From 30c8c0d1462f448ad8c40dc77b646ae556f2f3ea Mon Sep 17 00:00:00 2001 From: edler-san Date: Thu, 14 Nov 2024 13:35:54 +0100 Subject: [PATCH 1/3] Added project for Vaadin core SBOM checks --- scripts/checkCoreLicenses.sh | 27 ++++++++++ scripts/data/approved-licenses.txt | 34 ++++++++++++ vaadin-core-sbom/pom.xml | 87 ++++++++++++++++++++++++++++++ 3 files changed, 148 insertions(+) create mode 100755 scripts/checkCoreLicenses.sh create mode 100644 scripts/data/approved-licenses.txt create mode 100644 vaadin-core-sbom/pom.xml diff --git a/scripts/checkCoreLicenses.sh b/scripts/checkCoreLicenses.sh new file mode 100755 index 000000000..2a2d3b88c --- /dev/null +++ b/scripts/checkCoreLicenses.sh @@ -0,0 +1,27 @@ +#!/usr/bin/env bash + +# script requires jq (sudo apt install jq) for processing JSON files +if ! command -v jq 2>&1 >/dev/null +then + echo "'jq' could not be found. Please install it." + exit 1 +fi + +cd vaadin-core-sbom +mvn -ntp -B org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom -q -T 1C +# create file with the licenses that have been found +# since projects differ the actual license is listed either in components>licenses>license>id or components>licenses>license>id in the JSON file +cat target/bom.json | jq '.components[].licenses[].license | select(.id != null) | .id' > target/found_licenses.txt #overwrite older version if exists +# add the ones listed under the 'name' attribute +cat target/bom.json | jq '.components[].licenses[].license | select(.name != null) | .name' >> target/found_licenses.txt +sort -u target/found_licenses.txt > target/found_licenses_sorted.txt + +grep -Fvf ../scripts/data/approved-licenses.txt target/found_licenses_sorted.txt > target/unknown_licenses.txt + +if [ -s target/unknown_licenses.txt ]; then + echo "Found unknown licenses: "; + cat target/unknown_licenses.txt; + exit 1; +else echo "No unknown licenses found"; + exit 0; +fi 
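Review bot: The allowlist comparison `grep -Fvf ../scripts/data/approved-licenses.txt target/found_licenses_sorted.txt` matches substrings rather than whole lines, so a short approved entry such as `MIT`, `ISC` or `CDDL` also approves any longer license string that merely contains it, and a license that should be reported can pass silently. The found list is written with jq's surrounding double quotes, which is presumably why `-x` was not used; emitting raw strings with `jq -r` and then matching whole lines with `grep -Fxvf` closes that gap. The redirection in `command -v jq 2>&1 >/dev/null` still prints stderr and only silences stdout; `>/dev/null 2>&1` is the intended order. Later patches in this series delete this script in favour of an exact-match check in generateAndCheckSBOM.js, so this only matters if the script is kept or reused.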
diff --git a/scripts/data/approved-licenses.txt b/scripts/data/approved-licenses.txt new file mode 100644 index 000000000..d780d38f7 --- /dev/null +++ b/scripts/data/approved-licenses.txt @@ -0,0 +1,34 @@ +0BSD +AFL-2.1 +Apache 2.0 +Apache-1.1 +Apache-2.0 +BSD-2-Clause +BSD-3-Clause +BSD-4-Clause +BlueOak-1.0.0 +CC-BY-3.0 +CC-BY-4.0 +CC0-1.0 +CDDL +CDDL-1.0 +EPL-1.0 +EPL-2.0 +GPL-2.0-with-classpath-exception +ISC +LGPL-2.1-only +LGPL-2.1-or-later +MIT +MIT-0 +MPL-1.1 +WTFPL +Zlib +http://font.ubuntu.com/ufl/ubuntu-font-licence-1.0.txt +http://oss.sgi.com/projects/FreeB +http://www.gnu.org/licenses/lgpl-3.0.html +http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html +http://www.spdx.org/licenses/BSD-4-Clause +https://opensource.org/licenses/MIT +https://www.bouncycastle.org/licence.html +https://www.gnu.org/software/classpath/license.html +https://www.highcharts.com/license diff --git a/vaadin-core-sbom/pom.xml b/vaadin-core-sbom/pom.xml new file mode 100644 index 000000000..c6e8b61a6 --- /dev/null +++ b/vaadin-core-sbom/pom.xml @@ -0,0 +1,87 @@ + + 4.0.0 + + com.vaadin + vaadin-platform-parent + 24.5.3 + + vaadin-core-sbom + jar + + 17 + 17 + UTF-8 + UTF-8 + + + + + com.vaadin + vaadin-bom + ${project.version} + pom + import + + + + + + + com.vaadin + vaadin-core + + + com.vaadin + vaadin-spring-boot-starter + + + com.vaadin + flow-webpush + + + com.vaadin + copilot + + + + + + + + production + + + + com.vaadin + vaadin-maven-plugin + + + + prepare-frontend + build-frontend + + + + + + org.eclipse.jetty + jetty-maven-plugin + ${jetty.version} + + + + + + com.vaadin + flow-server-production-mode + + + + + From 84403271a60f9b34d9d04b9776af6d0600063376 Mon Sep 17 00:00:00 2001 
From: edler-san Date: Tue, 19 Nov 2024 17:51:56 +0100 Subject: [PATCH 2/3] Integrated core license check into the generateAndCheckSBOM script --- scripts/checkCoreLicenses.sh | 27 ------------------- scripts/data/approved-licenses.txt | 34 ----------------------- scripts/generateAndCheckSBOM.js | 38 ++++++++++++++++++++++++-- vaadin-core-sbom/pom.xml | 43 ------------------------------ 4 files changed, 36 insertions(+), 106 deletions(-) delete mode 100755 scripts/checkCoreLicenses.sh delete mode 100644 scripts/data/approved-licenses.txt diff --git a/scripts/checkCoreLicenses.sh b/scripts/checkCoreLicenses.sh deleted file mode 100755 index 2a2d3b88c..000000000 --- a/scripts/checkCoreLicenses.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/usr/bin/env bash - -# script requires jq (sudo apt install jq) for processing JSON files -if ! command -v jq 2>&1 >/dev/null -then - echo "'jq' could not be found. Please install it." - exit 1 -fi - -cd vaadin-core-sbom -mvn -ntp -B org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom -q -T 1C -# create file with the licenses that have been found -# since projects differ the actual license is listed either in components>licenses>license>id or components>licenses>license>id in the JSON file -cat target/bom.json | jq '.components[].licenses[].license | select(.id != null) | .id' > target/found_licenses.txt #overwrite older version if exists -# add the ones listed under the 'name' attribute -cat target/bom.json | jq '.components[].licenses[].license | select(.name != null) | .name' >> target/found_licenses.txt -sort -u target/found_licenses.txt > target/found_licenses_sorted.txt - -grep -Fvf ../scripts/data/approved-licenses.txt target/found_licenses_sorted.txt > target/unknown_licenses.txt - -if [ -s target/unknown_licenses.txt ]; then - echo "Found unknown licenses: "; - cat target/unknown_licenses.txt; - exit 1; -else echo "No unknown licenses found"; - exit 0; -fi 
diff --git a/scripts/data/approved-licenses.txt b/scripts/data/approved-licenses.txt deleted file mode 100644 index d780d38f7..000000000 --- a/scripts/data/approved-licenses.txt +++ /dev/null @@ -1,34 +0,0 @@ -0BSD -AFL-2.1 -Apache 2.0 -Apache-1.1 -Apache-2.0 -BSD-2-Clause -BSD-3-Clause -BSD-4-Clause -BlueOak-1.0.0 -CC-BY-3.0 -CC-BY-4.0 -CC0-1.0 -CDDL -CDDL-1.0 -EPL-1.0 -EPL-2.0 -GPL-2.0-with-classpath-exception -ISC -LGPL-2.1-only -LGPL-2.1-or-later -MIT -MIT-0 -MPL-1.1 -WTFPL -Zlib -http://font.ubuntu.com/ufl/ubuntu-font-licence-1.0.txt -http://oss.sgi.com/projects/FreeB -http://www.gnu.org/licenses/lgpl-3.0.html -http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html -http://www.spdx.org/licenses/BSD-4-Clause -https://opensource.org/licenses/MIT -https://www.bouncycastle.org/licence.html -https://www.gnu.org/software/classpath/license.html -https://www.highcharts.com/license diff --git a/scripts/generateAndCheckSBOM.js b/scripts/generateAndCheckSBOM.js index 953e614f5..2f9170608 100755 --- a/scripts/generateAndCheckSBOM.js +++ b/scripts/generateAndCheckSBOM.js @@ -11,6 +11,7 @@ const path = require('path'); const VAADIN_LICENSE = 'https://vaadin.com/commercial-license-and-service-terms'; const SBOM_URL = 'https://github.com/vaadin/platform/releases/download/%%VERSION%%/Software.Bill.Of.Materials.json' const testProject = path.resolve('vaadin-platform-sbom'); +const coreProject = path.resolve('vaadin-core-sbom'); const licenseWhiteList = [ 'ISC', 'MIT', @@ -89,7 +90,7 @@ pre[b] {border: solid 1px darkgrey} `; const cmd = { - useBomber: true, useOSV: true, useOWASP: true, + useBomber: true, useOSV: true, useOWASP: true, checkCoreLicenses : true, hasOssToken: !!(process.env.OSSINDEX_USER && process.env.OSSINDEX_TOKEN) }; for (let i = 2, l = process.argv.length; i < l; i++) { 
@@ -102,9 +103,10 @@ for (let i = 2, l = process.argv.length; i < l; i++) { case '--version': cmd.version = process.argv[++i]; break; case '--compare': cmd.org = process.argv[++i]; break; case '--quick': cmd.quick = true; break; + case '--skip-check-core-licenses' : cmd.checkCoreLicenses = false; break; default: console.log(`Usage: ${path.relative('.', process.argv[1])} - [--useSnapshots] [--disable-bomber] [--disable-osv-scan] [--disable-owasp] [--enable-full-owasp] [--version x.x.x] [--quick]`); + [--useSnapshots] [--disable-bomber] [--disable-osv-scan] [--disable-owasp] [--enable-full-owasp] [--version x.x.x] [--quick] [--skip-check-core-licenses]`); process.exit(1); } } @@ -397,6 +399,12 @@ function checkLicenses(licenses) { return ret; } +function checkCoreLicenses(){ + let ret=""; + console.log("Starting license check for Vaadin Core."); + return ret; +} + function checkVunerabilities(vuls) { let err = "", msg = ""; Object.keys(vuls).forEach(v => { @@ -539,6 +547,16 @@ async function main() { log(`cd ${testProject}`); process.chdir(testProject); + let coreLicensesResult=undefined; + let coreLicenses=undefined; + + if(cmd.checkCoreLicenses){ + log(`generating Core SBOM`); + await run('mvn -ntp -B org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom -q -f ../vaadin-core-sbom'); + coreLicenses = sumarizeLicenses('../vaadin-core-sbom/target/bom.json'); + coreLicensesResult = checkLicenses(coreLicenses); + } + if (!cmd.quick) { // Ensure package.json and node_modules are empty await run('rm -rf package.json node_modules frontend src'); @@ -590,6 +608,8 @@ async function main() { sumarizeOWASP('target/dependency-check-report.json', vulnerabilities); } + + const errLic = checkLicenses(licenses); const errVul = checkVunerabilities(vulnerabilities).err; const msgVul = checkVunerabilities(vulnerabilities).msg; @@ -617,6 +637,20 @@ async function main() { md += `\n### 🔒 No Vulnerabilities\n`; html += `\n
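Review bot: The new core-SBOM block in the `@@ -539,6 +547,16 @@` hunk is formatted unlike the surrounding code: `if(cmd.checkCoreLicenses){` and `let coreLicensesResult=undefined;` where the file writes `if (!cmd.quick) {` and spaces around `=`; `let coreLicenses;` and `let coreLicensesResult = '';` would match the file and make the later truthiness test read naturally, since `checkLicenses` returns an empty string when nothing is wrong. The block also runs before and outside `if (!cmd.quick)`, so `--quick` still rebuilds the core project; if that is intended, a one-line comment such as `// core SBOM is regenerated even with --quick` would save the next reader from wondering. main() starts and ends outside this hunk.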

🔒 No Vulnerabilities

\n`; } + + if (cmd.checkCoreLicenses) { + if (coreLicensesResult) { + md += `\n### 🚫 Found Core License Issues\n`; + html += `\n

>🚫 Found Core License Issues

\n`; + md += reportLicenses(coreLicenses).md; + html += reportLicenses(coreLicenses).html; + } else { + errMsg += `- 📔 No Core License Issues\n`; + md += `\n### 📔 CoreLicenses\n`; + html += `\n

📔 Core Licenses

\n`; + } + } + if (errLic) { md += `\n### 🚫 Found License Issues\n`; html += `\n

>🚫 Found License Issues

\n`; diff --git a/vaadin-core-sbom/pom.xml b/vaadin-core-sbom/pom.xml index c6e8b61a6..ebe2ca3ad 100644 --- a/vaadin-core-sbom/pom.xml +++ b/vaadin-core-sbom/pom.xml @@ -40,48 +40,5 @@ com.vaadin flow-webpush - - com.vaadin - copilot - - - - - - - production - - - - com.vaadin - vaadin-maven-plugin - - - - prepare-frontend - build-frontend - - - - - - org.eclipse.jetty - jetty-maven-plugin - ${jetty.version} - - - - - - com.vaadin - flow-server-production-mode - - - - From 128fba2a7be5698a80f270176fd6f01b90212cfe Mon Sep 17 00:00:00 2001 From: edler-san Date: Wed, 20 Nov 2024 15:48:45 +0100 Subject: [PATCH 3/3] Generalised license check, added missing printout for core license check, switched to using coreProject var, updated core-sbom to 24.6.SNAPSHOT --- pom.xml | 1 + scripts/generateAndCheckSBOM.js | 21 +++++++++------------ vaadin-core-sbom/pom.xml | 2 +- 3 files changed, 11 insertions(+), 13 deletions(-) diff --git a/pom.xml b/pom.xml index d90e49472..181936c2f 100644 --- a/pom.xml +++ b/pom.xml @@ -35,6 +35,7 @@ sbom vaadin-platform-sbom + vaadin-core-sbom diff --git a/scripts/generateAndCheckSBOM.js b/scripts/generateAndCheckSBOM.js index 2f9170608..ea807d866 100755 --- a/scripts/generateAndCheckSBOM.js +++ b/scripts/generateAndCheckSBOM.js @@ -50,6 +50,8 @@ const licenseWhiteList = [ 'https://opensource.org/licenses/MIT' ]; +const coreLicensesWhiteList = licenseWhiteList.toSpliced(licenseWhiteList.indexOf(VAADIN_LICENSE),1); + const cveWhiteList = { 'pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.4' : { cves: ['CVE-2023-35116'], 
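Review bot: In the reporting hunk (`@@ -617,6 +637,20 @@`) the `else` branch appends `- 📔 No Core License Issues\n` to `errMsg`, which, judging by its name and by the `errLic`/`errVul` variables beside it, presumably carries the failure text; a clean core check would then inject a non-error line into the error summary and, if a non-empty `errMsg` decides the exit status, fail the run. The success line belongs in `md`/`html` only, or in a message accumulator like the `msgVul` the vulnerability path uses. The markdown heading `### 📔 CoreLicenses` also disagrees with the HTML heading `📔 Core Licenses`; `### 📔 Core Licenses` keeps them consistent. Patch 3's `@@ -642,6 +638,7 @@` hunk adds the found-issues line to `errMsg` but leaves this `else` branch as is, so the point applies there too; main() continues outside the hunk.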
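Review bot: `licenseWhiteList.toSpliced(licenseWhiteList.indexOf(VAADIN_LICENSE),1)` removes the last element of the allowlist instead of nothing if VAADIN_LICENSE is ever missing from `licenseWhiteList`, because `indexOf` returns -1 and `toSpliced` counts negative offsets from the end; the shrunken list would then flag an unrelated, legitimately approved license. `toSpliced` is also ES2023 and throws a TypeError on Node releases before 20, which matters for a script still using `require`. `const coreLicensesWhiteList = licenseWhiteList.filter((l) => l !== VAADIN_LICENSE);` states the intent directly, is independent of the entry's position and runs on older Node. A short comment on why the commercial license is excluded for core, e.g. `// core artifacts are checked against the allowlist minus the commercial Vaadin license`, would help readers who did not see this commit.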
@@ -389,22 +391,16 @@ function sumarizeOWASP(f, summary) { return summary; } -function checkLicenses(licenses) { +function checkLicenses(licenses, whiteList) { let ret = ""; Object.keys(licenses).forEach(lic => { - if (licenseWhiteList.indexOf(lic) < 0) { + if (whiteList.indexOf(lic) < 0) { ret += ` - Invalid license '${lic}' in: ${licenses[lic].join(' and ')}\n`; } }); return ret; } -function checkCoreLicenses(){ - let ret=""; - console.log("Starting license check for Vaadin Core."); - return ret; -} - function checkVunerabilities(vuls) { let err = "", msg = ""; Object.keys(vuls).forEach(v => { @@ -552,9 +548,9 @@ async function main() { if(cmd.checkCoreLicenses){ log(`generating Core SBOM`); - await run('mvn -ntp -B org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom -q -f ../vaadin-core-sbom'); - coreLicenses = sumarizeLicenses('../vaadin-core-sbom/target/bom.json'); - coreLicensesResult = checkLicenses(coreLicenses); + await run('mvn -ntp -B org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom -q -f ' + coreProject); + coreLicenses = sumarizeLicenses(coreProject+'/target/bom.json'); + coreLicensesResult = checkLicenses(coreLicenses, coreLicensesWhiteList); } if (!cmd.quick) { @@ -610,7 +606,7 @@ async function main() { - const errLic = checkLicenses(licenses); + const errLic = checkLicenses(licenses, licenseWhiteList); const errVul = checkVunerabilities(vulnerabilities).err; const msgVul = checkVunerabilities(vulnerabilities).msg; let md = ""; @@ -642,6 +638,7 @@ async function main() { if (coreLicensesResult) { md += `\n### 🚫 Found Core License Issues\n`; html += `\n
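Review bot: `checkLicenses(licenses, whiteList)` gets no default for its new parameter, so any remaining one-argument caller throws a TypeError from `undefined.indexOf` instead of falling back to the previous behaviour; `function checkLicenses(licenses, whiteList = licenseWhiteList) {` keeps old call sites working while the two visible callers pass their list explicitly. `if (!whiteList.includes(lic)) {` reads better than `whiteList.indexOf(lic) < 0`. The function has no doc comment; a JSDoc block naming `licenses` as a map from license string to the packages using it, `whiteList` as the accepted license strings, and the return as an empty string when everything is accepted would pin the contract that both callers now rely on.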
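Review bot: In the `@@ -552,9 +548,9 @@` hunk the Maven command is built by concatenating the unquoted absolute path, `'... -q -f ' + coreProject`, so a checkout whose path contains a space hands mvn a split argument, assuming `run` (not visible here) goes through a shell. Quoting it in a template literal, `await run(\`mvn -ntp -B org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom -q -f "${coreProject}"\`);`, avoids that and matches the file's template-literal style. Likewise `coreProject+'/target/bom.json'` can use the already-required path module: `sumarizeLicenses(path.join(coreProject, 'target', 'bom.json'));`. main() continues outside the hunk.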

>🚫 Found Core License Issues

\n`; + errMsg += `- 📔 Found Core License Issues:\n` + coreLicensesResult+`\n`; md += reportLicenses(coreLicenses).md; html += reportLicenses(coreLicenses).html; } else { diff --git a/vaadin-core-sbom/pom.xml b/vaadin-core-sbom/pom.xml index ebe2ca3ad..b62c49399 100644 --- a/vaadin-core-sbom/pom.xml +++ b/vaadin-core-sbom/pom.xml @@ -5,7 +5,7 @@ com.vaadin vaadin-platform-parent - 24.5.3 + 24.6-SNAPSHOT vaadin-core-sbom jar
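Review bot: The added line builds the error text with `+` concatenation, `'- 📔 Found Core License Issues:\n' + coreLicensesResult+'\n'`, while the neighbouring `md +=`/`html +=` lines use template literals; `errMsg += \`- 🚫 Found Core License Issues:\n${coreLicensesResult}\n\`;` matches them and also uses the same 🚫 symbol the markdown heading two lines above uses for the failure case, instead of the 📔 that the `else` branch uses for success. main() continues outside the hunk.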