
Update snapshot tests to integrate new custom-json-diff functionality. #1157

Merged
merged 4 commits into from
Jun 13, 2024

Conversation

cerrussell
Contributor

Changes

  • I have upgraded the functionality in custom-json-diff to better handle bom diffing
  • Handles version issue
  • Produces an HTML report in addition to the JSON
  • Comparison is of defined bom objects which allows for better control for different use cases

Notes on the current configuration of the tests

  • Will pass if the newly generated bom has the same components or dependencies at equal or greater versions. This also means that purl and bom-ref will not be used in the comparison given they will not be the same in such a scenario.
  • Will pass if the snapshot bom has empty fields and the newly generated bom has populated these fields
  • Includes licenses, properties, and evidence in comparison but not hashes

@prabhu @setchy I have tested with the snapshots, updated the ones which required updating (properties expanded for a couple) and there's one thing I need to check on.

Change of scope from optional to required for Bouncy Castle dependencies for netty. The netty pom indicates these are optional. Thoughts?

{
  "bom-ref": "pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.69?type=jar",
  "description": "The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.",
  "name": "bcpkix-jdk15on",
  "purl": "pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.69?type=jar",
  "scope": "optional",
  "type": "framework",
  "version": "1.69"
}
{
  "bom-ref": "pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.69?type=jar",
  "description": "The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.",
  "name": "bcpkix-jdk15on",
  "purl": "pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.69?type=jar",
  "scope": "required",
  "type": "framework",
  "version": "1.69"
}
<dependency>
  <groupId>org.bouncycastle</groupId>
  <artifactId>bcpkix-jdk15on</artifactId>
  <version>1.69</version>
  <scope>compile</scope>
  <optional>true</optional>
</dependency>

<!--
  Completely optional and only needed for OCSP stapling to construct and
  parse OCSP requests and responses.
-->
<dependency>
  <groupId>org.bouncycastle</groupId>
  <artifactId>bcprov-jdk15on</artifactId>
  <version>1.69</version>
  <scope>compile</scope>
  <optional>true</optional>
</dependency>

<!--
  Completely optional and only needed for ALPN.
-->
<dependency>
  <groupId>org.bouncycastle</groupId>
  <artifactId>bctls-jdk15on</artifactId>
  <version>1.69</version>
  <scope>compile</scope>
  <optional>true</optional>
</dependency>

Closes #1112
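The comparison rules listed in the notes above (equal-or-greater versions, purl/bom-ref and hashes ignored, empty snapshot fields satisfied by populated ones, licenses/properties/evidence compared), applied to two CycloneDX-style BOM dicts. This is an added example written for this page, not code from cdxgen or custom-json-diff; the BOM dicts and the version strings in them are constructed sample data, and keying components by (group, name) is an assumption about how the real tool identifies components.

```python
"""Added example: snapshot-style BOM comparison following the PR's stated rules.
Not code from cdxgen or custom-json-diff; sample data below is constructed."""
import re

# purl and bom-ref carry the version, so they change on every bump; hashes are
# excluded by the PR's rules.  None of these take part in the comparison.
IGNORED_KEYS = {"purl", "bom-ref", "hashes"}
# Fields compared one by one when the snapshot has them populated.
COMPARED_KEYS = ("type", "scope", "licenses", "properties", "evidence")


def version_tuple(version):
    """Turn '1.69', '4.1.100.Final' or '2.0-beta' into a comparable int tuple."""
    parts = []
    for piece in re.split(r"[.\-+]", version or ""):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_at_least(new, old):
    """True when the new version is equal to or greater than the snapshot one."""
    a, b = version_tuple(new), version_tuple(old)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def field_satisfied(snapshot_value, new_value):
    """An empty snapshot field accepts whatever the new BOM has; a populated
    one must match exactly."""
    if snapshot_value in (None, "", [], {}):
        return True
    return snapshot_value == new_value


def component_key(component):
    # Assumption: (group, name) identifies a component across version bumps.
    return (component.get("group", ""), component["name"])


def ref_to_key(bom):
    """Map bom-ref -> (group, name) so dependency edges compare without the
    version-bearing ref strings."""
    return {c["bom-ref"]: component_key(c)
            for c in bom.get("components", []) if "bom-ref" in c}


def edges(bom, refs):
    return {(refs.get(d["ref"], d["ref"]), refs.get(child, child))
            for d in bom.get("dependencies", []) for child in d.get("dependsOn", [])}


def compare_boms(snapshot, new):
    """Return a list of failure strings; an empty list means the snapshot passes."""
    failures = []
    new_components = {component_key(c): c for c in new.get("components", [])}
    for snap in snapshot.get("components", []):
        key = component_key(snap)
        cur = new_components.get(key)
        if cur is None:
            failures.append(f"component missing: {key[1]}")
            continue
        if not version_at_least(cur.get("version"), snap.get("version")):
            failures.append(f"{key[1]}: version {cur.get('version')} < {snap.get('version')}")
        for field in COMPARED_KEYS:
            if not field_satisfied(snap.get(field), cur.get(field)):
                failures.append(f"{key[1]}: {field} {snap.get(field)!r} != {cur.get(field)!r}")
    # Dependency edges are compared by component identity, not by versioned refs.
    for parent, child in edges(snapshot, ref_to_key(snapshot)) - edges(new, ref_to_key(new)):
        failures.append(f"dependency edge missing: {parent[1]} -> {child[1]}")
    return failures


# Constructed sample: the new BOM bumps both versions, fills in properties,
# changes hashes (ignored) and flips scope (reported), as in the PR discussion.
SNAPSHOT = {
    "components": [
        {"bom-ref": "pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.69?type=jar",
         "group": "org.bouncycastle", "name": "bcpkix-jdk15on", "version": "1.69",
         "scope": "optional", "type": "framework", "properties": [],
         "hashes": [{"alg": "SHA-256", "content": "constructed-old"}]},
        {"bom-ref": "pkg:maven/io.netty/netty-handler@4.1.100.Final?type=jar",
         "group": "io.netty", "name": "netty-handler", "version": "4.1.100.Final",
         "type": "library"},
    ],
    "dependencies": [{"ref": "pkg:maven/io.netty/netty-handler@4.1.100.Final?type=jar",
                      "dependsOn": ["pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.69?type=jar"]}],
}
NEW = {
    "components": [
        {"bom-ref": "pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.70?type=jar",
         "group": "org.bouncycastle", "name": "bcpkix-jdk15on", "version": "1.70",
         "scope": "required", "type": "framework",
         "properties": [{"name": "SrcFile", "value": "pom.xml"}],
         "hashes": [{"alg": "SHA-256", "content": "constructed-new"}]},
        {"bom-ref": "pkg:maven/io.netty/netty-handler@4.1.101.Final?type=jar",
         "group": "io.netty", "name": "netty-handler", "version": "4.1.101.Final",
         "type": "library"},
    ],
    "dependencies": [{"ref": "pkg:maven/io.netty/netty-handler@4.1.101.Final?type=jar",
                      "dependsOn": ["pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.70?type=jar"]}],
}


def run_example():
    """Only the scope flip should be reported for the sample above."""
    return compare_boms(SNAPSHOT, NEW)


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

The version bump, the populated `properties` and the changed hashes all pass silently; the only line printed is the scope change, which is exactly the netty case raised in the description.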

@prabhu
Collaborator

prabhu commented Jun 8, 2024

@cerrussell, Impressive work!

Change of scope from optional to required for Bouncy Castle dependencies for netty

I think the cyclonedx maven plugin currently over-reports required dependencies. I noticed this while trying the new maven deps tree approach using the environment variable PREFER_MAVEN_DEPS_TREE=true. Are you seeing the differences upon repeated runs for the same project?

@cerrussell
Contributor Author

@prabhu I don't have PREFER_MAVEN_DEPS_TREE=true but I get this for netty@7ad2b91515b3affaeadb4b2975cd6d2a8342c403

@prabhu
Collaborator

prabhu commented Jun 11, 2024

@cerrussell any updates? Did you get a chance to test the last two versions of the cyclonedx maven plugin directly?

@cerrussell
Contributor Author

@prabhu I ran the maven plugin directly and got the same thing. However, I did a bit of digging and I think what's actually happened is that the devs at netty thought they had made these dependencies optional, but because of the way one of their plugins worked, they were mandatory. This commit (Remove unwanted mandatory dependency in OSGi) details what happened, and it makes sense why the cyclonedx maven plugin changed what were intended to be optional dependencies to required... it is actually correct.

I'm therefore going to update the netty bom and then we should be good to go.

Signed-off-by: Caroline Russell <caroline@appthreat.dev>
Signed-off-by: Caroline Russell <caroline@appthreat.dev>

Troubleshoot pnpm issue.

Signed-off-by: Caroline Russell <caroline@appthreat.dev>
Signed-off-by: Caroline Russell <caroline@appthreat.dev>
@cerrussell cerrussell marked this pull request as ready for review June 12, 2024 03:06
@cerrussell
Contributor Author

@prabhu @setchy ready for review

Signed-off-by: Caroline Russell <caroline@appthreat.dev>
@cerrussell cerrussell requested a review from prabhu June 12, 2024 19:50
@prabhu prabhu merged commit ab1f716 into master Jun 13, 2024
25 checks passed
@prabhu prabhu deleted the fix/custom-json-diff branch June 13, 2024 12:39
Successfully merging this pull request may close these issues.

Snapshot Tests - sample project dependency issue