fix: parsing of artifact data to get component group/name/version

Updated in accordance with: https://github.com/CycloneDX/cyclonedx-node-npm/blob/main/docs/result.md
project-ncl · Jan 9, 2025 · 961dd30 · 961dd30
1 parent fc6067a
commit 961dd30
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 33 deletions.
diff --git a/...ain/java/org/jboss/sbomer/cli/feature/sbom/command/CycloneDxGenerateOperationCommand.java b/...ain/java/org/jboss/sbomer/cli/feature/sbom/command/CycloneDxGenerateOperationCommand.java
@@ -206,21 +206,19 @@ protected Path doGenerate() {
             // pom.xml)
             if (!purlToComponents.containsKey(artifact.getArtifact().getPurl())) {
                 KojiBuild brewBuild = null;
-                BuildType buildType = null;
 
                 if (artifact.getArtifact().getBuild() != null) {
-                    buildType = artifact.getArtifact().getBuild().getBuildConfigRevision().getBuildType();
+                    // Artifact was built in PNC, so it has all the data we need
                 } else if (artifact.getBrewId() != null && artifact.getBrewId() > 0) {
                     brewBuild = kojiService.findBuild(artifact.getArtifact());
-                    buildType = BuildType.MVN;
                 } else {
                     log.warn(
                             "An artifact has been found with no associated build: '{}'. It will be added in the SBOM with generic type.",
                             artifact.getArtifact().getFilename());
                 }
 
                 // Create a component entry for the artifact
-                Component component = createComponent(artifact.getArtifact(), Scope.REQUIRED, Type.LIBRARY, buildType);
+                Component component = createComponent(artifact.getArtifact(), Scope.REQUIRED, Type.LIBRARY);
                 setArtifactMetadata(component, artifact.getArtifact(), pncService.getApiUrl());
                 setPncBuildMetadata(component, artifact.getArtifact().getBuild(), pncService.getApiUrl());
 

diff --git a/cli/src/main/java/org/jboss/sbomer/cli/feature/sbom/processor/DefaultProcessor.java b/cli/src/main/java/org/jboss/sbomer/cli/feature/sbom/processor/DefaultProcessor.java
@@ -332,10 +332,10 @@ private void addMissingNpmDependencies(Bom bom, Component component) {
             return;
         }
 
-        addMissingNpmDependencies(bom, component, npmDependencies, build.getBuildConfigRevision().getBuildType());
+        addMissingNpmDependencies(bom, component, npmDependencies);
     }
 
-    private void addMissingNpmDependencies(Bom bom, Component component, Collection<Artifact> npmDependencies, BuildType buildType) {
+    private void addMissingNpmDependencies(Bom bom, Component component, Collection<Artifact> npmDependencies) {
         Set<String> listedPurls = bom.getComponents()
                 .stream()
                 .map(DefaultProcessor::getPackageURL)
@@ -357,8 +357,7 @@ private void addMissingNpmDependencies(Bom bom, Component component, Collection<
             Component newComponent = createComponent(
                     artifact,
                     Component.Scope.REQUIRED,
-                    Component.Type.LIBRARY,
-                    buildType);
+                    Component.Type.LIBRARY);
             setArtifactMetadata(newComponent, artifact, pncService.getApiUrl());
             setPncBuildMetadata(newComponent, artifact.getBuild(), pncService.getApiUrl());
             bom.addComponent(newComponent);

diff --git a/cli/src/test/java/org/jboss/sbomer/cli/test/unit/feature/sbom/DefaultProcessorTest.java b/cli/src/test/java/org/jboss/sbomer/cli/test/unit/feature/sbom/DefaultProcessorTest.java
@@ -2,6 +2,7 @@
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.when;
@@ -216,6 +217,9 @@ private static void verifyAddedNpmDependencies(Bom processed) {
         assertEquals("https://pnc.example.com/pnc-rest/v2/artifacts/2160610", onceArtifact.getUrl());
         assertTrue(getDependency("pkg:npm/[email protected]", mainDependency.getDependencies()).isPresent());
         assertTrue(getDependency("pkg:npm/[email protected]", processed.getDependencies()).isPresent());
+        assertNull(componentOnce.getGroup());
+        assertEquals("once", componentOnce.getName());
+        assertEquals("1.4.0", componentOnce.getVersion());
 
         Component componentKogito = getComponent(
                 processed,
@@ -241,6 +245,9 @@ private static void verifyAddedNpmDependencies(Bom processed) {
                 getDependency(
                         "pkg:npm/%40redhat/[email protected]",
                         processed.getDependencies()).isPresent());
+        assertEquals("@redhat", componentKogito.getGroup());
+        assertEquals("kogito-tooling-keyboard-shortcuts", componentKogito.getName());
+        assertEquals("0.9.0-2", componentKogito.getVersion());
     }
 
     private static Optional<Dependency> getDependency(String ref, List<Dependency> dependencies) {

diff --git a/core/src/main/java/org/jboss/sbomer/core/features/sbom/utils/SbomUtils.java b/core/src/main/java/org/jboss/sbomer/core/features/sbom/utils/SbomUtils.java
@@ -50,6 +50,8 @@
 import java.util.regex.Pattern;
 import java.util.stream.Stream;
 
+import org.commonjava.atlas.maven.ident.ref.SimpleArtifactRef;
+import org.commonjava.atlas.npm.ident.ref.NpmPackageRef;
 import org.cyclonedx.Version;
 import org.cyclonedx.exception.GeneratorException;
 import org.cyclonedx.exception.ParseException;
@@ -81,6 +83,7 @@
 import org.jboss.pnc.dto.Build;
 import org.jboss.pnc.dto.DeliverableAnalyzerOperation;
 import org.jboss.pnc.enums.BuildType;
+import org.jboss.pnc.restclient.util.ArtifactUtil;
 import org.jboss.sbomer.core.features.sbom.Constants;
 import org.jboss.sbomer.core.features.sbom.config.Config;
 import org.jboss.sbomer.core.features.sbom.config.OperationConfig;
@@ -161,27 +164,33 @@ public static Component createComponent(
         return component;
     }
 
-    private static void setCoordinates(Component component, String identifier, BuildType buildType) {
-
-        switch (buildType) {
-            case NPM:
-                String[] gv = identifier.split(":");
-                if (gv.length >= 1) {
-                    component.setGroup(gv[0]);
-                    component.setVersion(gv[1]);
+    private static void setCoordinates(Component component, Artifact artifact) {
+        switch (artifact.getTargetRepository().getRepositoryType()) {
+            case NPM: {
+                NpmPackageRef coordinates = ArtifactUtil.parseNPMCoordinates(artifact);
+                String[] scopeName = coordinates.getName().split("/");
+                if (scopeName.length == 2) {
+                    component.setGroup(scopeName[0]);
+                    component.setName(scopeName[1]);
+                } else if (scopeName.length == 1) {
+                    component.setName(scopeName[0]);
+                } else {
+                    log.warn("Unexpected number of slashes in NPM artifact name {}, using it fully", coordinates.getName());
+                    component.setName(coordinates.getName());
                 }
+                component.setVersion(coordinates.getVersionString());
                 break;
-            case MVN:
-            case GRADLE:
-            case SBT:
-            default:
-                String[] gaecv = identifier.split(":");
-
-                if (gaecv.length >= 3) {
-                    component.setGroup(gaecv[0]);
-                    component.setName(gaecv[1]);
-                    component.setVersion(gaecv[3]);
-                }
+            }
+            case MAVEN: {
+                SimpleArtifactRef coordinates = ArtifactUtil.parseMavenCoordinates(artifact);
+                component.setGroup(coordinates.getGroupId());
+                component.setName(coordinates.getArtifactId());
+                component.setVersion(coordinates.getVersionString());
+                break;
+            }
+            default: {
+                component.setName(artifact.getFilename());
+            }
         }
     }
 
@@ -311,14 +320,10 @@ public static void setProductMetadata(Component component, OperationConfig confi
                                 }));
     }
 
-    public static Component createComponent(Artifact artifact, Scope scope, Type type, BuildType buildType) {
+    public static Component createComponent(Artifact artifact, Scope scope, Type type) {
 
         Component component = new Component();
-        if (buildType != null) {
-            setCoordinates(component, artifact.getIdentifier(), buildType);
-        } else {
-            component.setName(artifact.getFilename());
-        }
+        setCoordinates(component, artifact);
         component.setScope(scope);
         component.setType(type);
         component.setPurl(artifact.getPurl());