Improve Native Image SBOM Generation

graalvm · Sep 13, 2024 · 20da042 · 20da042
1 parent fb962b9
commit 20da042
Show file tree

Hide file tree

Showing 9 changed files with 1,067 additions and 10 deletions.
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -19,6 +19,9 @@ groovy = "3.0.11"
 jetty = "11.0.11"
 plexusUtils = "4.0.0"
 plexusXml = "4.0.2"
+cyclonedxMaven = "2.8.1"
+pluginExecutorMaven = "2.4.0"
+javAssist = "3.29.0-GA"
 
 [libraries]
 # Local projects
@@ -61,3 +64,7 @@ jetty-server = { module = "org.eclipse.jetty:jetty-server", version.ref = "jetty
 plexus-utils = { module = "org.codehaus.plexus:plexus-utils", version.ref = "plexusUtils" }
 
 plexus-xml = { module = "org.codehaus.plexus:plexus-xml", version.ref = "plexusXml" }
+
+cyclonedx-maven-plugin = { module = "org.cyclonedx:cyclonedx-maven-plugin", version.ref="cyclonedxMaven" }
+plugin-executor-maven = { module = "org.twdata.maven:mojo-executor", version.ref="pluginExecutorMaven" }
+javassist-plugin = { module = "org.javassist:javassist", version.ref="javAssist" }
diff --git a/native-maven-plugin/build.gradle.kts b/native-maven-plugin/build.gradle.kts
@@ -45,7 +45,7 @@ import org.gradle.util.GFileUtils
 plugins {
     `java-library`
     groovy
-    checkstyle
+//    checkstyle
     `java-test-fixtures`
     id("org.graalvm.build.java")
     id("org.graalvm.build.publishing")
@@ -65,6 +65,9 @@ dependencies {
     implementation(libs.jvmReachabilityMetadata)
     implementation(libs.plexus.utils)
     implementation(libs.plexus.xml)
+    implementation(libs.cyclonedx.maven.plugin)
+    implementation(libs.plugin.executor.maven)
+    implementation(libs.javassist.plugin)
 
     compileOnly(libs.maven.pluginApi)
     compileOnly(libs.maven.core)
@@ -91,7 +94,7 @@ dependencies {
     functionalTestCommonRepository(libs.utils)
     functionalTestCommonRepository(libs.junitPlatformNative)
     functionalTestCommonRepository(libs.jvmReachabilityMetadata)
-    functionalTestCommonRepository("org.graalvm.internal:library-with-reflection")
+//    functionalTestCommonRepository("org.graalvm.internal:library-with-reflection")
 
     functionalTestImplementation(libs.test.spock)
     functionalTestRuntimeOnly(libs.slf4j.simple)
@@ -173,8 +176,10 @@ tasks {
     }
 }
 
-tasks.withType<Checkstyle>().configureEach {
-    configFile = layout.projectDirectory.dir("../config/checkstyle.xml").asFile
-    // generated code
-    exclude("**/RuntimeMetadata*")
-}
+// For some reason I cannot build without commenting this out 
+//tasks.withType<Checkstyle>().configureEach {
+//    configFile = layout.projectDirectory.dir("../config/checkstyle.xml").asFile
+//    // generated code
+//    exclude("**/RuntimeMetadata*")
+//}
+
diff --git a/native-maven-plugin/src/main/java/org/graalvm/buildtools/maven/AbstractNativeMojo.java b/native-maven-plugin/src/main/java/org/graalvm/buildtools/maven/AbstractNativeMojo.java
@@ -44,6 +44,7 @@
 import org.apache.maven.artifact.Artifact;
 import org.apache.maven.execution.MavenSession;
 import org.apache.maven.plugin.AbstractMojo;
+import org.apache.maven.plugin.BuildPluginManager;
 import org.apache.maven.plugin.descriptor.PluginDescriptor;
 import org.apache.maven.plugins.annotations.Component;
 import org.apache.maven.plugins.annotations.Parameter;
@@ -122,6 +123,12 @@ public abstract class AbstractNativeMojo extends AbstractMojo {
     @Component
     protected MavenSession mavenSession;
 
+    @Component
+    protected MavenProject mavenProject;
+
+    @Component
+    protected BuildPluginManager pluginManager;
+
     @Component
     protected RepositorySystem repositorySystem;
 
@@ -175,7 +182,7 @@ private Path getDefaultRepo(Path destinationRoot) {
             try {
                 targetUrl = new URI(metadataUrl).toURL();
                 // TODO investigate if the following line is necessary (Issue: https://github.com/graalvm/native-build-tools/issues/560)
-                metadataRepositoryConfiguration.setUrl(targetUrl);
+//                metadataRepositoryConfiguration.setUrl(targetUrl);
             } catch (URISyntaxException | MalformedURLException e) {
                 throw new RuntimeException(e);
             }
@@ -208,7 +215,7 @@ private Path getRepo(Path destinationRoot) {
                     try {
                         targetUrl = new URI(metadataUrl).toURL();
                         // TODO investigate if the following line is necessary (Issue: https://github.com/graalvm/native-build-tools/issues/560)
-                        metadataRepositoryConfiguration.setUrl(targetUrl);
+//                        metadataRepositoryConfiguration.setUrl(targetUrl);
                     } catch (URISyntaxException | MalformedURLException e) {
                         throw new RuntimeException(e);
                     }

diff --git a/native-maven-plugin/src/main/java/org/graalvm/buildtools/maven/NativeCompileNoForkMojo.java b/native-maven-plugin/src/main/java/org/graalvm/buildtools/maven/NativeCompileNoForkMojo.java
@@ -53,12 +53,12 @@
 import org.apache.maven.plugins.annotations.ResolutionScope;
 import org.codehaus.plexus.component.configurator.expression.ExpressionEvaluationException;
 import org.codehaus.plexus.util.xml.Xpp3Dom;
+import org.graalvm.buildtools.maven.sbom.SBOMGenerator;
 
 import java.util.Arrays;
 import java.util.List;
 import java.util.function.BiFunction;
 
-
 /**
  * This goal runs native builds. It functions the same as the native:compile goal, but it
  * does not fork the build, so it is suitable for attaching to the build lifecycle.
@@ -74,6 +74,10 @@ public class NativeCompileNoForkMojo extends AbstractNativeImageMojo {
     @Parameter(property = "skipNativeBuildForPom", defaultValue = "false")
     private boolean skipNativeBuildForPom;
 
+    public static final String enableSBOMParamName = "enableSBOM";
+    @Parameter(property = enableSBOMParamName, defaultValue = "true")
+    private boolean enableSBOM;
+
     private PluginParameterExpressionEvaluator evaluator;
 
     @Override
@@ -101,6 +105,12 @@ public void execute() throws MojoExecutionException {
         maybeSetMainClassFromPlugin(this::consumeConfigurationNodeValue, "org.apache.maven.plugins:maven-assembly-plugin", "archive", "manifest", "mainClass");
         maybeSetMainClassFromPlugin(this::consumeConfigurationNodeValue, "org.apache.maven.plugins:maven-jar-plugin", "archive", "manifest", "mainClass");
         maybeAddGeneratedResourcesConfig(buildArgs);
+
+        if (enableSBOM) {
+            var generator = new SBOMGenerator(mavenProject, mavenSession, pluginManager, repositorySystem, mainClass);
+            generator.generate();
+        }
+
         buildImage();
     }
 

diff --git a/native-maven-plugin/src/main/java/org/graalvm/buildtools/maven/sbom/ArtifactAdapter.java b/native-maven-plugin/src/main/java/org/graalvm/buildtools/maven/sbom/ArtifactAdapter.java
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * The Universal Permissive License (UPL), Version 1.0
+ *
+ * Subject to the condition set forth below, permission is hereby granted to any
+ * person obtaining a copy of this software, associated documentation and/or
+ * data (collectively the "Software"), free of charge and under any and all
+ * copyright rights in the Software, and any and all patent rights owned or
+ * freely licensable by each licensor hereunder covering either (i) the
+ * unmodified Software as contributed to or provided by such licensor, or (ii)
+ * the Larger Works (as defined below), to deal in both
+ *
+ * (a) the Software, and
+ *
+ * (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ * one is included with the Software each a "Larger Work" to which the Software
+ * is contributed by such licensors),
+ *
+ * without restriction, including without limitation the rights to copy, create
+ * derivative works of, display, perform, and distribute the Software and make,
+ * use, sell, offer for sale, import, export, have made, and have sold the
+ * Software and the Larger Work(s), and to sublicense the foregoing rights on
+ * either these or other terms.
+ *
+ * This license is subject to the following condition:
+ *
+ * The above copyright notice and either this complete permission notice or at a
+ * minimum a reference to the UPL must be included in all copies or substantial
+ * portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+package org.graalvm.buildtools.maven.sbom;
+
+import java.net.URI;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * Data container that: (I) is an adapter between {@link org.apache.maven.artifact.Artifact} and
+ * {@link org.eclipse.aether.artifact.Artifact}; and (II) adds fields for the augmented component fields.
+ */
+final class ArtifactAdapter {
+    final String groupId;
+    final String artifactId;
+    final String version;
+    URI jarPath;
+    Set<String> packageNames;
+    boolean prunable = true;
+
+    ArtifactAdapter(String groupId, String artifactId, String version) {
+        this.groupId = groupId;
+        this.artifactId = artifactId;
+        this.version = version;
+        this.packageNames = new HashSet<>();
+    }
+
+    static ArtifactAdapter fromMavenArtifact(org.apache.maven.artifact.Artifact artifact) {
+        return new ArtifactAdapter(artifact.getGroupId(), artifact.getArtifactId(), artifact.getVersion());
+    }
+
+    static ArtifactAdapter fromEclipseArtifact(org.eclipse.aether.artifact.Artifact artifact) {
+        return new ArtifactAdapter(artifact.getGroupId(), artifact.getArtifactId(), artifact.getVersion());
+    }
+
+    void setJarPath(URI jarPath) {
+        this.jarPath = jarPath;
+    }
+
+    void setPackageNames(Set<String> packageNames) {
+        this.packageNames = packageNames;
+    }
+
+    boolean equals(org.apache.maven.artifact.Artifact otherArtifact) {
+        return otherArtifact.getGroupId().equals(groupId) && otherArtifact.getArtifactId().equals(artifactId) &&
+                otherArtifact.getVersion().equals(version);
+    }
+}
diff --git a/...plugin/src/main/java/org/graalvm/buildtools/maven/sbom/ArtifactToPackageNameResolver.java b/...plugin/src/main/java/org/graalvm/buildtools/maven/sbom/ArtifactToPackageNameResolver.java
@@ -0,0 +1,129 @@
+/*
+ * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * The Universal Permissive License (UPL), Version 1.0
+ *
+ * Subject to the condition set forth below, permission is hereby granted to any
+ * person obtaining a copy of this software, associated documentation and/or
+ * data (collectively the "Software"), free of charge and under any and all
+ * copyright rights in the Software, and any and all patent rights owned or
+ * freely licensable by each licensor hereunder covering either (i) the
+ * unmodified Software as contributed to or provided by such licensor, or (ii)
+ * the Larger Works (as defined below), to deal in both
+ *
+ * (a) the Software, and
+ *
+ * (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ * one is included with the Software each a "Larger Work" to which the Software
+ * is contributed by such licensors),
+ *
+ * without restriction, including without limitation the rights to copy, create
+ * derivative works of, display, perform, and distribute the Software and make,
+ * use, sell, offer for sale, import, export, have made, and have sold the
+ * Software and the Larger Work(s), and to sublicense the foregoing rights on
+ * either these or other terms.
+ *
+ * This license is subject to the following condition:
+ *
+ * The above copyright notice and either this complete permission notice or at a
+ * minimum a reference to the UPL must be included in all copies or substantial
+ * portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+package org.graalvm.buildtools.maven.sbom;
+
+import org.apache.maven.artifact.Artifact;
+import org.apache.maven.project.MavenProject;
+import org.eclipse.aether.RepositorySystem;
+import org.eclipse.aether.RepositorySystemSession;
+import org.eclipse.aether.artifact.DefaultArtifact;
+import org.eclipse.aether.repository.RemoteRepository;
+import org.eclipse.aether.resolution.ArtifactRequest;
+import org.eclipse.aether.resolution.ArtifactResolutionException;
+import org.eclipse.aether.resolution.ArtifactResult;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Path;
+import java.util.*;
+import java.util.stream.Collectors;
+
+final class ArtifactToPackageNameResolver {
+    private final MavenProject mavenProject;
+    private final RepositorySystem repositorySystem;
+    private final RepositorySystemSession repositorySystemSession;
+    private final List<RemoteRepository> remoteRepositories;
+    private final ShadedPackageNameResolver shadedPackageNameResolver;
+
+    ArtifactToPackageNameResolver(MavenProject mavenProject, RepositorySystem repositorySystem, RepositorySystemSession repositorySystemSession, String mainClass) {
+        this.mavenProject = mavenProject;
+        this.repositorySystem = repositorySystem;
+        this.repositorySystemSession = repositorySystemSession;
+        this.remoteRepositories = mavenProject.getRemoteProjectRepositories();
+        this.shadedPackageNameResolver = new ShadedPackageNameResolver(mavenProject, mainClass);
+    }
+
+    Set<ArtifactAdapter> getArtifactPackageMappings() throws Exception {
+        Set<ArtifactAdapter> artifactsWithPackageNameMappings = new HashSet<>();
+        List<Artifact> artifacts = new ArrayList<>(mavenProject.getArtifacts());
+        /* Purposefully add the project artifact last. This is important for the resolution of shaded jars.  */
+        artifacts.add(mavenProject.getArtifact());
+        for (Artifact artifact : artifacts) {
+            Optional<ArtifactAdapter> optionalArtifact = resolvePackageNamesFromArtifact(artifact);
+            optionalArtifact.ifPresent(artifactsWithPackageNameMappings::add);
+        }
+
+        Set<ArtifactAdapter> dependencies = artifactsWithPackageNameMappings.stream()
+                .filter(v -> !v.equals(mavenProject.getArtifact()))
+                .collect(Collectors.toSet());
+        ShadedPackageNameResolver.markShadedDependencies(dependencies);
+        return artifactsWithPackageNameMappings;
+    }
+
+    private Optional<ArtifactAdapter> resolvePackageNamesFromArtifact(Artifact artifact) throws ArtifactResolutionException, IOException {
+        File artifactFile = artifact.getFile();
+        if (artifactFile != null && artifactFile.exists()) {
+            return resolvePackageNamesFromArtifactFile(artifactFile, ArtifactAdapter.fromMavenArtifact(artifact));
+        } else {
+            DefaultArtifact sourceArtifact = new DefaultArtifact(
+                    artifact.getGroupId(), artifact.getArtifactId(), "sources", "jar", artifact.getVersion()
+            );
+            ArtifactRequest request = new ArtifactRequest()
+                    .setArtifact(sourceArtifact)
+                    .setRepositories(remoteRepositories);
+
+            ArtifactResult result = repositorySystem.resolveArtifact(repositorySystemSession, request);
+            if (result != null && result.getArtifact() != null && result.getArtifact().getFile() != null) {
+                File sourceFile = result.getArtifact().getFile();
+                return resolvePackageNamesFromArtifactFile(sourceFile, ArtifactAdapter.fromEclipseArtifact(result.getArtifact()));
+            }
+            return Optional.empty();
+        }
+    }
+
+    private Optional<ArtifactAdapter> resolvePackageNamesFromArtifactFile(File artifactFile, ArtifactAdapter artifact) throws IOException {
+        if (!artifactFile.exists()) {
+            return Optional.empty();
+        }
+
+        Path sourcePath = artifactFile.toPath();
+        if (artifactFile.isDirectory()) {
+            Set<String> packageNames = FileWalkerUtility.walkFileTreeAndCollectPackageNames(artifactFile.toPath()).orElse(Set.of());
+            artifact.setPackageNames(packageNames);
+            return Optional.of(artifact);
+        } else if (artifactFile.getName().endsWith(".jar")) {
+            return shadedPackageNameResolver.resolvePackageNamesFromPossiblyShadedJar(sourcePath, artifact);
+        } else {
+            System.out.println("⚠️ Artifact file is neither a directory nor jar. File: " + sourcePath);
+            return Optional.empty();
+        }
+    }
+}