Application CycloneDX tests

Author: aloubyansky

integration-tests/maven/pom.xml

@@ -125,6 +125,23 @@
             <artifactId>quarkus-opentelemetry-deployment</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-cyclonedx-deployment</artifactId>
+            <scope>test</scope>
+            <version>${project.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>*</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.cyclonedx</groupId>
+            <artifactId>cyclonedx-core-java</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-project-core-extension-codestarts</artifactId>

integration-tests/maven/src/test/java/io/quarkus/maven/it/CycloneDxIT.java

@@ -0,0 +1,102 @@
+package io.quarkus.maven.it;
+
+import static io.quarkus.maven.it.CycloneDxTestUtils.*;
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.io.File;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
+import org.cyclonedx.model.Bom;
+import org.cyclonedx.model.Component;
+import org.junit.jupiter.api.Test;
+
+import io.quarkus.maven.it.verifier.MavenProcessInvocationResult;
+import io.quarkus.maven.it.verifier.RunningInvoker;
+
+@DisableForNative
+public class CycloneDxIT extends MojoTestBase {
+
+    private RunningInvoker running;
+    private File testDir;
+
+    @Test
+    public void testFastJar() throws Exception {
+        testDir = initProject("projects/cyclonedx-sbom", "projects/cyclonedx-sbom-fast-jar");
+        running = new RunningInvoker(testDir, false);
+        final MavenProcessInvocationResult result = running.execute(
+                List.of("package", "-DskipTests"),
+                Map.of());
+        assertThat(result.getProcess().waitFor()).isEqualTo(0);
+
+        final Bom bom = parseSbom(testDir, "quarkus-run-cyclonedx.json");
+        assertRunnerMainComponent(bom);
+
+        final List<Component> components = bom.getComponents();
+        assertThat(components).isNotEmpty();
+        assertComponent(components, "io.quarkus", "quarkus-rest", "runtime", "lib/main/");
+        assertComponent(components, "io.quarkus", "quarkus-rest-deployment", "development", null);
+        assertComponent(components, "io.quarkus", "quarkus-cyclonedx", "runtime", "lib/main/");
+        assertComponent(components, "io.quarkus", "quarkus-cyclonedx-deployment", "development", null);
+    }
+
+    @Test
+    public void testUberJar() throws Exception {
+        testDir = initProject("projects/cyclonedx-sbom", "projects/cyclonedx-sbom-uber-jar");
+        running = new RunningInvoker(testDir, false);
+
+        Properties p = new Properties();
+        p.setProperty("quarkus.package.jar.type", "uber-jar");
+
+        final MavenProcessInvocationResult result = running.execute(
+                List.of("package", "-DskipTests"),
+                Map.of(), p);
+        assertThat(result.getProcess().waitFor()).isEqualTo(0);
+
+        final Bom bom = parseSbom(testDir, "acme-app-1.0-SNAPSHOT-runner-cyclonedx.json");
+
+        final Component mainComponent = bom.getMetadata().getComponent();
+        assertThat(mainComponent).isNotNull();
+        assertThat(mainComponent.getGroup()).isEqualTo("org.acme");
+        assertThat(mainComponent.getName()).isEqualTo("acme-app");
+        assertThat(mainComponent.getVersion()).isEqualTo("1.0-SNAPSHOT");
+        assertThat(mainComponent.getType()).isEqualTo(Component.Type.APPLICATION);
+        assertThat(mainComponent.getPurl()).isEqualTo(
+                "pkg:maven/org.acme/acme-app@1.0-SNAPSHOT?classifier=runner&type=jar");
+        assertComponentScope(mainComponent, "runtime");
+
+        // uber-jar components have no evidence location
+        final List<Component> components = bom.getComponents();
+        assertThat(components).isNotEmpty();
+        assertComponent(components, "io.quarkus", "quarkus-rest", "runtime", null);
+        assertComponent(components, "io.quarkus", "quarkus-rest-deployment", "development", null);
+        assertComponent(components, "io.quarkus", "quarkus-cyclonedx", "runtime", null);
+        assertComponent(components, "io.quarkus", "quarkus-cyclonedx-deployment", "development", null);
+    }
+
+    @Test
+    public void testMutableJar() throws Exception {
+        testDir = initProject("projects/cyclonedx-sbom", "projects/cyclonedx-sbom-mutable-jar");
+        running = new RunningInvoker(testDir, false);
+
+        Properties p = new Properties();
+        p.setProperty("quarkus.package.jar.type", "mutable-jar");
+
+        final MavenProcessInvocationResult result = running.execute(
+                List.of("package", "-DskipTests"),
+                Map.of(), p);
+        assertThat(result.getProcess().waitFor()).isEqualTo(0);
+
+        final Bom bom = parseSbom(testDir, "quarkus-run-cyclonedx.json");
+        assertRunnerMainComponent(bom);
+
+        // mutable-jar includes deployment jars, so both runtime and development have locations
+        final List<Component> components = bom.getComponents();
+        assertThat(components).isNotEmpty();
+        assertComponent(components, "io.quarkus", "quarkus-rest", "runtime", "lib/main/");
+        assertComponent(components, "io.quarkus", "quarkus-rest-deployment", "development", "lib/deployment/");
+        assertComponent(components, "io.quarkus", "quarkus-cyclonedx", "runtime", "lib/main/");
+        assertComponent(components, "io.quarkus", "quarkus-cyclonedx-deployment", "development", "lib/deployment/");
+    }
+}

integration-tests/maven/src/test/java/io/quarkus/maven/it/CycloneDxNativeIT.java

@@ -0,0 +1,59 @@
+package io.quarkus.maven.it;
+
+import static io.quarkus.maven.it.CycloneDxTestUtils.*;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.awaitility.Awaitility.await;
+
+import java.io.File;
+import java.util.Collections;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import org.cyclonedx.model.Bom;
+import org.cyclonedx.model.Component;
+import org.junit.jupiter.api.Assumptions;
+import org.junit.jupiter.api.Test;
+
+import io.quarkus.maven.it.verifier.MavenProcessInvocationResult;
+import io.quarkus.maven.it.verifier.RunningInvoker;
+
+@EnableForNative
+public class CycloneDxNativeIT extends MojoTestBase {
+
+    @Test
+    public void testNativeImage() throws Exception {
+        final File testDir = initProject("projects/cyclonedx-sbom", "projects/cyclonedx-sbom-native");
+        final RunningInvoker running = new RunningInvoker(testDir, false);
+
+        final List<String> mvnArgs = TestUtils.nativeArguments("package", "-DskipTests", "-Dnative");
+        final MavenProcessInvocationResult result = running.execute(mvnArgs, Collections.emptyMap());
+        await().atMost(10, TimeUnit.MINUTES).until(() -> result.getProcess() != null && !result.getProcess().isAlive());
+        final String processLog = running.log();
+        try {
+            assertThat(processLog).containsIgnoringCase("BUILD SUCCESS");
+        } catch (AssertionError ae) {
+            Assumptions.assumeFalse(processLog.contains("Cannot find the `native-image"),
+                    "Skipping test since native-image tool isn't available");
+            throw ae;
+        } finally {
+            running.stop();
+        }
+
+        final Bom bom = parseSbom(testDir, "acme-app-1.0-SNAPSHOT-runner-cyclonedx.json");
+
+        // native image main component is a generic file component (no Maven coords)
+        final Component mainComponent = bom.getMetadata().getComponent();
+        assertThat(mainComponent).isNotNull();
+        assertThat(mainComponent.getName()).isEqualTo("acme-app-1.0-SNAPSHOT-runner");
+        assertThat(mainComponent.getVersion()).isEqualTo("1.0-SNAPSHOT");
+        assertThat(mainComponent.getType()).isEqualTo(Component.Type.APPLICATION);
+        assertThat(mainComponent.getPurl()).isEqualTo("pkg:generic/acme-app-1.0-SNAPSHOT-runner@1.0-SNAPSHOT");
+
+        final List<Component> components = bom.getComponents();
+        assertThat(components).isNotEmpty();
+        assertComponent(components, "io.quarkus", "quarkus-rest", "runtime", null);
+        assertComponent(components, "io.quarkus", "quarkus-rest-deployment", "development", null);
+        assertComponent(components, "io.quarkus", "quarkus-cyclonedx", "runtime", null);
+        assertComponent(components, "io.quarkus", "quarkus-cyclonedx-deployment", "development", null);
+    }
+}

integration-tests/maven/src/test/java/io/quarkus/maven/it/CycloneDxTestUtils.java

@@ -0,0 +1,94 @@
+package io.quarkus.maven.it;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.io.File;
+import java.util.List;
+
+import org.cyclonedx.model.Bom;
+import org.cyclonedx.model.Component;
+import org.cyclonedx.model.Property;
+import org.cyclonedx.model.component.evidence.Occurrence;
+import org.cyclonedx.parsers.JsonParser;
+
+final class CycloneDxTestUtils {
+
+    private CycloneDxTestUtils() {
+    }
+
+    static Bom parseSbom(File testDir, String sbomFileName) throws Exception {
+        final File sbomFile = new File(testDir, "target/" + sbomFileName);
+        assertThat(sbomFile).exists();
+        return new JsonParser().parse(sbomFile);
+    }
+
+    /**
+     * Asserts that the main component is the quarkus-run.jar runner
+     * (used by fast-jar and mutable-jar packaging).
+     */
+    static void assertRunnerMainComponent(Bom bom) {
+        final Component mainComponent = bom.getMetadata().getComponent();
+        assertThat(mainComponent).isNotNull();
+        assertThat(mainComponent.getName()).isEqualTo("quarkus-run.jar");
+        assertThat(mainComponent.getVersion()).isEqualTo("1.0-SNAPSHOT");
+        assertThat(mainComponent.getType()).isEqualTo(Component.Type.APPLICATION);
+        assertThat(mainComponent.getPurl()).isEqualTo("pkg:generic/quarkus-run.jar@1.0-SNAPSHOT");
+        assertComponentScope(mainComponent, "runtime");
+    }
+
+    /**
+     * Asserts that a component with the given group and name exists in the SBOM,
+     * has the expected scope property, and optionally has an evidence location
+     * starting with the given prefix.
+     *
+     * @param components the component list
+     * @param group expected group
+     * @param name expected artifact name
+     * @param expectedScope expected value of the quarkus:component:scope property
+     * @param expectedLocationPrefix if non-null, the component's evidence location must start with this prefix;
+     *        if null, no evidence location is expected
+     */
+    static void assertComponent(List<Component> components, String group, String name,
+            String expectedScope, String expectedLocationPrefix) {
+        final Component component = components.stream()
+                .filter(c -> group.equals(c.getGroup()) && name.equals(c.getName()))
+                .findFirst()
+                .orElse(null);
+        assertThat(component)
+                .as("Expected component %s:%s in SBOM", group, name)
+                .isNotNull();
+        assertComponentScope(component, expectedScope);
+        assertEvidenceLocation(component, expectedLocationPrefix);
+    }
+
+    static void assertComponentScope(Component component, String expectedScope) {
+        final List<Property> properties = component.getProperties();
+        assertThat(properties).isNotNull();
+        final String scope = properties.stream()
+                .filter(p -> "quarkus:component:scope".equals(p.getName()))
+                .map(Property::getValue)
+                .findFirst()
+                .orElse(null);
+        assertThat(scope)
+                .as("quarkus:component:scope of %s:%s", component.getGroup(), component.getName())
+                .isEqualTo(expectedScope);
+    }
+
+    private static void assertEvidenceLocation(Component component, String expectedLocationPrefix) {
+        if (expectedLocationPrefix == null) {
+            if (component.getEvidence() == null || component.getEvidence().getOccurrences() == null) {
+                return;
+            }
+            assertThat(component.getEvidence().getOccurrences())
+                    .as("Evidence locations of %s:%s", component.getGroup(), component.getName())
+                    .isEmpty();
+            return;
+        }
+        assertThat(component.getEvidence()).isNotNull();
+        final List<Occurrence> occurrences = component.getEvidence().getOccurrences();
+        assertThat(occurrences)
+                .as("Evidence locations of %s:%s", component.getGroup(), component.getName())
+                .isNotEmpty();
+        assertThat(occurrences.get(0).getLocation()).startsWith(expectedLocationPrefix);
+    }
+}

integration-tests/maven/src/test/resources-filtered/projects/cyclonedx-sbom/pom.xml

@@ -0,0 +1,69 @@
+<?xml version="1.0"?>
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>org.acme</groupId>
+  <artifactId>acme-app</artifactId>
+  <version>1.0-SNAPSHOT</version>
+  <packaging>quarkus</packaging>
+  <properties>
+    <compiler-plugin.version>${compiler-plugin.version}</compiler-plugin.version>
+    <maven.compiler.release>${maven.compiler.release}</maven.compiler.release>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+    <quarkus.platform.artifact-id>quarkus-bom</quarkus.platform.artifact-id>
+    <quarkus.platform.group-id>io.quarkus</quarkus.platform.group-id>
+    <quarkus.platform.version>${project.version}</quarkus.platform.version>
+  </properties>
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>\${quarkus.platform.group-id}</groupId>
+        <artifactId>\${quarkus.platform.artifact-id}</artifactId>
+        <version>\${quarkus.platform.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+  <dependencies>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-rest</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-cyclonedx</artifactId>
+    </dependency>
+  </dependencies>
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>\${quarkus.platform.group-id}</groupId>
+        <artifactId>quarkus-maven-plugin</artifactId>
+        <version>\${quarkus.platform.version}</version>
+        <extensions>true</extensions>
+      </plugin>
+      <plugin>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>\${compiler-plugin.version}</version>
+        <configuration>
+          <parameters>true</parameters>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+  <profiles>
+    <profile>
+      <id>native</id>
+      <activation>
+        <property>
+          <name>native</name>
+        </property>
+      </activation>
+      <properties>
+        <quarkus.native.enabled>true</quarkus.native.enabled>
+      </properties>
+    </profile>
+  </profiles>
+</project>

integration-tests/maven/src/test/resources-filtered/projects/cyclonedx-sbom/src/main/java/org/acme/GreetingResource.java

@@ -0,0 +1,16 @@
+package org.acme;
+
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.MediaType;
+
+@Path("/hello")
+public class GreetingResource {
+
+    @GET
+    @Produces(MediaType.TEXT_PLAIN)
+    public String hello() {
+        return "Hello from Quarkus REST";
+    }
+}