feat: [CMPA-604] Add distribution:url label to nodes on DepGraph when includeComponentMetadata#224
Open
calhar-snyk wants to merge 4 commits into
Conversation
Three correctness fixes for the distribution:url label feature:
- Gate the distribution:url path on includeComponentMetadata and drop the separate includeDistribution option. The feature is part of includeComponentMetadata, not its own flag; as written the path was gated on includeDistribution while repositoryPath was only resolved under includeComponentMetadata, so it could never run.
- Run dependency:list-repositories via subProcess.execute with the Maven working directory and --file targeting, mirroring the dependency-tree pipeline. Previously it ran with no cwd/--file, so off-cwd or monorepo-subdir poms resolved a different project's repositories (or none).
- Pass --batch-mode so CI/non-tty Maven output isn't decorated with colour codes or download-progress lines that break repo-line parsing.
…604] Cleanups for the includeComponentMetadata label passes:
- Extract collectM2Nodes + buildLabelMap into lib/parse/m2-batch.ts, a single bounded-concurrency batch loop. The hash-label and distribution-url passes were near-verbatim copies of the node-id union + slice/Promise.all/store-non-empty loop; now there is one.
- Resolve the node set and each node's artifact path once and share it across both passes, instead of rebuilding the node Set and recomputing dependencyIdToArtifactPath in each. readM2HashLabels and readRemoteRepositoryLabel now take the pre-resolved artifact path.
- Run the hash-label reads concurrently with the dependency:list-repositories subprocess rather than strictly after it, so inspect latency is the max of the two rather than their sum.
…PA-604]
- Read _remote.repositories through a bounded fs.open prefix read (64 KiB) instead of fs.readFile, mirroring the m2-hash-labels cap. A real file is a handful of short <filename>><repoId>= records, well under 1 KiB; the bound stops a misconfigured mirror that wrote a large HTML error page at this path from being buffered wholesale.
- Strip a trailing slash from the repository URL before joining the artifact's relative path, so a settings.xml/mirror URL like '.../maven2/' no longer yields a '.../maven2//com/...' double slash.
Adds m2-remote-repositories.spec.ts covering URL construction, the trailing-slash case, unknown repo id, and a missing file.
✅ Snyk checks have passed. No issues have been found so far.
danielroymoore approved these changes, Jun 26, 2026
What does this PR do?
Extends includeComponentMetadata to also emit a distribution:url label on each Maven node, recording the remote URL the artifact was originally resolved from. The URL is built from two sources in the local ~/.m2 repository:
- _remote.repositories (written by Maven next to each installed artifact) gives the repository id the artifact came from (e.g. central).
- mvn dependency:list-repositories maps that repository id to its base URL.
The artifact's repo-relative path is appended to the base URL to form the full distribution:url, which flows through to the CycloneDX ExternalReferences (distribution type).
Key behaviours:
- The node set and .m2 artifact path are computed a single time and shared between the hash-label and distribution-url passes (lib/parse/m2-batch.ts).
- Hash-label reads run concurrently with the dependency:list-repositories subprocess rather than serially.
Where should the reviewer start?
lib/parse/m2-remote-repositories.ts (the new parsing/URL logic) and the orchestration in lib/index.ts (inspect, the includeComponentMetadata block). lib/parse/m2-batch.ts is the small shared scaffold both label passes now use.
How should this be manually tested?
Against a Maven project whose dependencies are already resolved into ~/.m2 (so the _remote.repositories files exist):
Confirm distribution-type references appear with sane URLs. Worth spot-checking:
- Running with --file=subdir/pom.xml from a different working dir: labels should still resolve (the dependency:list-repositories call is now scoped with cwd/--file, mirroring the dependency-tree pipeline).
- Aggregate projects (--maven-aggregate-project): repositories are unioned across modules.
Direct-plugin alternative:
Then grep for distribution:url.
Automated coverage: npm run test:functional (see tests/jest/functional/m2-remote-repositories.spec.ts and m2-hash-labels.spec.ts).
Any background context you want to provide?
Builds on the existing includeComponentMetadata hash-label work and reuses the same .m2 access path. Notable correctness fixes folded in during review: the feature is gated solely on includeComponentMetadata (no separate flag); dependency:list-repositories runs with --batch-mode and proper cwd/--file targeting; the _remote.repositories read is byte-bounded (64 KiB) like the sibling hash-labels module; and the repo-URL join is trailing-slash-normalised.
What are the relevant tickets?
CMPA-604
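As an added worked example (not code from this PR or from the plugin), here is the two-source lookup the description and the background section above outline, in TypeScript: the `<filename>><repoId>=` record shape for _remote.repositories and the `id:`/`url:` line pairing in --batch-mode dependency:list-repositories output are assumptions about those formats, the sample inputs are constructed, and the 64 KiB prefix bound is simulated on an in-memory string rather than via fs.open.

```typescript
// Added example, not the plugin's own code. Assumed formats (labelled as assumptions):
//  - _remote.repositories: one "<filename>><repoId>=" record per line, '#' comment lines allowed
//  - mvn --batch-mode dependency:list-repositories: "[INFO] id: <repoId>" then "[INFO] url: <baseUrl>"
const MAX_REMOTE_REPOS_BYTES = 64 * 1024; // prefix-read cap from the PR, simulated on a string here

/** filename -> repoId from a _remote.repositories file; only its first 64 KiB are considered. */
export function parseRemoteRepositories(text: string): Map<string, string> {
  const out = new Map<string, string>();
  for (const raw of text.slice(0, MAX_REMOTE_REPOS_BYTES).split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const gt = line.indexOf('>');
    const eq = line.lastIndexOf('=');
    if (gt <= 0 || eq <= gt) continue; // malformed record (e.g. an HTML error page): skip, never throw
    out.set(line.slice(0, gt), line.slice(gt + 1, eq));
  }
  return out;
}

/** repoId -> base URL from dependency:list-repositories output; --batch-mode keeps the lines plain. */
export function parseListRepositories(output: string): Map<string, string> {
  const out = new Map<string, string>();
  let pendingId: string | undefined;
  for (const raw of output.split(/\r?\n/)) {
    const m = /^(id|url):\s*(\S+)$/.exec(raw.replace(/^\[INFO\]\s*/, '').trim());
    const key = m?.[1];
    const value = m?.[2];
    if (!key || !value) continue;
    if (key === 'id') pendingId = value;
    else if (pendingId) { out.set(pendingId, value); pendingId = undefined; }
  }
  return out;
}

/** Join base URL and repo-relative path without producing '.../maven2//com/...'. */
export function buildDistributionUrl(baseUrl: string, relPath: string): string {
  return `${baseUrl.replace(/\/+$/, '')}/${relPath.replace(/^\/+/, '')}`;
}

/** distribution:url for one artifact, or undefined when the file, record or repo id is unknown. */
export function resolveDistributionUrl(
  remoteRepos: string, artifactFile: string, relPath: string, repoUrls: Map<string, string>,
): string | undefined {
  const repoId = parseRemoteRepositories(remoteRepos).get(artifactFile);
  const base = repoId === undefined ? undefined : repoUrls.get(repoId);
  return base === undefined ? undefined : buildDistributionUrl(base, relPath);
}

// Constructed sample inputs (not captured from a real machine).
export const SAMPLE_REMOTE_REPOS =
  '#NOTE: constructed sample\nguava-33.0.0-jre.jar>central=\nguava-33.0.0-jre.pom>central=\nlegacy-1.0.jar>corp-mirror=\n';
export const SAMPLE_LIST_OUTPUT =
  '[INFO]        id: central\n[INFO]       url: https://repo.maven.apache.org/maven2/\n[INFO]    layout: default\n';
```

The `corp-mirror` record has no URL in the sample output, so it resolves to no label rather than a guessed one, which is the unknown-repo-id case the spec file covers.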