnorePatternDetector.IGNORE_PATTERN.equals(stripped)
+        || IgnorePatternDetector.LEGACY_IGNORE_PATTERN.equals(stripped);
+  }
 }
diff --git a/src/main/java/io/github/guacsec/trustifyda/providers/PythonPipProvider.java b/src/main/java/io/github/guacsec/trustifyda/providers/PythonPipProvider.java
@@ -169,12 +169,26 @@ private void handleIgnoredDependencies(String manifestContent, Sbom sbom) {
     }
   }
 
+  /**
+   * Checks if a text line contains a Python pip ignore pattern. Handles both '#exhortignore' and
+   * '#trustify-da-ignore' with optional spacing.
+   *
+   * @param line the line to check
+   * @return true if the line contains a Python pip ignore pattern
+   */
+  private boolean containsPythonIgnorePattern(String line) {
+    return line.contains("#" + IgnorePatternDetector.IGNORE_PATTERN)
+        || line.contains("# " + IgnorePatternDetector.IGNORE_PATTERN)
+        || line.contains("#" + IgnorePatternDetector.LEGACY_IGNORE_PATTERN)
+        || line.contains("# " + IgnorePatternDetector.LEGACY_IGNORE_PATTERN);
+  }
+
   private Set<PackageURL> getIgnoredDependencies(String requirementsDeps) {
 
     String[] requirementsLines = requirementsDeps.split(System.lineSeparator());
     Set<PackageURL> collected =
         Arrays.stream(requirementsLines)
-            .filter(IgnorePatternDetector::containsPythonIgnorePattern)
+            .filter(this::containsPythonIgnorePattern)
             .map(PythonPipProvider::extractDepFull)
             .map(this::splitToNameVersion)
             .map(dep -> toPurl(dep[0], dep[1]))
diff --git a/src/main/java/io/github/guacsec/trustifyda/providers/javascript/model/Manifest.java b/src/main/java/io/github/guacsec/trustifyda/providers/javascript/model/Manifest.java
@@ -18,9 +18,9 @@
 
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.databind.node.ArrayNode;
 import com.github.packageurl.PackageURL;
 import io.github.guacsec.trustifyda.providers.JavaScriptProvider;
+import io.github.guacsec.trustifyda.utils.IgnorePatternDetector;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -68,18 +68,18 @@ private Set<String> loadDependencies(JsonNode content) {
   }
 
   private Set<String> loadIgnored(JsonNode content) {
-    var names = new HashSet<String>();
-    if (content != null) {
-      processIgnoreArray(content, "exhortignore", names);
-      processIgnoreArray(content, "trustify-da-ignore", names);
+    if (content == null) {
+      return Collections.emptySet();
     }
-    return names.isEmpty() ? Collections.emptySet() : Collections.unmodifiableSet(names);
-  }
-
-  private void processIgnoreArray(JsonNode content, String key, Set<String> names) {
-    var ignore = (ArrayNode) content.get(key);
-    if (ignore != null && !ignore.isEmpty()) {
-      ignore.forEach(n -> names.add(n.asText()));
+    var node = content.get(IgnorePatternDetector.IGNORE_PATTERN);
+    if (node == null || node.isEmpty()) {
+      node = content.get(IgnorePatternDetector.LEGACY_IGNORE_PATTERN);
+    }
+    if (node != null && !node.isEmpty()) {
+      var names = new HashSet<String>();
+      node.forEach(n -> names.add(n.asText()));
+      return Collections.unmodifiableSet(names);
     }
+    return Collections.emptySet();
   }
 }
diff --git a/src/main/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetector.java b/src/main/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetector.java
@@ -23,7 +23,7 @@
 public class IgnorePatternDetector {
 
   public static final String LEGACY_IGNORE_PATTERN = "exhortignore";
-  public static final String NEW_IGNORE_PATTERN = "trustify-da-ignore";
+  public static final String IGNORE_PATTERN = "trustify-da-ignore";
 
   /**
    * Checks if a text line contains any ignore pattern (exhortignore or trustify-da-ignore). Used
@@ -33,32 +33,6 @@ public class IgnorePatternDetector {
    * @return true if the text contains any ignore pattern
    */
   public static boolean containsIgnorePattern(String text) {
-    return text.contains(LEGACY_IGNORE_PATTERN) || text.contains(NEW_IGNORE_PATTERN);
-  }
-
-  /**
-   * Checks if a comment text exactly matches an ignore pattern. Used for XML comment detection in
-   * pom.xml files.
-   *
-   * @param commentText the comment text to check (will be stripped of whitespace)
-   * @return true if the comment exactly matches an ignore pattern
-   */
-  public static boolean isIgnoreComment(String commentText) {
-    String stripped = commentText.strip();
-    return LEGACY_IGNORE_PATTERN.equals(stripped) || NEW_IGNORE_PATTERN.equals(stripped);
-  }
-
-  /**
-   * Checks if a text line contains a Python pip ignore pattern. Handles both '#exhortignore' and
-   * '#trustify-da-ignore' with optional spacing.
-   *
-   * @param line the line to check
-   * @return true if the line contains a Python pip ignore pattern
-   */
-  public static boolean containsPythonIgnorePattern(String line) {
-    return line.contains("#" + LEGACY_IGNORE_PATTERN)
-        || line.contains("# " + LEGACY_IGNORE_PATTERN)
-        || line.contains("#" + NEW_IGNORE_PATTERN)
-        || line.contains("# " + NEW_IGNORE_PATTERN);
+    return text.contains(LEGACY_IGNORE_PATTERN) || text.contains(IGNORE_PATTERN);
   }
 }
diff --git a/src/test/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetectorTest.java b/src/test/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetectorTest.java
diff --git a/src/test/resources/tst_manifests/golang/go_mod_with_all_ignore/go.mod b/src/test/resources/tst_manifests/golang/go_mod_with_all_ignore/go.mod
@@ -3,9 +3,9 @@ module github.com/devfile-samples/devfile-sample-go-basic
 go 1.19
 
 require(
-    github.com/labstack/echo/v4 v4.1.18-0.20201215153152-4422e3b66b9f //exhortignore
-    github.com/russellhaering/goxmldsig v1.1.0 //exhortignore
-    github.com/gin-gonic/gin v1.6.0 //exhortignore
+    github.com/labstack/echo/v4 v4.1.18-0.20201215153152-4422e3b66b9f //trustify-da-ignore
+    github.com/russellhaering/goxmldsig v1.1.0 //trustify-da-ignore
+    github.com/gin-gonic/gin v1.6.0 //trustify-da-ignore
     github.com/miekg/dns v1.0.4-0.20180125103619-43913f2f4fbd //trustify-da-ignore
     github.com/ipld/go-car v0.3.0 //trustify-da-ignore
     go.elastic.co/apm v1.11.0 //trustify-da-ignore
