Refactor Plugin Extension to avoid duplicate attributes (#5)

* refactor: replace uploadSbom Builder with extension attributes to remove all the duplicate in plugin extension configuration, i replaced the builder objects with normal extension attributes that we can reuse in all tasks. * refactor: replace uploadVex Builder with extension attributes to remove all the duplicate in plugin extension configuration, i replaced the builder objects with normal extension attributes that we can reuse in all tasks. * refactor: replace GetOutdatedDependencies Builder with extension attributes to remove all the duplicate in plugin extension configuration, i replaced the builder objects with normal extension attributes that we can reuse in all tasks. * fix(integrationTest): remove old builder attribute * refactor: replace GetSuppressedVuln Builder with extension attributes to remove all the duplicate in plugin extension configuration, i replaced the builder objects with normal extension attributes that we can reuse in all tasks. * refactor: replace riskScore Builder with extension attributes to remove all the duplicate in plugin extension configuration, i replaced the builder objects with normal extension attributes that we can reuse in all tasks. * chore(README): update instruction on new plugin configuration * chore(service/DT): rename all id's to projectUUID for more consistency * chore: replace if with when for better readability --------- Co-authored-by: Patrick Mirwald <mirwald@liftric.com>
Liftric · Jul 27, 2023 · b2b28bf · b2b28bf
1 parent 8ab0c7c
commit b2b28bf
Show file tree

Hide file tree

Showing 16 changed files with 261 additions and 280 deletions.
diff --git a/README.md b/README.md
@@ -7,13 +7,14 @@ This plugin internally applies the [CycloneDX Gradle plugin](https://github.com/
 
 The plugin offers several tasks:
 
-- `runDepTrackWorkflow`: Runs `generateSbom`, `uploadSbom`, `generateVex` and `uploadVex` tasks for CI/CD.
+- `runDepTrackWorkflow`: Runs `generateSbom`, `uploadSbom`, `generateVex`, `uploadVex` and `riskScore` tasks for CI/CD.
 - `generateSbom`: Generates the SBOM (Runs "cyclonedxBom" from [cyclonedx-gradle-plugin](https://github.com/CycloneDX/cyclonedx-gradle-plugin) under the hood)
 - `uploadSbom`: Uploads SBOM file.
 - `generateVex`: Generates VEX file.
 - `uploadVex`: Uploads VEX file.
 - `getOutdatedDependencies`: Gets outdated dependencies.
 - `getSuppressedVuln`: Gets suppressed vulnerabilities.
+- `riskScore`: Gets risk score. If the risk score is higher than the specified value, the task will fail.
 
 ### Task Configuration
 
@@ -24,7 +25,13 @@ Each task requires certain inputs which are to be specified in your `build.gradl
 - `url`: Dependency Track API URL
 - `apiKey`: Dependency Track API KEY
 - `inputFile`: *Optional* - Default: build/reports/bom.json
-- `uploadSbom`: [Dependency Track BOM Upload Api Reference](https://yoursky.blue/documentation-api/dependencytrack.html#tag/bom/operation/UploadBom)
+- `autoCreate`: *Optional* - Default: false
+- `projectUUID`: *Optional* - You need to set UUID or projectName and projectVersion
+- `projectName`: *Optional* - You need to set UUID or projectName and projectVersion
+- `projectVersion`: *Optional* - You need to set UUID or projectName and projectVersion
+- `parentUUID`: *Optional* - Used for creating in a parent project 
+- `parentName`: *Optional* - Used for creating in a parent project 
+- `parentVersion`: *Optional* - Used for creating in a parent project
 
 #### generateVex
 
@@ -38,32 +45,36 @@ Each task requires certain inputs which are to be specified in your `build.gradl
 - `url`: Dependency Track API URL
 - `apiKey`: Dependency Track API KEY
 - `outputFile`: *Optional* (Default "build/reports/vex.json")
-- `uploadVex`: [Dependency Track VEX Upload API Reference](https://yoursky.blue/documentation-api/dependencytrack.html#tag/vex/operation/uploadVex)
+- `projectUUID`: *Optional* - You need to set UUID or projectName and projectVersion
+- `projectName`: *Optional* - You need to set UUID or projectName and projectVersion
+- `projectVersion`: *Optional* - You need to set UUID or projectName and projectVersion
 
 #### riskScore
 
 - `url`: Dependency Track API URL
 - `apiKey`: Dependency Track API KEY
-- `riskScore`: *Optional* - [Dependency Track Project Lookup API Reference](https://yoursky.blue/documentation-api/dependencytrack.html#tag/project/operation/getProjectByNameAndVersion)
+- `projectUUID`: *Optional* - You need to set UUID or projectName and projectVersion
+- `projectName`: *Optional* - You need to set UUID or projectName and projectVersion
+- `projectVersion`: *Optional* - You need to set UUID or projectName and projectVersion
+- `riskScore`: *Optional* - Used for failing the task if the risk score is higher than the specified value.
    - `timeout`: *Optional* - If specified, the task will wait for the risk score to be calculated. Default: 0 seconds
    - `maxRiskScore`: *Optional* - If specified, the task will fail if the risk score is higher than the specified value.
 
-#### runDepTrackWorkflow
-
-- This task requires configuration for `uploadSbom`, `generateVex`, and `uploadVex`.
-- Runs `uploadSbom`, `generateVex`, `uploadVex` and `riskScore` tasks for CI/CD.
-
 #### getOutdatedDependencies
 
 - `url`: Dependency Track API URL
 - `apiKey`: Dependency Track API KEY
-- `getOutdatedDependencies`: [Dependency Track Project Lookup API Reference](https://yoursky.blue/documentation-api/dependencytrack.html#tag/project/operation/getProjectByNameAndVersion)
+- `projectUUID`: *Optional* - You need to set UUID or projectName and projectVersion
+- `projectName`: *Optional* - You need to set UUID or projectName and projectVersion
+- `projectVersion`: *Optional* - You need to set UUID or projectName and projectVersion
 
 #### getSuppressedVuln
 
 - `url`: Dependency Track API URL
 - `apiKey`: Dependency Track API KEY
-- `getSuppressedVuln`: [Dependency Track Project Lookup API Reference](https://yoursky.blue/documentation-api/dependencytrack.html#tag/project/operation/getProjectByNameAndVersion)
+- `projectUUID`: *Optional* - You need to set UUID or projectName and projectVersion
+- `projectName`: *Optional* - You need to set UUID or projectName and projectVersion
+- `projectVersion`: *Optional* - You need to set UUID or projectName and projectVersion
 
 ## Example Configuration
 
@@ -78,27 +89,11 @@ val name: String by project
 dependencyTrackCompanion {
     url.set("https://api.dtrack.example.com")
     apiKey.set(System.getenv("DT_API_KEY"))
-    uploadSBOM {
-        autoCreate.set(true)
-        projectName.set(name)
-        projectVersion.set(version)
-        parentName.set(name)
-    }
-    uploadVex {
-        projectName.set(name)
-        projectVersion.set(version)
-    }
-    getOutdatedDependencies {
-        projectName.set(name)
-        projectVersion.set(version)
-    }
-    getSuppressedVuln {
-        projectName.set(name)
-        projectVersion.set(version)
-    }
+    autoCreate.set(true)
+    projectName.set(name)
+    projectVersion.set(version)
+    parentName.set(name)
     riskScore{
-        projectName.set(name)
-        projectVersion.set(version)
         timeout.set(20.seconds)
         maxRiskScore.set(7.0)
     }

diff --git a/src/integrationTest/kotlin/com/liftric/dtcp/RunDepTrackWorkflowTest.kt b/src/integrationTest/kotlin/com/liftric/dtcp/RunDepTrackWorkflowTest.kt
@@ -64,22 +64,8 @@ version = "$version"
 dependencyTrackCompanion {
     url.set("$dependencyTrackApiEndpoint")
     apiKey.set("$dependencyTrackAccessKey")
-    uploadSBOM {
-        projectName.set("$projectName")
-        projectVersion.set("$version")
-    }
-    uploadVex {
-        projectName.set("$projectName")
-        projectVersion.set("$version")
-    }
-    getOutdatedDependencies {
-        projectName.set("$projectName")
-        projectVersion.set("$version")
-    }
-    getSuppressedVuln {
-        projectName.set("$projectName")
-        projectVersion.set("$version")
-    }
+    projectName.set("$projectName")
+    projectVersion.set("$version")
     vexComponent {
         purl.set("${vexComponent.purl}")
         vulnerability {

diff --git a/src/main/kotlin/com/liftric/dtcp/DepTrackCompanionPlugin.kt b/src/main/kotlin/com/liftric/dtcp/DepTrackCompanionPlugin.kt
@@ -20,6 +20,7 @@ class DepTrackCompanionPlugin : Plugin<Project> {
         extension.outputFile.convention(
             project.layout.buildDirectory.file("reports/vex.json")
         )
+        extension.autoCreate.convention(false)
 
         val generateSbom = project.tasks.register("generateSbom") { task ->
             task.group = taskGroup
@@ -33,7 +34,13 @@ class DepTrackCompanionPlugin : Plugin<Project> {
             task.url.set(extension.url)
             task.apiKey.set(extension.apiKey)
             task.inputFile.set(extension.inputFile)
-            task.uploadSBOM.set(extension.uploadSBOMData)
+            task.autoCreate.set(extension.autoCreate)
+            task.projectUUID.set(extension.projectUUID)
+            task.projectName.set(extension.projectName)
+            task.projectVersion.set(extension.projectVersion)
+            task.parentUUID.set(extension.parentUUID)
+            task.parentName.set(extension.parentName)
+            task.parentVersion.set(extension.parentVersion)
             task.dependsOn(generateSbom)
         }
 
@@ -54,7 +61,9 @@ class DepTrackCompanionPlugin : Plugin<Project> {
             task.outputFile.set(extension.outputFile)
             task.apiKey.set(extension.apiKey)
             task.url.set(extension.url)
-            task.uploadVex.set(extension.uploadVexData)
+            task.projectUUID.set(extension.projectUUID)
+            task.projectName.set(extension.projectName)
+            task.projectVersion.set(extension.projectVersion)
             task.mustRunAfter(generateVex)
             task.dependsOn(generateVex)
         }
@@ -64,6 +73,9 @@ class DepTrackCompanionPlugin : Plugin<Project> {
             task.description = "Get Risk Score"
             task.apiKey.set(extension.apiKey)
             task.url.set(extension.url)
+            task.projectUUID.set(extension.projectUUID)
+            task.projectName.set(extension.projectName)
+            task.projectVersion.set(extension.projectVersion)
             task.riskScore.set(extension.riskScoreData)
             task.mustRunAfter(uploadVex)
         }
@@ -80,15 +92,19 @@ class DepTrackCompanionPlugin : Plugin<Project> {
             task.description = "Gets outdated dependencies"
             task.apiKey.set(extension.apiKey)
             task.url.set(extension.url)
-            task.getOutdatedDependencies.set(extension.getOutdatedDependenciesData)
+            task.projectUUID.set(extension.projectUUID)
+            task.projectName.set(extension.projectName)
+            task.projectVersion.set(extension.projectVersion)
         }
 
         project.tasks.register("getSuppressedVuln", GetSuppressedVulnTask::class.java) { task ->
             task.group = taskGroup
             task.description = "Gets suppressed vulnerabilities"
             task.apiKey.set(extension.apiKey)
             task.url.set(extension.url)
-            task.getSuppressedVuln.set(extension.getSuppressedVulnData)
+            task.projectUUID.set(extension.projectUUID)
+            task.projectName.set(extension.projectName)
+            task.projectVersion.set(extension.projectVersion)
         }
     }
 }

diff --git a/src/main/kotlin/com/liftric/dtcp/extensions/DepTrackCompanionExtension.kt b/src/main/kotlin/com/liftric/dtcp/extensions/DepTrackCompanionExtension.kt
@@ -12,12 +12,15 @@ abstract class DepTrackCompanionExtension(val project: Project) {
     abstract val inputFile: RegularFileProperty
     abstract val outputFile: RegularFileProperty
 
-    abstract val uploadSBOMData: Property<UploadSBOMBuilder>
+    abstract val autoCreate: Property<Boolean>
+    abstract val projectUUID: Property<String>
+    abstract val projectName: Property<String>
+    abstract val projectVersion: Property<String>
+    abstract val parentUUID: Property<String>
+    abstract val parentName: Property<String>
+    abstract val parentVersion: Property<String>
 
-    abstract val uploadVexData: Property<UploadVexBuilder>
     abstract val riskScoreData: Property<RiskScoreBuilder>
-    abstract val getOutdatedDependenciesData: Property<GetOutdatedDependenciesBuilder>
-    abstract val getSuppressedVulnData: Property<GetSuppressedVulnBuilder>
 
     abstract val vexComponentList: ListProperty<VexComponentBuilder>
     abstract val vexVulnerabilityList: ListProperty<VexVulnerabilityBuilder>
@@ -31,22 +34,6 @@ fun DepTrackCompanionExtension.vexVulnerability(action: VexVulnerabilityBuilder.
     vexVulnerabilityList.add(VexVulnerabilityBuilder(project).apply(action))
 }
 
-fun DepTrackCompanionExtension.uploadSBOM(action: UploadSBOMBuilder.() -> Unit) {
-    uploadSBOMData.set(UploadSBOMBuilder(project).apply(action))
-}
-
-fun DepTrackCompanionExtension.uploadVex(action: UploadVexBuilder.() -> Unit) {
-    uploadVexData.set(UploadVexBuilder(project).apply(action))
-}
-
 fun DepTrackCompanionExtension.riskScore(action: RiskScoreBuilder.() -> Unit) {
     riskScoreData.set(RiskScoreBuilder(project).apply(action))
 }
-
-fun DepTrackCompanionExtension.getOutdatedDependencies(action: GetOutdatedDependenciesBuilder.() -> Unit) {
-    getOutdatedDependenciesData.set(GetOutdatedDependenciesBuilder(project).apply(action))
-}
-
-fun DepTrackCompanionExtension.getSuppressedVuln(action: GetSuppressedVulnBuilder.() -> Unit) {
-    getSuppressedVulnData.set(GetSuppressedVulnBuilder(project).apply(action))
-}
diff --git a/src/main/kotlin/com/liftric/dtcp/extensions/GetOutdatedDependencies.kt b/src/main/kotlin/com/liftric/dtcp/extensions/GetOutdatedDependencies.kt
diff --git a/src/main/kotlin/com/liftric/dtcp/extensions/GetSuppressedVuln.kt b/src/main/kotlin/com/liftric/dtcp/extensions/GetSuppressedVuln.kt
diff --git a/src/main/kotlin/com/liftric/dtcp/extensions/RiskScore.kt b/src/main/kotlin/com/liftric/dtcp/extensions/RiskScore.kt
@@ -9,23 +9,13 @@ import kotlin.time.Duration
 import kotlin.time.ExperimentalTime
 
 data class RiskScore @OptIn(ExperimentalTime::class) constructor(
-    val projectName: String,
-    val projectVersion: String,
     val maxRiskScore: Double?,
     val timeout: Duration?,
 )
 
 @Suppress("MemberVisibilityCanBePrivate")
 @ConfigDsl
 class RiskScoreBuilder(@get:Internal val proj: Project) {
-    @get:Input
-    @get:Optional
-    val projectName: Property<String> = proj.objects.property(String::class.java)
-
-    @get:Input
-    @get:Optional
-    val projectVersion: Property<String> = proj.objects.property(String::class.java)
-
     @get:Input
     @get:Optional
     val maxRiskScore: Property<Double> = proj.objects.property(Double::class.java)
@@ -37,8 +27,6 @@ class RiskScoreBuilder(@get:Internal val proj: Project) {
 
     @OptIn(ExperimentalTime::class)
     fun build(): RiskScore = RiskScore(
-        projectName = this.projectName.get(),
-        projectVersion = this.projectVersion.get(),
         maxRiskScore = this.maxRiskScore.orNull,
         timeout = this.timeout.orNull,
     )

diff --git a/src/main/kotlin/com/liftric/dtcp/extensions/UploadSBOM.kt b/src/main/kotlin/com/liftric/dtcp/extensions/UploadSBOM.kt