Merge branch 'main' into snyk-upgrade-2f057c52ed35d1723fc72536565316d3

Author: soul2zimate

.github/workflows/integration.yml

@@ -0,0 +1,20 @@
+---
+name: Integration
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  call-shared:
+    uses: trustification/exhort-integration-tests/.github/workflows/integration.yml@main
+    with:
+      language: java
+      repo-url: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
+      commit-sha: ${{ github.event.pull_request.head.sha || github.sha }}

.github/workflows/pr.yml

@@ -14,11 +14,11 @@ jobs:
       checks: write
       pull-requests: write
     env:
-      MAIN_JAVA_VER: 11
+      MAIN_JAVA_VER: 17
       RUN_PYTHON_BIN: ${{ vars.RUN_PYTHON_BIN }}
     strategy:
       matrix:
-        java: [11, 17, 21]
+        java: [17, 21]
     steps:
     - name: Checkout sources
       uses: actions/checkout@v3

.github/workflows/release.yml

@@ -31,11 +31,11 @@ jobs:
           fetch-depth: 0
 
 
-      - name: Setup Java 11
-        uses: actions/setup-java@v3
+      - name: Setup Java 17
+        uses: actions/setup-java@v4
         with:
           distribution: temurin
-          java-version: 11
+          java-version: 17
           cache: maven
 
       - name: create ssh agent

.github/workflows/stage.yml

@@ -25,11 +25,11 @@ jobs:
       - name: Checkout sources
         uses: actions/checkout@v3
 
-      - name: Setup Java 11
-        uses: actions/setup-java@v3
+      - name: Setup Java 17
+        uses: actions/setup-java@v4
         with:
           distribution: temurin
-          java-version: 11
+          java-version: 17
           cache: maven
 
       - name: Get pom specs

.gitignore

@@ -22,6 +22,7 @@
 # Maven
 target
 .flattened-pom.xml
+dependency-reduced-pom.xml
 
 # Gradle
 .gradle
@@ -40,8 +41,12 @@ target
 # Node
 node_modules
 
+# Python virtual envs
+.venv
+
 # project stuff
 http_requests
 json_responses
 **/.DS_Store
 .idea/
+

README.md

@@ -503,6 +503,73 @@ By Default, The API algorithm will use native commands of PIP installer as data
 It's also possible, to use lightweight Python PIP utility [pipdeptree](https://pypi.org/project/pipdeptree/) as data source instead, in order to activate this,
 Need to set environment variable/system property - `EXHORT_PIP_USE_DEP_TREE` to true.
 
+### CLI Support
+
+The Exhort Java API includes a command-line interface for standalone usage.
+
+#### Building the CLI
+
+To build the CLI JAR with all dependencies included:
+
+```shell
+mvn clean package
+```
+
+This creates two JAR files in the `target/` directory:
+- `exhort-java-api.jar` - Library JAR (for programmatic use)
+- `exhort-java-api-cli.jar` - CLI JAR (includes all dependencies)
+
+#### Usage
+
+```shell
+java -jar target/exhort-java-api-cli.jar <COMMAND> <FILE_PATH> [OPTIONS]
+```
+
+#### Commands
+
+**Stack Analysis**
+```shell
+java -jar exhort-java-api-cli.jar stack <file_path> [--summary|--html]
+```
+Perform stack analysis on the specified manifest file.
+
+Options:
+- `--summary` - Output summary in JSON format
+- `--html` - Output full report in HTML format
+- (default) - Output full report in JSON format
+
+**Component Analysis**
+```shell
+java -jar exhort-java-api-cli.jar component <file_path> [--summary]
+```
+Perform component analysis on the specified manifest file.
+
+Options:
+- `--summary` - Output summary in JSON format
+- (default) - Output full report in JSON format
+
+#### Examples
+
+```shell
+# Stack analysis with JSON output (default)
+java -jar exhort-java-api-cli.jar stack /path/to/pom.xml
+
+# Stack analysis with summary
+java -jar exhort-java-api-cli.jar stack /path/to/package.json --summary
+
+# Stack analysis with HTML output
+java -jar exhort-java-api-cli.jar stack /path/to/build.gradle --html
+
+# Component analysis with JSON output (default)
+java -jar exhort-java-api-cli.jar component /path/to/requirements.txt
+
+# Component analysis with summary
+java -jar exhort-java-api-cli.jar component /path/to/go.mod --summary
+
+# Show help
+java -jar exhort-java-api-cli.jar --help
+```
+
 ### Image Support 
 
 Generate vulnerability analysis report for container images.

pom.xml

@@ -16,7 +16,7 @@
     <code.coverage.threshold>81%</code.coverage.threshold>
     <mutation.coverage.threshold>50</mutation.coverage.threshold>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    <maven.compiler.release>11</maven.compiler.release>
+    <maven.compiler.release>17</maven.compiler.release>
     <!-- Dependencies -->
     <exhort-api.version>1.0.6</exhort-api.version>
     <jackson.version>2.15.0</jackson.version>
@@ -30,7 +30,7 @@
     <mockito.version>5.17.0</mockito.version>
     <!-- Plugins -->
     <maven-clean-plugin.version>3.2.0</maven-clean-plugin.version>
-    <maven-compiler-plugin.version>3.11.0</maven-compiler-plugin.version>
+    <maven-compiler-plugin.version>3.12.1</maven-compiler-plugin.version>
     <maven-dependency-plugin.version>3.6.0</maven-dependency-plugin.version>
     <maven-deploy-plugin.version>3.1.1</maven-deploy-plugin.version>
     <maven-enforcer-plugin.version>3.3.0</maven-enforcer-plugin.version>
@@ -44,6 +44,7 @@
     <maven-site-plugin.version>4.0.0-M6</maven-site-plugin.version>
     <maven-source-plugin.version>3.2.1</maven-source-plugin.version>
     <maven-surefire-plugin.version>3.5.3</maven-surefire-plugin.version>
+    <maven-shade-plugin.version>3.4.1</maven-shade-plugin.version>
     <build-helper-maven-plugin.version>3.4.0</build-helper-maven-plugin.version>
     <extra-enforcer-rules.version>1.6.2</extra-enforcer-rules.version>
     <flatten-maven-plugin.version>1.4.1</flatten-maven-plugin.version>
@@ -454,6 +455,11 @@ limitations under the License.]]>
           <artifactId>spotless-maven-plugin</artifactId>
           <version>${spotless-maven-plugin.version}</version>
         </plugin>
+        <plugin>
+          <groupId>org.apache.maven.plugins</groupId>
+          <artifactId>maven-shade-plugin</artifactId>
+          <version>${maven-shade-plugin.version}</version>
+        </plugin>
       </plugins>
     </pluginManagement>
 
@@ -651,6 +657,87 @@ limitations under the License.]]>
           </execution>
         </executions>
       </plugin>
+      <plugin>
+        <artifactId>maven-jar-plugin</artifactId>
+        <configuration>
+          <archive>
+            <manifest>
+              <mainClass>com.redhat.exhort.cli.App</mainClass>
+            </manifest>
+          </archive>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-shade-plugin</artifactId>
+        <executions>
+          <execution>
+            <phase>package</phase>
+            <goals>
+              <goal>shade</goal>
+            </goals>
+            <configuration>
+              <shadedArtifactAttached>true</shadedArtifactAttached>
+              <shadedClassifierName>cli</shadedClassifierName>
+              
+              <!-- Filters to exclude problematic files -->
+              <filters>
+                <filter>
+                  <artifact>*:*</artifact>
+                  <excludes>
+                    <!-- Exclude module-info.class files to avoid strong encapsulation warnings -->
+                    <exclude>module-info.class</exclude>
+                    <exclude>META-INF/versions/*/module-info.class</exclude>
+                    <!-- Exclude signature files -->
+                    <exclude>META-INF/*.SF</exclude>
+                    <exclude>META-INF/*.DSA</exclude>
+                    <exclude>META-INF/*.RSA</exclude>
+                    <!-- Exclude duplicate MANIFEST.MF files (will be recreated) -->
+                    <exclude>META-INF/MANIFEST.MF</exclude>
+                  </excludes>
+                </filter>
+              </filters>
+              
+              <!-- Transformers to handle overlapping resources -->
+              <transformers>
+                <!-- Main class transformer -->
+                <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
+                  <mainClass>com.redhat.exhort.cli.App</mainClass>
+                </transformer>
+                
+                <!-- Service files transformer for Jackson and other services -->
+                <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
+                
+                <!-- Append NOTICE files -->
+                <transformer implementation="org.apache.maven.plugins.shade.resource.AppendingTransformer">
+                  <resource>META-INF/NOTICE</resource>
+                </transformer>
+                <transformer implementation="org.apache.maven.plugins.shade.resource.AppendingTransformer">
+                  <resource>META-INF/NOTICE.txt</resource>
+                </transformer>
+                <transformer implementation="org.apache.maven.plugins.shade.resource.AppendingTransformer">
+                  <resource>META-INF/NOTICE.md</resource>
+                </transformer>
+                
+                <!-- Append LICENSE files -->
+                <transformer implementation="org.apache.maven.plugins.shade.resource.AppendingTransformer">
+                  <resource>META-INF/LICENSE</resource>
+                </transformer>
+                <transformer implementation="org.apache.maven.plugins.shade.resource.AppendingTransformer">
+                  <resource>META-INF/LICENSE.txt</resource>
+                </transformer>
+                <transformer implementation="org.apache.maven.plugins.shade.resource.AppendingTransformer">
+                  <resource>META-INF/LICENSE.md</resource>
+                </transformer>
+
+              </transformers>
+              
+              <!-- Create non-verbose output -->
+              <createDependencyReducedPom>false</createDependencyReducedPom>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
       <plugin>
         <groupId>com.diffplug.spotless</groupId>
         <artifactId>spotless-maven-plugin</artifactId>
@@ -813,9 +900,6 @@ limitations under the License.]]>
           <plugin>
             <groupId>de.sormuras.junit</groupId>
             <artifactId>junit-platform-maven-plugin</artifactId>
-            <version>${junit-platform-maven-plugin.version}</version>
-            <configuration>
-            </configuration>
           </plugin>
         </plugins>
       </build>