Skip to content

Pipeline for Maven #1953

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 14 commits into
base: main
Choose a base branch
from
Open

Pipeline for Maven #1953

wants to merge 14 commits into from

Conversation

@chinyeungli
Copy link
Contributor

@chinyeungli chinyeungli commented Nov 13, 2025

Issue: #1763

Create a pipeline for Maven package

@chinyeungli chinyeungli requested a review from tdruez November 13, 2025 10:40
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 13, 2025
View reviewed changes
@chinyeungli
Refactor code and add tests #1763
13e8e88 
Signed-off-by: Chin Yeung Li <[email protected]>
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 14, 2025
View reviewed changes
@chinyeungli
Implement "update_package_license_from_resource_if_missing" function #…
cb623c1 
…1763

- Update package's license if missing while the same package has license detected in RESOURCES

Signed-off-by: Chin Yeung Li <[email protected]>
@chinyeungli
Only work with "maven" package type #1763
b937cff 
Signed-off-by: Chin Yeung Li <[email protected]>
@chinyeungli
Update docstring description #1763
0bbe979 
Signed-off-by: Chin Yeung Li <[email protected]>
@chinyeungli
Add test for the "scan_maven_package" pipeline #1763
2b3c9bb 
Signed-off-by: Chin Yeung Li <[email protected]>
@chinyeungli
Fix the Incomplete URL substring sanitization #1763
9a11dd8 
Signed-off-by: Chin Yeung Li <[email protected]>
@chinyeungli chinyeungli mentioned this pull request Nov 18, 2025
Open
tdruez
tdruez requested changes Nov 19, 2025
View reviewed changes
Copy link
Contributor

@tdruez tdruez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Create a new maven pipe module in place of use resolve
  • Opening and loading a large file to make edits multiple times in various steps is not great.
  • To be discussed: Do we need a dedicated pipeline for just an extra step? Shouldn't the original scan_single_package detect that it's a Maven package and apply the necessary? Any reason to keep this new logic separated?

scanpipe/pipelines/scan_maven_package.py Outdated
Comment on lines 57 to 74
with open(self.scan_output_location) as file:
data = json.load(file)
# Return and do nothing if data has pom.xml
for file in data["files"]:
if "pom.xml" in file["path"]:
return
packages = data.get("packages", [])

pom_url_list = get_pom_url_list(self.project.input_sources[0], packages)
pom_file_list = download_pom_files(pom_url_list)
scanned_pom_packages, scanned_dependencies = scan_pom_files(pom_file_list)

updated_packages = packages + scanned_pom_packages
# Replace/Update the package and dependencies section
data["packages"] = updated_packages
data["dependencies"] = scanned_dependencies
with open(self.scan_output_location, "w") as file:
json.dump(data, file, indent=2)
Copy link
Contributor

@tdruez tdruez Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code logic should not be on the pipeline itself but in dedictated and easilly testable pipe functions

scanpipe/pipelines/scan_single_package.py Outdated
cls.extract_input_to_codebase_directory,
cls.extract_archives,
cls.run_scan,
cls.update_package_license_from_resource_if_missing,
Copy link
Contributor

@tdruez tdruez Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This may have quite an impact on the default ScanSinglePackage results. We should probably handle this one separatly of the Maven context.

scanpipe/pipelines/scan_single_package.py Outdated
if not packages or not resources:
return

updated_packages = update_package_license_from_resource_if_missing(
Copy link
Contributor

@tdruez tdruez Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should use database queries instead of manipulating complex dictionaries.

scanpipe/pipes/resolve.py Outdated
return pom_file_list


def scan_pom_files(pom_file_list):
Copy link
Contributor

@tdruez tdruez Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is too complex, it needs to be refactored as smaller functions

scanpipe/pipes/resolve.py Outdated
return scanned_pom_packages, scanned_pom_deps


def update_package_license_from_resource_if_missing(packages, resources):
Copy link
Contributor

@tdruez tdruez Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be query-based.

@chinyeungli
Add "maven.google.com" as a maven_hosts and accept .aar file #1763
f303430 
Signed-off-by: Chin Yeung Li <[email protected]>
@chinyeungli
Reorganize code structure and code enhancement #1763
ab71751 
- Create a new maven pipe module
- Use database queries for update_package_license_from_resource_if_missing()
- Add tests

Signed-off-by: Chin Yeung Li <[email protected]>
@chinyeungli
Update build-in-pipelines.rst #1763
5579db8 
Signed-off-by: Chin Yeung Li <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tdruez tdruez tdruez requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@chinyeungli @tdruez