change workflow

googleapis · Nov 27, 2024 · c527374 · c527374
1 parent 828bc56
commit c527374
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 26 deletions.
diff --git a/.github/workflows/analyze_dependency.yaml b/.github/workflows/analyze_dependency.yaml
@@ -27,10 +27,10 @@ jobs:
         distribution: temurin
         java-version: 17
         cache: maven
-    - name: Set up Maven
-      uses: stCarolas/setup-maven@v4.5
-      with:
-        maven-version: 3.8.2
+    - name: Install modules
+      shell: bash
+      run: |
+        mvn clean install -V --batch-mode --no-transfer-progress -DskipTests
     - name: Install dependency analyzer
       shell: bash
       run: |
@@ -39,5 +39,5 @@ jobs:
     - name: Check dependency information
       shell: bash
       run: |
-        mvn exec:java -Ddep.system=${{ github.event.inputs.system }} -Ddep.name=${{ github.event.inputs.name }} -Ddep.version=${{ github.event.inputs.version }}
+        mvn exec:java
       working-directory: java-shared-dependencies/dependency-analyzer
diff --git a/java-shared-dependencies/dependency-analyzer/pom.xml b/java-shared-dependencies/dependency-analyzer/pom.xml
@@ -64,6 +64,11 @@
       <artifactId>guava</artifactId>
       <version>33.3.1-jre</version>
     </dependency>
+    <dependency>
+      <groupId>com.google.cloud.tools</groupId>
+      <artifactId>dependencies</artifactId>
+      <version>1.5.13</version>
+    </dependency>
     <!-- test dependencies   -->
     <dependency>
       <groupId>org.mockito</groupId>

diff --git a/...d-dependencies/dependency-analyzer/src/main/java/com/google/cloud/DependencyAnalyzer.java b/...d-dependencies/dependency-analyzer/src/main/java/com/google/cloud/DependencyAnalyzer.java
@@ -7,21 +7,28 @@
 import com.google.cloud.model.AdvisoryKey;
 import com.google.cloud.model.AnalysisResult;
 import com.google.cloud.model.License;
-import com.google.cloud.model.ReportResult;
 import com.google.cloud.model.PackageInfo;
 import com.google.cloud.model.QueryResult;
+import com.google.cloud.model.ReportResult;
 import com.google.cloud.model.Result;
 import com.google.cloud.model.Version;
 import com.google.cloud.model.VersionKey;
+import com.google.cloud.tools.opensource.classpath.ClassPathBuilder;
+import com.google.cloud.tools.opensource.classpath.DependencyMediation;
+import com.google.cloud.tools.opensource.dependencies.Bom;
+import com.google.cloud.tools.opensource.dependencies.MavenRepositoryException;
 import java.io.IOException;
 import java.net.URISyntaxException;
 import java.net.http.HttpClient;
+import java.nio.file.Paths;
 import java.util.ArrayDeque;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Queue;
 import java.util.Set;
+import org.eclipse.aether.artifact.Artifact;
+import org.eclipse.aether.version.InvalidVersionSpecificationException;
 
 public class DependencyAnalyzer {
 
@@ -31,9 +38,45 @@ public DependencyAnalyzer(DepsDevClient depsDevClient) {
     this.depsDevClient = depsDevClient;
   }
 
-  public AnalysisResult analyze(String system, String packageName, String packageVersion)
-      throws URISyntaxException, IOException, InterruptedException, IllegalArgumentException {
-    VersionKey root = VersionKey.from(system, packageName, packageVersion);
+  public AnalysisResult analyze(String bomPath)
+      throws URISyntaxException, IOException, InterruptedException {
+    List<PackageInfo> packageInfos = new ArrayList<>();
+    try {
+      Set<VersionKey> roots = getManagedDependenciesFromBom(Bom.readBom(Paths.get(bomPath)));
+      for (VersionKey versionKey : roots) {
+        if (versionKey.isSnapshot()) {
+          continue;
+        }
+        packageInfos.addAll(getPackageInfoFrom(versionKey));
+      }
+
+    } catch (MavenRepositoryException | InvalidVersionSpecificationException ex) {
+      System.out.printf("Caught exception when resolving dependencies from %s.", bomPath);
+      ex.printStackTrace();
+      System.exit(1);
+    }
+
+    return AnalysisResult.of(packageInfos);
+  }
+
+  private static Set<VersionKey> getManagedDependenciesFromBom(Bom bom)
+      throws InvalidVersionSpecificationException {
+    Set<VersionKey> res = new HashSet<>();
+    new ClassPathBuilder()
+        .resolve(bom.getManagedDependencies(), false, DependencyMediation.MAVEN)
+        .getClassPath()
+        .forEach(
+            classPath -> {
+              Artifact artifact = classPath.getArtifact();
+              String pkg = String.format("%s:%s", artifact.getGroupId(), artifact.getArtifactId());
+              res.add(VersionKey.from("MAVEN", pkg, artifact.getVersion()));
+            });
+
+    return res;
+  }
+
+  private List<PackageInfo> getPackageInfoFrom(VersionKey root)
+      throws URISyntaxException, IOException, InterruptedException {
     Set<VersionKey> seenPackage = new HashSet<>();
     seenPackage.add(root);
     Queue<VersionKey> queue = new ArrayDeque<>();
@@ -42,14 +85,16 @@ public AnalysisResult analyze(String system, String packageName, String packageV
     while (!queue.isEmpty()) {
       VersionKey versionKey = queue.poll();
       dependencies.add(versionKey);
+      if (versionKey.toString().equals("org.graalvm.sdk:nativeimage:24.1.1")) {
+        continue;
+      }
       List<VersionKey> directDependencies = depsDevClient.getDirectDependencies(versionKey);
       // only add unseen dependencies to the queue.
       directDependencies
           .stream()
           .filter(seenPackage::add)
           .forEach(queue::offer);
     }
-
     List<PackageInfo> result = new ArrayList<>();
     for (VersionKey versionKey : dependencies) {
       QueryResult packageInfo = depsDevClient.getQueryResult(versionKey);
@@ -64,11 +109,10 @@ public AnalysisResult analyze(String system, String packageName, String packageV
           advisories.add(depsDevClient.getAdvisory(advisoryKey.id()));
         }
       }
-
       result.add(new PackageInfo(versionKey, licenses, advisories));
     }
 
-    return AnalysisResult.of(result);
+    return result;
   }
 
   /**
@@ -88,23 +132,11 @@ public AnalysisResult analyze(String system, String packageName, String packageV
    * package management system.
    */
   public static void main(String[] args) throws IllegalArgumentException {
-    checkArgument(args.length == 3,
-        """
-            The length of the inputs should be 3.
-            The 1st input should be the package management system.
-            The 2nd input should be the package name.
-            The 3rd input should be the package version.
-            """
-    );
-
-    String system = args[0];
-    String packageName = args[1];
-    String packageVersion = args[2];
     DependencyAnalyzer dependencyAnalyzer = new DependencyAnalyzer(
         new DepsDevClient(HttpClient.newHttpClient()));
     AnalysisResult analyzeReport = null;
     try {
-      analyzeReport = dependencyAnalyzer.analyze(system, packageName, packageVersion);
+      analyzeReport = dependencyAnalyzer.analyze("java-shared-dependencies/pom.xml");
     } catch (URISyntaxException | IOException | InterruptedException ex) {
       System.out.println(
           "Caught exception when fetching package information from https://deps.dev/");

diff --git a/...shared-dependencies/dependency-analyzer/src/main/java/com/google/cloud/model/License.java b/...shared-dependencies/dependency-analyzer/src/main/java/com/google/cloud/model/License.java
@@ -1,6 +1,7 @@
 package com.google.cloud.model;
 
 import static com.google.cloud.model.LicenseCategory.NOTICE;
+import static com.google.cloud.model.LicenseCategory.PERMISSIVE;
 import static com.google.cloud.model.LicenseCategory.RESTRICTED;
 
 import com.google.common.collect.ImmutableSet;
@@ -16,10 +17,13 @@
 public enum License {
   APACHE_2_0("Apache-2.0", Set.of(NOTICE)),
   BCL("BCL", Set.of(RESTRICTED, NOTICE)),
+  BSD_2_CLAUSE("BSD-2-Clause", Set.of(NOTICE)),
   BSD_3_CLAUSE("BSD-3-Clause", Set.of(NOTICE)),
   GL2PS("GL2PS", Set.of(RESTRICTED, NOTICE)),
+  GPL_2_0_WITH_CLASSPATH_EXCEPTION("GPL-2.0-with-classpath-exception", Set.of(PERMISSIVE)),
   MIT("MIT", Set.of(NOTICE)),
-  NOT_RECOGNIZED("Not-Recognized", Set.of());
+  NOT_RECOGNIZED("Not-Recognized", Set.of()),
+  UPL_1_0("UPL-1.0", Set.of(NOTICE));
 
   private final static Logger LOGGER = Logger.getLogger(License.class.getName());
 

diff --git a/...red-dependencies/dependency-analyzer/src/main/java/com/google/cloud/model/VersionKey.java b/...red-dependencies/dependency-analyzer/src/main/java/com/google/cloud/model/VersionKey.java
@@ -20,6 +20,10 @@ public static VersionKey from(String system, String name, String version)
     return new VersionKey(pkg, name, version);
   }
 
+  public boolean isSnapshot() {
+    return version.endsWith("SNAPSHOT");
+  }
+
   @Override
   public String toString() {
     if (pkgManagement == PkgManagement.MAVEN) {