Merge pull request #14 from advanced-security/multi-module
Multi module support, maven wrapper support, improvements in matching and reporting the source file for the dependencies in the repository and dependency graph
peter-murray authored Feb 22, 2023
2 parents 0b9cd8f + c419f57 commit 72bdd87
Showing 41 changed files with 4,295 additions and 4,032 deletions.
2 changes: 1 addition & 1 deletion .devcontainer/install_maven.sh
@@ -5,7 +5,7 @@ echo -x
JDK_VERSION="18.0.2.1"
JDK_INSTALLER="/tmp/openjdk.tar.gz"

MVN_VERSION="3.8.6"
MVN_VERSION="3.9.0"
MVN_INSTALLER="/tmp/mvn.tar.gz"

wget https://download.java.net/java/GA/jdk${JDK_VERSION}/db379da656dc47308e138f21b33976fa/1/GPL/openjdk-${JDK_VERSION}_linux-x64_bin.tar.gz -O ${JDK_INSTALLER}
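Review bot: the bump to Maven 3.9.0 is fine, but the archives this script provisions the dev container with are still fetched with plain `wget` and no integrity check: the JDK tarball on the line above is written straight to `${JDK_INSTALLER}` and, by the look of `MVN_INSTALLER`, the Maven tarball is handled the same way further down. Verify each archive against a pinned SHA-256 (`sha256sum -c`) or the published `.sha512`/`.asc` before extracting, so a new version bump also updates a known digest. Separately, `echo -x` in the hunk context looks like it was meant to be `set -x`.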
24 changes: 24 additions & 0 deletions .github/workflows/publish_executables.yml
@@ -0,0 +1,24 @@
name: Publish Executables

on:
workflow_dispatch:
push:

jobs:
publish:
runs-on: ubuntu-22.04

steps:
- name: Checkout
uses: actions/checkout@v3

- name: Build executables
run: |
npm run base-build
npm run build-exe
- name: Attach artifacts
uses: actions/upload-artifact@v3
with:
name: executables
path: cli/*
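Review bot: `npm run base-build` will fail in this job as written, because nothing sets up Node or installs dependencies before it runs; add an `actions/setup-node` step and `npm ci` ahead of the build step. The `push:` trigger has no branch filter, so every push on every branch publishes a fresh `executables` artifact, and the job has no `permissions:` block, so it runs with the default token scope; add `permissions: contents: read` since it only checks out and uploads. Because the README change in this PR points users at this workflow's runs as the place to download the CLI binaries, it is also worth pinning `actions/checkout` and `actions/upload-artifact` to a commit SHA rather than the floating `@v3` tag.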
3 changes: 2 additions & 1 deletion .gitignore
@@ -3,4 +3,5 @@ lib
node_modules
target

runtime
runtime
cli
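Review bot: the new `cli` pattern is unanchored, so it ignores any file or directory named `cli` anywhere in the tree rather than only the build output directory at the repository root that the workflow's `cli/*` artifact path refers to; `/cli/` would be more precise. This entry goes together with the removal of the tracked `cli/maven-dependency-submission-linux-x64` binary below, which is the right direction: built executables come from the workflow artifacts rather than from git.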
18 changes: 0 additions & 18 deletions .vscode/launch.json
@@ -4,23 +4,5 @@
// For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
"version": "0.2.0",
"configurations": [
<<<<<<< HEAD
{
"type": "node",
"request": "launch",
"name": "Launch Program",
"skipFiles": [
"<node_internals>/**"
],
"program": "${workspaceFolder}/node_modules/.bin/mocha",
"args": [
"-r",
"ts-node/register",
"--colors",
"${workspaceFolder}/src/depgraph.test.ts"
],
}
=======
>>>>>>> 4b5ca60 (Initial commit)
]
}
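Review bot: the removed block is an unresolved merge conflict (`<<<<<<< HEAD` through `>>>>>>> 4b5ca60 (Initial commit)`) that had been committed, which left this file as invalid JSON, so dropping it is correct. The mocha launch configuration disappears with it, though, and `configurations` is now an empty array; if a debugger entry is still wanted, keep the `{ "type": "node", ... }` object without the markers and point it at whatever runner the project now uses (settings.json in this PR configures `jest.autoRun`, which suggests jest rather than mocha).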
28 changes: 2 additions & 26 deletions .vscode/settings.json
@@ -1,26 +1,4 @@
{
<<<<<<< HEAD
"debug.onTaskErrors": "showErrors",
"files.trimTrailingWhitespace": true,
"editor.tabSize": 2,
"editor.insertSpaces": true,
"editor.detectIndentation": false,
"[javascript]": {
"editor.tabSize": 2
},
"[json]": {
"editor.tabSize": 2
},
"[yaml]": {
"editor.tabSize": 2
},
"[html]": {
"editor.tabSize": 2
},
// GitHub Codespace Theme
"workbench.colorTheme": "GitHub Dark Dimmed"
}
=======
"debug.onTaskErrors": "showErrors",
"files.trimTrailingWhitespace": true,
"editor.tabSize": 2,
@@ -41,8 +19,6 @@
// GitHub Codespace Theme
"workbench.colorTheme": "GitHub Dark Dimmed",
"jest.autoRun": {
"watch": false,
"onSave": "test-file"
"watch": false
}
}
>>>>>>> 4b5ca60 (Initial commit)
}
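Review bot: the second hunk does more than clear the trailing `>>>>>>> 4b5ca60` marker: `"onSave": "test-file"` drops out of `jest.autoRun`, leaving only `"watch": false`, so jest will no longer run the affected test file on save. If that is intentional, say so in the commit message; if not, restore the `"onSave"` line together with the trailing comma on `"watch": false,`. The first hunk resolves the same committed-conflict-marker problem as launch.json by discarding the `<<<<<<< HEAD` side and keeping the other; since only the first three lines of the kept side are visible here, check that it still carries the `"[javascript]"`/`"[json]"`/`"[yaml]"`/`"[html]"` per-language `tabSize` entries that the discarded side had.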
30 changes: 21 additions & 9 deletions README.md
@@ -2,46 +2,58 @@

This is a GitHub Action that will generate a complete dependency graph for a Maven project and submit the graph to the GitHub repository so that the graph is complete and includes all the transitive dependencies.

The action will invoke maven using the `com.github.ferstl:depgraph-maven-plugin:4.0.1` plugin to generate JSON output of the complete dependency graph, which is then processed and submitted using the [Dependency Submission Toolkit](https://github.com/github/dependency-submission-toolkit) to the GitHub repository.
The action will invoke maven using the `com.github.ferstl:depgraph-maven-plugin:4.0.2` plugin to generate JSON output of the complete dependency graph, which is then processed and submitted using the [Dependency Submission Toolkit](https://github.com/github/dependency-submission-toolkit) to the GitHub repository.

> **Warning** The dependency submission APIs and toolkit are still currently in beta and as such subject to changes in future releases.

## Usage

As of version `3.0.0` this action now support Maven multi-module projects as well as additional Maven configuration parameters.


### Pre-requisites
For this action to work properly, you must have the Maven available on PATH (`mvn`) and configured to be able to access and pull your dependencies from whatever sources you have defined (i.e. a properly configured settings.xml or all details provided in the POM).
For this action to work properly, you must have the Maven available on PATH (`mvn`) or using a `mvnw` Maven wrapper in your maven project directory. Maven will need to be configured to be able to access and pull your dependencies from whatever sources you have defined (i.e. a properly configured `settings.xml` or all details provided in the POM).

Custom maven `settings.xml` can now be specified as an input parameter to the action.


### Inputs

* `directory` - The directory that contains the `pom.xml` that will be used to generate the dependency graph from. Defaults to the `github.workspace` which is where the source will check out to by default when using `actions/checkout` .

* `token` - The GitHub token that will be used to submit the generated dependency snapshot to the repository. Defaults to the `github.token` from the actions environment.

* `settings-file` - An optional path to a Maven settings.xml file that you want to use to provide additional configuration to Maven.

* `ingore-maven-wrapper` - An optional `true`/`false` flag parameter to ignore the Maven wrapper (if present) in the maven project directory and instead use the version of Maven from the `PATH`. This is set to `false` by default to use the wrapper if one is present.

* `maven-args` - An optional string value (space separated) options to pass to the maven command line when generating the dependency snapshot. This is empty by default.

* `snapshot-include-file-name`: Optional flag to control whether or no the path and file name of the pom.xml is provided with the snapshot submission. Defaults to `true` so as to create a link to the repository file from the dependency tree view, but at the cost of losing the POM `artifactId` when it renders.

* `snapshot-dependency-file-name`: An optional user control file path to the POM file, requires `snapshot-include-file-name` to be `true` for the value to be submitted.


## Examples

Generating and submitting a dependency snapshot using the defaults:

```
- name: Submit Dependency Snapshot
uses: advanced-security/maven-dependency-submission-action@v1
uses: advanced-security/maven-dependency-submission-action@v3
```

Upon success it will generate a snapshot captured from Maven POM like;
![Screenshot 2022-08-15 at 09 33 47](https://user-images.githubusercontent.com/681306/184603264-3cd69fda-75ff-4a46-b014-630acab60fab.png)


## Limitations

Currently the action is limited to single module Maven projects, with a future update that will add support for multi-module based projects.


## Command Line Usage

There are experimental command line clients, Linux only for now that will provide the same functionality as the GitHub Action but can be embedded into your existing CI tooling and invoked from the commandline to upload a dpendency snapshot.
There are experimental command line clients, Linux only for now that will provide the same functionality as the GitHub Action but can be embedded into your existing CI tooling and invoked from the commandline to upload a dependency snapshot.

You can obtain the executables from the [cli](./cli) directory of the repository for now.
You can obtain the executables from the latest actions workflow run https://github.com/advanced-security/maven-dependency-submission-action/actions/workflows/publish_executables.yml.

### Parameters

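Review bot: the input documented as `ingore-maven-wrapper` in the Inputs list is misspelt and will not match the `ignore-maven-wrapper` input that action.yml defines, so a user who copies the name from the README gets an unknown-input warning and the wrapper is still used; fix the spelling. The Limitations section still says "Currently the action is limited to single module Maven projects", which contradicts the new Usage sentence that `3.0.0` supports multi-module projects; remove or rewrite it in this PR. Smaller items: "whether or no" should be "whether or not", "now support" should be "now supports", and the `settings-file` description could note that a settings.xml typically carries repository server credentials, so it should come from the checkout or a secret-backed file and never be printed in the job log.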
24 changes: 24 additions & 0 deletions action.yml
@@ -11,6 +11,30 @@ inputs:
type: string
default: ${{ github.workspace }}

settings-file:
description: Optional path to a Maven settings.xml file for the dependencies to be resolved
type: string

ignore-maven-wrapper:
description: Flag for optionally ignoring any maven wrapper files (mvnw) and instead rely on the PATH provided mvn
type: boolean
default: false

maven-args:
description: Additional maven arguments to add to the command line invocation of maven when it generates the dependency snapshot
type: string
default: ''

snapshot-include-file-name:
description: Optionally include the file name in the dependency snapshot report to GitHub. This is required to be true if you want the results in the dependency tree to have a working link.
type: boolean
default: true

snapshot-dependency-file-name:
description: An optional override to specify the path to the file in the repository that the snapshot should be associated with.
type: string
required: false

token:
description: The GitHub token to use to submit the depedency snapshot to the repository
type: string
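Review bot: `maven-args` is a single free-form string that the README says is split on spaces, so an argument that itself contains a space (for example a quoted `-Dsome.prop="a b"`) cannot be passed intact; state that limitation in the description, or say exactly how the string is tokenised before it reaches the `mvn` command line. `snapshot-dependency-file-name` carries `required: false` while `settings-file` and `maven-args`, equally optional, do not; make that consistent. The `token` description in the context lines still reads "depedency snapshot" (typo).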
Binary file removed cli/maven-dependency-submission-linux-x64

0 comments on commit 72bdd87
