Merge pull request #228 from aloubyansky/sbom-tool-info

Add SBOM tool info

domino/api/pom.xml

@@ -7,7 +7,7 @@
   </parent>
 
   <artifactId>quarkus-domino-api</artifactId>
-  <name>Quarkus - Platform BOM Tools - Domino - API</name>
+  <name>Quarkus - Platform BOM Tools - Domino - Dependency analyzer</name>
 
   <dependencies>
     <dependency>
@@ -69,15 +69,6 @@
       <plugin>
         <groupId>org.codehaus.mojo</groupId>
         <artifactId>templating-maven-plugin</artifactId>
-        <version>1.0.0</version>
-        <executions>
-          <execution>
-            <id>filter-src</id>
-            <goals>
-              <goal>filter-sources</goal>
-            </goals>
-          </execution>
-        </executions>
       </plugin>
     </plugins>
   </build>

domino/api/src/main/java-templates/io/quarkus/domino/DominoInfo.java

@@ -0,0 +1,7 @@
+package io.quarkus.domino;
+
+public interface DominoInfo {
+    String VERSION = "${project.version}";
+    String PROJECT_NAME = "${project.name}";
+    String ORGANIZATION_NAME = "${project.organization.name}";
+}

domino/api/src/main/java/io/quarkus/domino/GradleProjectReader.java

@@ -104,7 +104,7 @@ private static Path generateDominoInitScript(Path projectDir) {
             out.println("    }");
             out.println("    dependencies {");
             out.println(
-                    "        classpath \"io.quarkus.domino:io.quarkus.domino.gradle.plugin:" + DominoVersion.VERSION + "\"");
+                    "        classpath \"io.quarkus.domino:io.quarkus.domino.gradle.plugin:" + DominoInfo.VERSION + "\"");
             out.println("    }");
             out.println("}");
             out.println("allprojects {");

domino/api/src/main/java/io/quarkus/domino/MavenProjectReader.java

@@ -19,7 +19,8 @@ public class MavenProjectReader {
 
     private static final Map<String, String> PACKAGING_TYPE = Map.of(
             "maven-archetype", ArtifactCoords.TYPE_JAR,
-            "bundle", ArtifactCoords.TYPE_JAR);
+            "bundle", ArtifactCoords.TYPE_JAR,
+            "maven-plugin", ArtifactCoords.TYPE_JAR);
 
     private static String getTypeForPackaging(String packaging) {
         return PACKAGING_TYPE.getOrDefault(packaging, packaging);

domino/api/src/main/java/io/quarkus/domino/manifest/SbomGeneratingDependencyVisitor.java

@@ -11,14 +11,18 @@
 import io.quarkus.bootstrap.resolver.maven.workspace.LocalWorkspace;
 import io.quarkus.bootstrap.resolver.maven.workspace.ModelUtils;
 import io.quarkus.domino.DependencyTreeVisitor;
+import io.quarkus.domino.DominoInfo;
 import io.quarkus.domino.manifest.ManifestGenerator.BootstrapModelCache;
 import io.quarkus.domino.manifest.ManifestGenerator.SbomTransformContextImpl;
 import io.quarkus.maven.dependency.ArtifactCoords;
 import java.io.BufferedWriter;
 import java.io.File;
 import java.io.IOException;
+import java.net.URISyntaxException;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import java.util.ArrayDeque;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -48,15 +52,21 @@
 import org.cyclonedx.model.Component;
 import org.cyclonedx.model.Component.Type;
 import org.cyclonedx.model.Dependency;
+import org.cyclonedx.model.Hash;
 import org.cyclonedx.model.Metadata;
 import org.cyclonedx.model.Property;
+import org.cyclonedx.model.Tool;
 import org.eclipse.aether.artifact.Artifact;
 import org.eclipse.aether.artifact.DefaultArtifact;
 import org.eclipse.aether.repository.RemoteRepository;
 import org.eclipse.aether.resolution.ArtifactResult;
+import org.eclipse.jgit.util.Hex;
+import org.jboss.logging.Logger;
 
 public class SbomGeneratingDependencyVisitor implements DependencyTreeVisitor {
 
+    private static final Logger log = Logger.getLogger(SbomGeneratingDependencyVisitor.class);
+
     private final MavenArtifactResolver resolver;
     private final Path outputFile;
     private final ProductInfo productInfo;
@@ -89,8 +99,11 @@ public void beforeAllRoots() {
     public void afterAllRoots() {
         Bom bom = new Bom();
 
+        var metadata = new Metadata();
+        bom.setMetadata(metadata);
+        addToolInfo(metadata);
+
         if (productInfo != null) {
-            var metadata = new Metadata();
             var c = new Component();
             if (productInfo.getGroup() != null) {
                 c.setGroup(productInfo.getGroup());
@@ -117,7 +130,6 @@ public void afterAllRoots() {
                 c.addProperty(prop);
             }
             metadata.setComponent(c);
-            bom.setMetadata(metadata);
         }
 
         for (ArtifactCoords coords : sortAlphabetically(visitedComponents.keySet())) {
@@ -150,6 +162,88 @@ public void afterAllRoots() {
         }
     }
 
+    private void addToolInfo(Metadata metadata) {
+        var tool = new Tool();
+        tool.setName(DominoInfo.PROJECT_NAME);
+        tool.setVendor(DominoInfo.ORGANIZATION_NAME);
+        tool.setVersion(DominoInfo.VERSION);
+        metadata.setTools(List.of(tool));
+
+        var toolLocation = getToolLocation();
+        if (toolLocation == null) {
+            return;
+        }
+
+        String toolName = toolLocation.getFileName().toString();
+        if (toolName.endsWith(".jar")) {
+            toolName = toolName.substring(0, toolName.length() - ".jar".length());
+        }
+        String[] parts = toolName.split("-");
+        var sb = new StringBuilder();
+        for (int i = 0; i < parts.length; ++i) {
+            var s = parts[i];
+            if (s.isBlank()) {
+                continue;
+            }
+            sb.append(Character.toUpperCase(s.charAt(0)));
+            if (s.length() > 1) {
+                sb.append(s.substring(1));
+            }
+            sb.append(' ');
+        }
+        tool.setName(sb.append("SBOM Generator").toString());
+
+        final byte[] bytes;
+        try {
+            bytes = Files.readAllBytes(toolLocation);
+        } catch (IOException e) {
+            log.warn("Failed to read the tool's binary", e);
+            return;
+        }
+
+        final List<String> algs = List.of("MD5", "SHA-1", "SHA-256", "SHA-512", "SHA-384", "SHA3-384", "SHA3-256", "SHA3-512");
+        final List<Hash> hashes = new ArrayList<>(algs.size());
+        for (String alg : algs) {
+            var hash = getHash(alg, bytes);
+            if (hash != null) {
+                hashes.add(hash);
+            }
+        }
+        if (hashes != null) {
+            tool.setHashes(hashes);
+        }
+    }
+
+    private static Hash getHash(String alg, byte[] content) {
+        final MessageDigest md;
+        try {
+            md = MessageDigest.getInstance(alg);
+        } catch (NoSuchAlgorithmException e) {
+            log.warn("Failed to initialize a message digest with algorithm " + alg + ": " + e.getLocalizedMessage());
+            return null;
+        }
+        return new Hash(md.getAlgorithm(), Hex.toHexString(md.digest(content)));
+    }
+
+    private Path getToolLocation() {
+        var cs = getClass().getProtectionDomain().getCodeSource();
+        if (cs == null) {
+            log.warn("Failed to determine code source of the tool");
+            return null;
+        }
+        var url = cs.getLocation();
+        if (url == null) {
+            log.warn("Failed to determine code source URL of the tool");
+            return null;
+        }
+        try {
+            return Path.of(url.toURI());
+        } catch (URISyntaxException e) {
+            log.warn("Failed to translate " + url + " to a file system path", e);
+            return null;
+        }
+    }
+
     private static List<ArtifactCoords> sortAlphabetically(Collection<ArtifactCoords> col) {
         final List<ArtifactCoords> list = new ArrayList<>(col);
         Collections.sort(list, new Comparator<ArtifactCoords>() {

domino/app/pom.xml

@@ -7,7 +7,7 @@
     <version>0.0.82-SNAPSHOT</version>
   </parent>
   <artifactId>quarkus-domino</artifactId>
-  <name>Quarkus - Platform BOM Tools - Domino - App</name>
+  <name>Quarkus - Platform BOM Tools - Domino - CLI</name>
   <properties>
     <quarkus.package.add-runner-suffix>false</quarkus.package.add-runner-suffix>
     <skipOriginalJarRename>true</skipOriginalJarRename>

domino/app/src/main/java/io/quarkus/domino/cli/Version.java

@@ -1,6 +1,6 @@
 package io.quarkus.domino.cli;
 
-import io.quarkus.domino.DominoVersion;
+import io.quarkus.domino.DominoInfo;
 import java.util.concurrent.Callable;
 import picocli.CommandLine;
 
@@ -9,7 +9,7 @@ public class Version implements Callable<Integer> {
 
     @Override
     public Integer call() throws Exception {
-        System.out.println(DominoVersion.VERSION);
+        System.out.println(DominoInfo.VERSION);
         return CommandLine.ExitCode.OK;
     }
 }

pom.xml

@@ -10,13 +10,16 @@
   <url>https://quarkus.io/</url>
   <developers>
     <developer>
-      <id>jboss.org</id>
-      <name>JBoss.org Community</name>
-      <organization>JBoss.org</organization>
-      <organizationUrl>http://www.jboss.org</organizationUrl>
+      <id>quarkus.io</id>
+      <name>Quarkus Community</name>
+      <organization>Quarkus Community</organization>
+      <organizationUrl>https://quarkus.io</organizationUrl>
     </developer>
   </developers>
-
+  <organization>
+    <name>Quarkus Community</name>
+    <url>https://quarkus.io</url>
+  </organization>
   <licenses>
     <license>
       <name>Apache License, Version 2.0</name>
@@ -215,6 +218,19 @@
             </systemPropertyVariables>
           </configuration>
         </plugin>
+        <plugin>
+          <groupId>org.codehaus.mojo</groupId>
+          <artifactId>templating-maven-plugin</artifactId>
+          <version>1.0.0</version>
+          <executions>
+            <execution>
+              <id>filter-src</id>
+              <goals>
+                <goal>filter-sources</goal>
+              </goals>
+            </execution>
+          </executions>
+        </plugin>
       </plugins>
     </pluginManagement>
   </build>