1 parent
6f7e66a
commit a7eeb60
Showing
12 changed files
with
530 additions
and
0 deletions.
@@ -0,0 +1,20 @@ | ||
group 'net.ossindex' | ||
version '1.0-SNAPSHOT' | ||
|
||
apply plugin: 'java' | ||
apply plugin: 'groovy' | ||
apply plugin: 'maven' | ||
|
||
sourceCompatibility = 1.8 | ||
|
||
repositories { | ||
mavenCentral() | ||
} | ||
|
||
dependencies { | ||
compile gradleApi() | ||
compile 'net.ossindex:ossindex-api:2.0.3' | ||
//compile 'org.eclipse.aether:aether-api:1.1.0' | ||
//compile 'org.eclipse.aether:aether-util:1.1.0' | ||
testCompile 'junit:junit:4.12' | ||
} |
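Review bot: The two commented-out lines `//compile 'org.eclipse.aether:aether-api:1.1.0'` and `//compile 'org.eclipse.aether:aether-util:1.1.0'` in the dependencies block are dead configuration that a reader cannot tell from an intended-but-disabled dependency. Either delete them or replace them with a one-line comment stating why Aether is not used, e.g. `// Aether resolution is not needed: artifacts come from Gradle's own resolved configurations`. Pinning `ossindex-api` to an exact version is good; keep that when the dead lines go.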
@@ -0,0 +1,2 @@ | ||
rootProject.name = 'ossindex-gradle-plugin' | ||
|
@@ -0,0 +1,42 @@ | ||
package net.ossindex.gradle; | ||
|
||
import net.ossindex.gradle.audit.DependencyAuditor; | ||
import net.ossindex.gradle.input.GradleArtifact; | ||
import net.ossindex.gradle.input.ArtifactGatherer; | ||
import net.ossindex.gradle.output.AuditResultReporter; | ||
import org.gradle.api.Plugin; | ||
import org.gradle.api.Project; | ||
import org.gradle.api.Task; | ||
import org.gradle.api.artifacts.ModuleVersionIdentifier; | ||
import org.slf4j.Logger; | ||
import org.slf4j.LoggerFactory; | ||
|
||
import java.io.IOException; | ||
import java.util.Set; | ||
|
||
public class OssIndexPlugin implements Plugin<Project> { | ||
|
||
private static final Logger logger = LoggerFactory.getLogger(OssIndexPlugin.class); | ||
|
||
@Override | ||
public void apply(Project project) { | ||
Task audit = project.task("audit"); | ||
audit.doLast(this::doAudit); | ||
} | ||
|
||
private void doAudit(Task task) { | ||
ArtifactGatherer gatherer = new ArtifactGatherer(); | ||
Set<GradleArtifact> gradleArtifacts = gatherer.gatherResolvedArtifacts(task.getProject()); | ||
DependencyAuditor auditor = new DependencyAuditor(gradleArtifacts); | ||
AuditResultReporter reporter = new AuditResultReporter(gradleArtifacts); | ||
|
||
logger.info(String.format("Found %s gradleArtifacts to audit", gradleArtifacts.size())); | ||
|
||
try { | ||
reporter.reportResult(auditor.runAudit()); | ||
} catch (IOException e) { | ||
e.printStackTrace(); | ||
} | ||
} | ||
|
||
} |
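Review bot: The `catch (IOException e) { e.printStackTrace(); }` in `doAudit` turns a failed audit into a successful task: if the OSS Index request fails, the stack trace goes to stderr and the `audit` task completes normally, so a build that uses this task as a gate passes without having audited anything. Fail the task instead, `} catch (IOException e) { throw new GradleException("OSS Index audit failed", e); }`, which needs `import org.gradle.api.GradleException;`. Separately, `logger.info(String.format("Found %s gradleArtifacts to audit", gradleArtifacts.size()))` should use the SLF4J parameterized form, `logger.info("Found {} gradleArtifacts to audit", gradleArtifacts.size());`, so the string is only built when INFO is enabled.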
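--- a/src/main/java/net/ossindex/gradle/audit/DependencyAuditor.java
+++ b/src/main/java/net/ossindex/gradle/audit/DependencyAuditor.java
@@ -0,0 +1,53 @@
+package net.ossindex.gradle.audit;
+
+import net.ossindex.common.IPackageRequest;
+import net.ossindex.common.OssIndexApi;
+import net.ossindex.common.PackageDescriptor;
+import net.ossindex.gradle.input.GradleArtifact;
+
+import java.io.IOException;
+import java.util.*;
+
+public class DependencyAuditor {
+    private Map<PackageDescriptor, PackageDescriptor> parents = new HashMap<PackageDescriptor, PackageDescriptor>();
+    private IPackageRequest request = OssIndexApi.createPackageRequest();
+
+    public DependencyAuditor(Set<GradleArtifact> gradleArtifacts) {
+        addArtifactsToAudit(gradleArtifacts);
+    }
+
+    public Collection<MavenPackageDescriptor> runAudit() throws IOException {
+        List<MavenPackageDescriptor> results = new LinkedList<>();
+        Collection<PackageDescriptor> packages = request.run();
+        for (PackageDescriptor pkg : packages) {
+            MavenPackageDescriptor mvnPkg = new MavenPackageDescriptor(pkg);
+            if (parents.containsKey(pkg)) {
+                PackageDescriptor parent = parents.get(pkg);
+                if (parent != null) {
+                    mvnPkg.setParent(new MavenIdWrapper(parent));
+                }
+            }
+            results.add(mvnPkg);
+        }
+        return results;
+    }
+
+    private void addArtifactsToAudit(Set<GradleArtifact> gradleArtifacts) {
+        gradleArtifacts.forEach(this::addArtifact);
+    }
+
+    private void addPackageDependencies(PackageDescriptor parent, GradleArtifact gradleArtifact) {
+        PackageDescriptor pkgDep = new PackageDescriptor("maven", gradleArtifact.getGroup(), gradleArtifact.getName(), gradleArtifact.getVersion());
+        if (!parents.containsKey(pkgDep)) {
+            pkgDep = request.add("maven", gradleArtifact.getGroup(), gradleArtifact.getName(), gradleArtifact.getVersion());
+            parents.put(pkgDep, parent);
+        }
+    }
+
+    private void addArtifact(GradleArtifact gradleArtifact) {
+        PackageDescriptor parent = request.add("maven", gradleArtifact.getGroup(), gradleArtifact.getName(), gradleArtifact.getVersion());
+        parents.put(parent, null);
+        gradleArtifact.getAllChildren().forEach(c -> addPackageDependencies(parent, c));
+    }
+
+}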
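Review bot: The de-duplication in `addPackageDependencies` compares a locally constructed `PackageDescriptor` against keys returned by `request.add(...)`, so it only works if `PackageDescriptor` defines value-based `equals`/`hashCode`; that class is not visible here, and if it uses identity the guard never fires and every transitive dependency is sent to the API again. `addArtifact` has no guard at all: each top-level artifact is added to the request unconditionally and `parents.put(parent, null)` overwrites any parent recorded for it earlier, so an artifact that is both a direct and a transitive dependency loses its parent link depending on iteration order. Add a comment stating the equality assumption, `// relies on PackageDescriptor value equality (group/name/version); verify in ossindex-api`, and apply the same `containsKey` check before the root `request.add`. In `runAudit` the `containsKey` plus `get` pair can be one lookup, `PackageDescriptor parent = parents.get(pkg); if (parent != null) { ... }`, since null values are already treated as "no parent"; `new LinkedList<>()` and the explicit `HashMap<PackageDescriptor, PackageDescriptor>` type arguments would read better as `new ArrayList<>()` and a diamond.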
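--- a/src/main/java/net/ossindex/gradle/audit/MavenIdWrapper.java
+++ b/src/main/java/net/ossindex/gradle/audit/MavenIdWrapper.java
@@ -0,0 +1,118 @@
+package net.ossindex.gradle.audit;
+
+import net.ossindex.common.PackageDescriptor;
+
+public class MavenIdWrapper {
+
+    protected String groupId;
+    protected String artifactId;
+    protected String version;
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+
+        MavenIdWrapper that = (MavenIdWrapper) o;
+
+        return getMavenVersionId() != null ? getMavenVersionId().equals(that.getMavenVersionId()) : that.getMavenVersionId() == null;
+    }
+
+    @Override
+    public int hashCode() {
+        return getMavenVersionId() != null ? getMavenVersionId().hashCode() : 0;
+    }
+
+    /**
+     * Required for serialization
+     */
+    public MavenIdWrapper() {
+
+    }
+
+    public MavenIdWrapper(PackageDescriptor pkg) {
+        this.setGroupId(pkg.getGroup());
+        this.setArtifactId(pkg.getName());
+        this.setVersion(pkg.getVersion());
+    }
+
+    /**
+     * @return the groupId
+     */
+    public String getGroupId() {
+        return groupId;
+    }
+
+    /**
+     * @param groupId the groupId to set
+     */
+    public void setGroupId(String groupId) {
+        this.groupId = groupId;
+    }
+
+    /**
+     * @return the artifactId
+     */
+    public String getArtifactId() {
+        return artifactId;
+    }
+
+    /**
+     * @param artifactId the artifactId to set
+     */
+    public void setArtifactId(String artifactId) {
+        this.artifactId = artifactId;
+    }
+
+    /**
+     * @return the version
+     */
+    public String getVersion() {
+        return version;
+    }
+
+    /**
+     * @param version the version to set
+     */
+    public void setVersion(String version) {
+        this.version = version;
+    }
+
+    /**
+     * Get the Maven ID excluding the version
+     *
+     * @return the Maven ID
+     */
+    public String getMavenPackageId() {
+        StringBuilder sb = new StringBuilder();
+        if (groupId != null) {
+            sb.append(groupId);
+        }
+        sb.append(":");
+        if (artifactId != null) {
+            sb.append(artifactId);
+        }
+        return sb.toString();
+    }
+
+    /**
+     * Get the maven ID including the version
+     *
+     * @return the maven ID
+     */
+    public String getMavenVersionId() {
+        StringBuilder sb = new StringBuilder();
+        if (groupId != null) {
+            sb.append(groupId);
+        }
+        sb.append(":");
+        if (artifactId != null) {
+            sb.append(artifactId);
+        }
+        sb.append(":");
+        if (version != null) {
+            sb.append(version);
+        }
+        return sb.toString();
+    }
+}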
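Review bot: The null branches in `equals` and `hashCode` are unreachable: `getMavenVersionId()` always returns `sb.toString()`, never null, so the ternaries can be `return getMavenVersionId().equals(that.getMavenVersionId());` and `return getMavenVersionId().hashCode();`. Because the identity is built from nullable fields with `:` separators, a wrapper with a null `groupId` and one with an empty `groupId` compare equal, and the public setters can change `equals`/`hashCode` after an instance has been placed in a hash-based collection; a class-level Javadoc should state both, e.g. `Equality and hashing are based on the "group:artifact:version" string, so null and empty components are indistinguishable and instances must not be mutated while used as hash keys.` `getMavenVersionId()` could also be written as `getMavenPackageId() + ":" + (version != null ? version : "")` so the two builders do not drift apart.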
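--- a/src/main/java/net/ossindex/gradle/audit/MavenPackageDescriptor.java
+++ b/src/main/java/net/ossindex/gradle/audit/MavenPackageDescriptor.java
@@ -0,0 +1,76 @@
+package net.ossindex.gradle.audit;
+
+import net.ossindex.common.PackageDescriptor;
+import net.ossindex.common.VulnerabilityDescriptor;
+import org.gradle.internal.impldep.com.google.gson.annotations.SerializedName;
+
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlElementWrapper;
+import java.util.List;
+
+public class MavenPackageDescriptor extends MavenIdWrapper {
+
+    private MavenIdWrapper parent;
+
+    @XmlElement(name = "vulnerability-total")
+    @SerializedName("vulnerability-total")
+    private int vulnerabilityTotal;
+
+    @XmlElement(name = "vulnerability-matches")
+    @SerializedName("vulnerability-matches")
+    private int vulnerabilityMatches;
+
+    @XmlElementWrapper(name = "vulnerabilities")
+    @XmlElement(name = "vulnerability")
+    private List<VulnerabilityDescriptor> vulnerabilities;
+
+    /**
+     * Constructor required by jaxb
+     */
+    public MavenPackageDescriptor() {
+
+    }
+
+    public MavenPackageDescriptor(PackageDescriptor pkg) {
+        groupId = pkg.getGroup();
+        artifactId = pkg.getName();
+        version = pkg.getVersion();
+        vulnerabilityTotal = pkg.getVulnerabilityTotal();
+        vulnerabilityMatches = pkg.getVulnerabilityMatches();
+        vulnerabilities = pkg.getVulnerabilities();
+    }
+
+    public void setParent(MavenIdWrapper parent) {
+        this.parent = parent;
+    }
+
+    public MavenIdWrapper getParent() {
+        return parent;
+    }
+
+    /**
+     * Get the total number of vulnerabilities for the package identified on the server.
+     *
+     * @return Total number of vulnerabilities.
+     */
+    public int getVulnerabilityTotal() {
+        return vulnerabilityTotal;
+    }
+
+    /**
+     * Get the total number of vulnerabilities matching the supplied version.
+     *
+     * @return Number of matching vulnerabilities
+     */
+    public int getVulnerabilityMatches() {
+        return vulnerabilityMatches;
+    }
+
+    /**
+     * Get vulnerabilities belonging to this package.
+     */
+    public List<VulnerabilityDescriptor> getVulnerabilities() {
+        return vulnerabilities;
+    }
+
+}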
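Review bot: `import org.gradle.internal.impldep.com.google.gson.annotations.SerializedName;` binds the plugin to Gradle's shaded, internal copy of Gson; `org.gradle.internal.impldep` is not public API and its contents move or disappear between Gradle releases, so the plugin can stop compiling on a Gradle upgrade for reasons unrelated to this code. Declare Gson as a real dependency in build.gradle and import `com.google.gson.annotations.SerializedName`, or drop the `@SerializedName` annotations if nothing serializes this type with Gson. `getVulnerabilities()` hands out the list obtained from `pkg.getVulnerabilities()` by reference and returns null for an instance built through the JAXB constructor; `return vulnerabilities == null ? Collections.emptyList() : Collections.unmodifiableList(vulnerabilities);` (with `java.util.Collections` imported) covers both, and the Javadoc should gain `@return` so callers know the list is read-only.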
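--- a/src/main/java/net/ossindex/gradle/audit/OssIndexResultsWrapper.java
+++ b/src/main/java/net/ossindex/gradle/audit/OssIndexResultsWrapper.java
@@ -0,0 +1,34 @@
+package net.ossindex.gradle.audit;
+
+import net.ossindex.gradle.audit.MavenPackageDescriptor;
+
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlElementWrapper;
+import javax.xml.bind.annotation.XmlRootElement;
+import java.util.Collection;
+
+@XmlRootElement(name = "OssIndex")
+public class OssIndexResultsWrapper {
+
+    private Collection<MavenPackageDescriptor> packages;
+
+    public OssIndexResultsWrapper() {
+
+    }
+
+    public OssIndexResultsWrapper(Collection<MavenPackageDescriptor> results) {
+        this.setPackages(results);
+    }
+
+    public Collection<MavenPackageDescriptor> getPackages() {
+        return packages;
+    }
+
+    @XmlElementWrapper(name="packages")
+    @XmlElement(name = "package")
+    public void setPackages(Collection<MavenPackageDescriptor> packages) {
+        this.packages = packages;
+    }
+
+}
+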
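Review bot: `import net.ossindex.gradle.audit.MavenPackageDescriptor;` imports a class from the file's own package and should be removed. The class has no Javadoc although it is a JAXB root type whose shape is an external contract; a header such as `/** JAXB root element ("OssIndex") wrapping the audited packages for report output. */` and a note on the no-arg constructor (`// required by JAXB`) would document why the empty constructor exists. `getPackages()` returns null for an instance created through that constructor, which every consumer then has to guard against.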
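--- a/src/main/java/net/ossindex/gradle/input/ArtifactGatherer.java
+++ b/src/main/java/net/ossindex/gradle/input/ArtifactGatherer.java
@@ -0,0 +1,19 @@
+package net.ossindex.gradle.input;
+
+import org.gradle.api.Project;
+import org.gradle.api.artifacts.Configuration;
+
+import java.util.Set;
+import java.util.stream.Collectors;
+
+public class ArtifactGatherer {
+    public Set<GradleArtifact> gatherResolvedArtifacts(Project project) {
+        return project
+                .getConfigurations()
+                .stream()
+                .filter(Configuration::isCanBeResolved)
+                .flatMap(c -> c.getResolvedConfiguration().getFirstLevelModuleDependencies().stream())
+                .map(it -> new GradleArtifact(null, it))
+                .collect(Collectors.toSet());
+    }
+}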
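Review bot: `c.getResolvedConfiguration()` inside the `flatMap` resolves every resolvable configuration of the project, and a single one that cannot be resolved throws out of the stream and aborts the whole audit without saying which configuration failed. Either catch the resolution failure per configuration and rethrow with `c.getName()` in the message, or use `getResolvedConfiguration().getLenientConfiguration()` and report the unresolved dependencies separately so the audit still covers everything that did resolve. The `null` passed as the first argument of `new GradleArtifact(null, it)` presumably marks a root artifact with no parent; `GradleArtifact` is not in this commit, so a comment such as `// top-level dependency: no parent artifact` would make the intent visible. Using a `Set` here means the result depends on `GradleArtifact`'s `equals`/`hashCode`, which is worth stating in the method's Javadoc.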