Merge branch 'main' into TC-3969

Author: soul2zimate

src/main/java/io/github/guacsec/trustifyda/providers/BaseJavaProvider.java

@@ -23,9 +23,7 @@
 import io.github.guacsec.trustifyda.tools.Ecosystem;
 import java.nio.file.Path;
 import java.util.Arrays;
-import java.util.Map;
 import java.util.Objects;
-import java.util.TreeMap;
 
 public abstract class BaseJavaProvider extends Provider {
 
@@ -45,10 +43,10 @@ void parseDependencyTree(String src, int srcDepth, String[] lines, Sbom sbom, St
     int targetDepth = getDepth(target);
     while (targetDepth > srcDepth && index < lines.length) {
       if (targetDepth == srcDepth + 1) {
-        PackageURL from = parseDep(src);
-        PackageURL to = parseDep(target);
-        if (dependencyIsNotTestScope(from) && dependencyIsNotTestScope(to)) {
-          sbom.addDependency(from, to, scope);
+        DependencyAggregator from = parseDep(src);
+        DependencyAggregator to = parseDep(target);
+        if (!from.isTestDependency() && !to.isTestDependency()) {
+          sbom.addDependency(from.toPurl(), to.toPurl(), scope);
         }
       } else {
         String[] modifiedLines = Arrays.copyOfRange(lines, index, lines.length);
@@ -64,13 +62,7 @@ void parseDependencyTree(String src, int srcDepth, String[] lines, Sbom sbom, St
     }
   }
 
-  static boolean dependencyIsNotTestScope(PackageURL artifact) {
-    return (Objects.nonNull(artifact.getQualifiers())
-            && !artifact.getQualifiers().get("scope").equals("test"))
-        || Objects.isNull(artifact.getQualifiers());
-  }
-
-  PackageURL parseDep(String dep) {
+  DependencyAggregator parseDep(String dep) {
     // root package
     DependencyAggregator dependencyAggregator = new DependencyAggregator();
     // in case line in dependency tree text starts with a letter ( for root artifact).
@@ -81,7 +73,7 @@ PackageURL parseDep(String dep) {
       dependencyAggregator.artifactId = parts[1];
       dependencyAggregator.version = parts[3];
 
-      return dependencyAggregator.toPurl();
+      return dependencyAggregator;
     }
     int firstDash = dep.indexOf("-");
     String dependency = dep.substring(++firstDash).trim();
@@ -137,7 +129,7 @@ else if (parts.length == 6) {
           Integer.min(parts[parts.length - 1].indexOf(""), parts[parts.length - 1].indexOf("-"));
       dependencyAggregator.scope = parts[parts.length - 1].substring(0, endOfLine).trim();
     }
-    return dependencyAggregator.toPurl();
+    return dependencyAggregator;
   }
 
   int getDepth(String line) {
@@ -185,12 +177,7 @@ boolean isTestDependency() {
     PackageURL toPurl() {
       try {
         return new PackageURL(
-            Ecosystem.Type.MAVEN.getType(),
-            groupId,
-            artifactId,
-            version,
-            this.scope.equals("*") ? null : new TreeMap<>(Map.of("scope", this.scope)),
-            null);
+            Ecosystem.Type.MAVEN.getType(), groupId, artifactId, version, null, null);
       } catch (MalformedPackageURLException e) {
         throw new IllegalArgumentException("Unable to parse PackageURL", e);
       }

src/main/java/io/github/guacsec/trustifyda/providers/GradleProvider.java

@@ -307,7 +307,7 @@ private Sbom buildSbomFromTextFormat(
     Sbom sbom = SbomFactory.newInstance(Sbom.BelongingCondition.PURL, "sensitive");
     String root = getRoot(textFormatFile, propertiesMap);
 
-    PackageURL rootPurl = parseDep(root);
+    PackageURL rootPurl = parseDep(root).toPurl();
     sbom.addRoot(rootPurl, readLicenseFromManifest());
 
     List<String> runtimeConfig = extractLines(textFormatFile, RUNTIME_CLASSPATH);

src/main/java/io/github/guacsec/trustifyda/providers/JavaMavenProvider.java

@@ -177,7 +177,7 @@ private Sbom buildSbomFromTextFormat(Path textFormatFile) throws IOException {
     sbom.setCoordinateBasedMatching();
     List<String> lines = Files.readAllLines(textFormatFile);
     var root = lines.get(0);
-    var rootPurl = parseDep(root);
+    var rootPurl = parseDep(root).toPurl();
     sbom.addRoot(rootPurl, readLicenseFromManifest());
     lines.remove(0);
     String[] array = new String[lines.size()];

src/test/resources/tst_manifests/gradle-groovy/deps_with_duplicate_different_versions/expected_component_sbom.json

@@ -21,7 +21,7 @@
       "name" : "log4j",
       "version" : "1.2.17",
       "scope":"required",
-      "purl" : "pkg:maven/log4j/log4j@1.2.17?scope=compile"
+      "purl" : "pkg:maven/log4j/log4j@1.2.17"
     }
   ],
   "dependencies" : [

src/test/resources/tst_manifests/gradle-groovy/deps_with_duplicate_different_versions/expected_stack_sbom.json

@@ -21,7 +21,7 @@
       "name" : "log4j",
       "version" : "1.2.17",
       "scope":"required",
-      "purl" : "pkg:maven/log4j/log4j@1.2.17?scope=compile"
+      "purl" : "pkg:maven/log4j/log4j@1.2.17"
     }
   ],
   "dependencies" : [

src/test/resources/tst_manifests/gradle-groovy/deps_with_duplicate_no_version/expected_component_sbom.json

@@ -21,7 +21,7 @@
       "name" : "log4j",
       "version" : "1.2.17",
       "scope":"required",
-      "purl" : "pkg:maven/log4j/log4j@1.2.17?scope=compile"
+      "purl" : "pkg:maven/log4j/log4j@1.2.17"
     }
   ],
   "dependencies" : [

src/test/resources/tst_manifests/gradle-groovy/deps_with_duplicate_no_version/expected_stack_sbom.json

@@ -21,7 +21,7 @@
       "name" : "log4j",
       "version" : "1.2.17",
       "scope":"required",
-      "purl" : "pkg:maven/log4j/log4j@1.2.17?scope=compile"
+      "purl" : "pkg:maven/log4j/log4j@1.2.17"
     }
   ],
   "dependencies" : [

src/test/resources/tst_manifests/gradle-groovy/deps_with_ignore_full_specification/expected_component_sbom.json

@@ -20,7 +20,7 @@
       "name" : "quarkus-hibernate-orm",
       "version" : "2.13.5.Final",
       "scope" : "required",
-      "purl" : "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final?scope=compile"
+      "purl" : "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final"
     },
     {
       "type" : "library",
@@ -29,7 +29,7 @@
       "name" : "quarkus-agroal",
       "version" : "2.13.5.Final",
       "scope" : "required",
-      "purl" : "pkg:maven/io.quarkus/quarkus-agroal@2.13.5.Final?scope=compile"
+      "purl" : "pkg:maven/io.quarkus/quarkus-agroal@2.13.5.Final"
     },
     {
       "type" : "library",
@@ -38,7 +38,7 @@
       "name" : "quarkus-resteasy",
       "version" : "2.13.7.Final",
       "scope" : "required",
-      "purl" : "pkg:maven/io.quarkus/quarkus-resteasy@2.13.7.Final?scope=compile"
+      "purl" : "pkg:maven/io.quarkus/quarkus-resteasy@2.13.7.Final"
     },
     {
       "type" : "library",
@@ -47,7 +47,7 @@
       "name" : "quarkus-resteasy-jackson",
       "version" : "2.13.5.Final",
       "scope" : "required",
-      "purl" : "pkg:maven/io.quarkus/quarkus-resteasy-jackson@2.13.5.Final?scope=compile"
+      "purl" : "pkg:maven/io.quarkus/quarkus-resteasy-jackson@2.13.5.Final"
     },
     {
       "type" : "library",
@@ -56,7 +56,7 @@
       "name" : "quarkus-jdbc-postgresql",
       "version" : "2.13.5.Final",
       "scope" : "required",
-      "purl" : "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final?scope=compile"
+      "purl" : "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final"
     },
     {
       "type" : "library",
@@ -65,7 +65,7 @@
       "name" : "quarkus-vertx-http",
       "version" : "2.13.7.Final",
       "scope" : "required",
-      "purl" : "pkg:maven/io.quarkus/quarkus-vertx-http@2.13.7.Final?scope=compile"
+      "purl" : "pkg:maven/io.quarkus/quarkus-vertx-http@2.13.7.Final"
     },
     {
       "type" : "library",
@@ -74,7 +74,7 @@
       "name" : "quarkus-kubernetes-service-binding",
       "version" : "2.13.5.Final",
       "scope" : "required",
-      "purl" : "pkg:maven/io.quarkus/quarkus-kubernetes-service-binding@2.13.5.Final?scope=compile"
+      "purl" : "pkg:maven/io.quarkus/quarkus-kubernetes-service-binding@2.13.5.Final"
     },
     {
       "type" : "library",
@@ -83,7 +83,7 @@
       "name" : "quarkus-container-image-docker",
       "version" : "2.13.5.Final",
       "scope" : "required",
-      "purl" : "pkg:maven/io.quarkus/quarkus-container-image-docker@2.13.5.Final?scope=compile"
+      "purl" : "pkg:maven/io.quarkus/quarkus-container-image-docker@2.13.5.Final"
     },
     {
       "type" : "library",
@@ -92,7 +92,7 @@
       "name" : "jakarta.validation-api",
       "version" : "2.0.2",
       "scope" : "required",
-      "purl" : "pkg:maven/jakarta.validation/jakarta.validation-api@2.0.2?scope=compile"
+      "purl" : "pkg:maven/jakarta.validation/jakarta.validation-api@2.0.2"
     },
     {
       "type" : "library",
@@ -101,7 +101,7 @@
       "name" : "quarkus-resteasy-multipart",
       "version" : "2.13.7.Final",
       "scope" : "required",
-      "purl" : "pkg:maven/io.quarkus/quarkus-resteasy-multipart@2.13.7.Final?scope=compile"
+      "purl" : "pkg:maven/io.quarkus/quarkus-resteasy-multipart@2.13.7.Final"
     },
     {
       "type" : "library",
@@ -110,7 +110,7 @@
       "name" : "quarkus-hibernate-orm-deployment",
       "version" : "2.0.2.Final",
       "scope" : "required",
-      "purl" : "pkg:maven/io.quarkus/quarkus-hibernate-orm-deployment@2.0.2.Final?scope=compile"
+      "purl" : "pkg:maven/io.quarkus/quarkus-hibernate-orm-deployment@2.0.2.Final"
     }
   ],
   "dependencies" : [