Merge branch 'main' into dependabot/npm_and_yarn/tar-fs-2.1.2

Author: aegilops

.github/CODEOWNERS

@@ -0,0 +1,3 @@
+# Managed and Maintained by:
+
+* @advanced-security/advanced-security-dependency-graph

dist/index.js

@@ -47,13 +47,19 @@ class MavenDependencyGraph {
             const artifact = this.packageUrlToArtifact[depPackage.packageURL.toString()];
             let scope = getDependencyScopeForMavenScope(artifact.scopes);
             manifest.addDirectDependency(depPackage, scope);
-            function addTransitiveDeps(dependencies) {
+            function addTransitiveDeps(dependencies, seen = new Set()) {
                 if (dependencies) {
                     dependencies.forEach(transitiveDep => {
-                        const transitiveDepArtifact = packageUrlToArtifact[transitiveDep.packageURL.toString()];
+                        let purl = transitiveDep.packageURL.toString();
+                        if (seen.has(purl)) {
+                            // we're in a cycle! skip this one.
+                            return;
+                        }
+                        const transitiveDepArtifact = packageUrlToArtifact[purl];
                         const transitiveDepScope = getDependencyScopeForMavenScope(transitiveDepArtifact.scopes);
                         manifest.addIndirectDependency(transitiveDep, transitiveDepScope);
-                        addTransitiveDeps(transitiveDep.dependencies);
+                        seen.add(purl);
+                        addTransitiveDeps(transitiveDep.dependencies, seen);
                     });
                 }
             }
@@ -484,7 +490,7 @@ const depgraph_1 = __nccwpck_require__(8047);
 const maven_runner_1 = __nccwpck_require__(7433);
 const file_utils_1 = __nccwpck_require__(799);
 const packageData = __nccwpck_require__(2876);
-const DEPGRAPH_MAVEN_PLUGIN_VERSION = '4.0.2';
+const DEPGRAPH_MAVEN_PLUGIN_VERSION = '4.0.3';
 function generateSnapshot(directory, mvnConfig, snapshotConfig) {
     return __awaiter(this, void 0, void 0, function* () {
         var _a, _b;
@@ -512,11 +518,11 @@ function generateSnapshot(directory, mvnConfig, snapshotConfig) {
             snapshot.job.correlator = (snapshotConfig === null || snapshotConfig === void 0 ? void 0 : snapshotConfig.correlator)
                 ? snapshotConfig.correlator
                 : (_b = snapshot.job) === null || _b === void 0 ? void 0 : _b.correlator;
-            const specifiedRef = getNonEmtptyValue(snapshotConfig === null || snapshotConfig === void 0 ? void 0 : snapshotConfig.ref);
+            const specifiedRef = getNonEmptyValue(snapshotConfig === null || snapshotConfig === void 0 ? void 0 : snapshotConfig.ref);
             if (specifiedRef) {
                 snapshot.ref = specifiedRef;
             }
-            const specifiedSha = getNonEmtptyValue(snapshot === null || snapshot === void 0 ? void 0 : snapshot.sha);
+            const specifiedSha = getNonEmptyValue(snapshot === null || snapshot === void 0 ? void 0 : snapshot.sha);
             if (specifiedSha) {
                 snapshot.sha = specifiedSha;
             }
@@ -616,7 +622,7 @@ function getRepositoryRelativePath(file) {
     core.debug(`Snapshot relative file =  ${result}`);
     return result;
 }
-function getNonEmtptyValue(str) {
+function getNonEmptyValue(str) {
     if (str) {
         const trimmed = str.trim();
         if (trimmed.length > 0) {
@@ -33295,7 +33301,7 @@ exports.submitSnapshot = L;
 /***/ ((module) => {
 
 "use strict";
-module.exports = JSON.parse('{"name":"maven-dependency-submission-action","version":"4.1.1","description":"Submit Maven dependencies to GitHub dependency submission API","main":"index.js","scripts":{"base-build":"npm ci && tsc","build":"npm run base-build && npm exec -- @vercel/ncc build --source-map lib/src/index.js","build-exe":"npm run build && pkg package.json --compress Gzip","test":"vitest --run"},"repository":{"type":"git","url":"git+https://github.com/advanced-security/maven-dependency-submission-action.git"},"keywords":[],"author":"GitHub, Inc","license":"MIT","bugs":{"url":"https://github.com/advanced-security/maven-dependency-submission-action/issues"},"homepage":"https://github.com/advanced-security/maven-dependency-submission-action","dependencies":{"@actions/core":"^1.10.1","@actions/exec":"^1.1.1","@github/dependency-submission-toolkit":"^2.0.0","commander":"^12.0.0","packageurl-js":"^1.2.0"},"devDependencies":{"@types/chai":"^4.3.1","@vercel/ncc":"^0.38.1","chai":"^4.3.6","@yao-pkg/pkg":"^5.11.5","ts-node":"^10.9.2","typescript":"^5.3.3","vitest":"^1.2.1"},"bin":{"cli":"lib/src/executable/cli.js"},"pkg":{"targets":["node20-linux-x64","node20-win-x64","node20-macos-x64"],"assets":["package.json"],"publicPackages":"*","outputPath":"cli"}}');
+module.exports = JSON.parse('{"name":"maven-dependency-submission-action","version":"4.1.2","description":"Submit Maven dependencies to GitHub dependency submission API","main":"index.js","scripts":{"base-build":"npm ci && tsc","build":"npm run base-build && npm exec -- @vercel/ncc build --source-map lib/src/index.js","build-exe":"npm run build && pkg package.json --compress Gzip","test":"vitest --run"},"repository":{"type":"git","url":"git+https://github.com/advanced-security/maven-dependency-submission-action.git"},"keywords":[],"author":"GitHub, Inc","license":"MIT","bugs":{"url":"https://github.com/advanced-security/maven-dependency-submission-action/issues"},"homepage":"https://github.com/advanced-security/maven-dependency-submission-action","dependencies":{"@actions/core":"^1.10.1","@actions/exec":"^1.1.1","@github/dependency-submission-toolkit":"^2.0.0","commander":"^12.0.0","packageurl-js":"^1.2.0"},"devDependencies":{"@types/chai":"^4.3.1","@vercel/ncc":"^0.38.1","chai":"^4.3.6","@yao-pkg/pkg":"^5.11.5","ts-node":"^10.9.2","typescript":"^5.3.3","vitest":"^1.6.1"},"bin":{"cli":"lib/src/executable/cli.js"},"pkg":{"targets":["node20-linux-x64","node20-win-x64","node20-macos-x64"],"assets":["package.json"],"publicPackages":"*","outputPath":"cli"}}');
 
 /***/ })
 

dist/index.js.map

@@ -116,6 +116,25 @@ describe('depgraph', () => {
       });
     });
 
+    describe('cycle-tree', () => {
+      let depGraph;
+      beforeAll(() => {
+        depGraph = parseDependencyJson(getTestDataFile("cycle-tree"));
+      });
+
+      it('should parse out the top level dependencies', () => {
+        const mavenDependencies = new MavenDependencyGraph(depGraph);
+        expect(mavenDependencies.getPackageCount()).to.equal(3);
+      });
+
+      it('should be able to generate a manifest despite having a cycle', () => {
+        const mavenDependencies = new MavenDependencyGraph(depGraph);
+        const manifest = mavenDependencies.createManifest();
+
+        expect(manifest.name).to.equal('hadoop-main');
+        expect(manifest.countDependencies()).to.equal(2);
+      })
+    });
 
     describe('bs-parent-dep-tree', () => {
 

src/depgraph.test.ts

@@ -85,13 +85,19 @@ export class MavenDependencyGraph {
       let scope = getDependencyScopeForMavenScope(artifact.scopes);
       manifest.addDirectDependency(depPackage, scope);
 
-      function addTransitiveDeps(dependencies) {
+      function addTransitiveDeps(dependencies, seen: Set<string> = new Set()) {
         if (dependencies) {
           dependencies.forEach(transitiveDep => {
-            const transitiveDepArtifact = packageUrlToArtifact[transitiveDep.packageURL.toString()];
+            let purl = transitiveDep.packageURL.toString();
+            if (seen.has(purl)) {
+              // we're in a cycle! skip this one.
+              return;
+            }
+            const transitiveDepArtifact = packageUrlToArtifact[purl];
             const transitiveDepScope = getDependencyScopeForMavenScope(transitiveDepArtifact.scopes);
             manifest.addIndirectDependency(transitiveDep, transitiveDepScope);
-            addTransitiveDeps(transitiveDep.dependencies);
+            seen.add(purl);
+            addTransitiveDeps(transitiveDep.dependencies, seen);
           });
         }
       }

src/depgraph.ts

@@ -7,7 +7,7 @@ import { MavenRunner } from './maven-runner';
 import { loadFileContents } from './utils/file-utils';
 
 const packageData = require('../package.json');
-const DEPGRAPH_MAVEN_PLUGIN_VERSION = '4.0.2';
+const DEPGRAPH_MAVEN_PLUGIN_VERSION = '4.0.3';
 
 export type MavenConfiguration = {
   ignoreMavenWrapper?: boolean;
@@ -58,12 +58,12 @@ export async function generateSnapshot(directory: string, mvnConfig?: MavenConfi
       ? snapshotConfig.correlator
       : snapshot.job?.correlator;
 
-    const specifiedRef = getNonEmtptyValue(snapshotConfig?.ref);
+    const specifiedRef = getNonEmptyValue(snapshotConfig?.ref);
     if (specifiedRef) {
       snapshot.ref = specifiedRef;
     }
 
-    const specifiedSha = getNonEmtptyValue(snapshot?.sha);
+    const specifiedSha = getNonEmptyValue(snapshot?.sha);
     if (specifiedSha) {
       snapshot.sha = specifiedSha;
     }
@@ -173,7 +173,7 @@ function getRepositoryRelativePath(file) {
   return result;
 }
 
-function getNonEmtptyValue(str?: string) {
+function getNonEmptyValue(str?: string) {
   if (str) {
     const trimmed = str.trim();
     if (trimmed.length > 0) {

src/snapshot-generator.ts

@@ -0,0 +1,57 @@
+{
+  "graphName" : "hadoop-main",
+  "artifacts" : [ {
+    "id" : "org.apache.hadoop:hadoop-annotations:jar:compile",
+    "numericId" : 1,
+    "groupId" : "org.apache.hadoop",
+    "artifactId" : "hadoop-annotations",
+    "version" : "3.5.0-SNAPSHOT",
+    "optional" : false,
+    "scopes" : [ "compile" ],
+    "types" : [ "jar" ]
+  }, {
+    "id" : "jdiff:jdiff:jar:provided",
+    "numericId" : 2,
+    "groupId" : "jdiff",
+    "artifactId" : "jdiff",
+    "version" : "1.0.9",
+    "optional" : false,
+    "scopes" : [ "provided" ],
+    "types" : [ "jar" ]
+  }, {
+    "id" : "org.apache.hadoop:hadoop-project-dist:pom:compile",
+    "numericId" : 3,
+    "groupId" : "org.apache.hadoop",
+    "artifactId" : "hadoop-project-dist",
+    "version" : "3.5.0-SNAPSHOT",
+    "optional" : false,
+    "scopes" : [ "compile" ],
+    "types" : [ "pom" ]
+  } ],
+  "dependencies" : [ {
+    "from" : "org.apache.hadoop:hadoop-annotations:jar:compile",
+    "to" : "jdiff:jdiff:jar:provided",
+    "numericFrom" : 1,
+    "numericTo" : 2,
+    "resolution" : "INCLUDED"
+  }, {
+    "from" : "org.apache.hadoop:hadoop-annotations:jar:compile",
+    "to" : "jdiff:jdiff:jar:provided",
+    "numericFrom" : 1,
+    "numericTo" : 3,
+    "resolution" : "INCLUDED"
+  }, {
+    "from" : "jdiff:jdiff:jar:provided",
+    "to" : "org.apache.hadoop:hadoop-project-dist:pom:compile",
+    "numericFrom" : 2,
+    "numericTo" : 3,
+    "resolution" : "INCLUDED"
+  }, {
+    "from" : "org.apache.hadoop:hadoop-project-dist:pom:compile",
+    "to" : "jdiff:jdiff:jar:provided",
+    "numericFrom" : 3,
+    "numericTo" : 2,
+    "resolution" : "INCLUDED"
+  }
+]
+}