chore: revert the changes in DependencyAnalyzer.resolve_dependencies

These changes were to separate the resolving dependencies using SBOM generator and resolving dependencies from SBOM files. These changes were necessary for this PR back when I first work on it (before the merging of #388). However, after #388 is merged and further discussion, this change is no longer necessary. Signed-off-by: Trong Nhan Mai <[email protected]>
oracle · Sep 23, 2023 · ebc9696 · ebc9696
1 parent f190924
commit ebc9696
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 11 deletions.
diff --git a/src/macaron/dependency_analyzer/dependency_resolver.py b/src/macaron/dependency_analyzer/dependency_resolver.py
@@ -268,13 +268,15 @@ def tool_valid(tool: str) -> bool:
         return True
 
     @staticmethod
-    def resolve_dependencies(main_ctx: Any) -> dict[str, DependencyInfo]:
+    def resolve_dependencies(main_ctx: Any, sbom_path: str) -> dict[str, DependencyInfo]:
         """Resolve the dependencies of the main target repo.
 
         Parameters
         ----------
         main_ctx : Any (AnalyzeContext)
             The context of object of the target repository.
+        sbom_path: str
+            The path to the SBOM.
 
         Returns
         -------
@@ -283,6 +285,20 @@ def resolve_dependencies(main_ctx: Any) -> dict[str, DependencyInfo]:
         """
         deps_resolved: dict[str, DependencyInfo] = {}
 
+        if sbom_path:
+            logger.info("Getting the dependencies from the SBOM defined at %s.", sbom_path)
+            # Import here to avoid circular dependency
+            # pylint: disable=import-outside-toplevel, cyclic-import
+            from macaron.dependency_analyzer.cyclonedx import get_deps_from_sbom
+
+            deps_resolved = get_deps_from_sbom(sbom_path)
+
+            # Use repo finder to find more repositories to analyze.
+            if defaults.getboolean("repofinder", "find_repos"):
+                DependencyAnalyzer._resolve_more_dependencies(deps_resolved)
+
+            return deps_resolved
+
         build_tools = main_ctx.dynamic_data["build_spec"]["tools"]
         if not build_tools:
             logger.info("Unable to find any valid build tools.")
@@ -351,6 +367,10 @@ def resolve_dependencies(main_ctx: Any) -> dict[str, DependencyInfo]:
 
             logger.info("Stored dependency resolver log for %s to %s.", dep_analyzer.tool_name, log_path)
 
+        # Use repo finder to find more repositories to analyze.
+        if defaults.getboolean("repofinder", "find_repos"):
+            DependencyAnalyzer._resolve_more_dependencies(deps_resolved)
+
         return deps_resolved
 
     @staticmethod

diff --git a/src/macaron/slsa_analyzer/analyzer.py b/src/macaron/slsa_analyzer/analyzer.py
@@ -17,13 +17,11 @@
 from sqlalchemy.orm import Session
 
 from macaron import __version__
-from macaron.config.defaults import defaults
 from macaron.config.global_config import global_config
 from macaron.config.target_config import Configuration
 from macaron.database.database_manager import DatabaseManager, get_db_manager, get_db_session
 from macaron.database.table_definitions import Analysis, Component, Repository
 from macaron.dependency_analyzer import DependencyAnalyzer, DependencyInfo
-from macaron.dependency_analyzer.cyclonedx import get_deps_from_sbom
 from macaron.errors import CloneError, DuplicateError, InvalidPURLError, PURLNotFoundError, RepoCheckOutError
 from macaron.output_reporter.reporter import FileReporter
 from macaron.output_reporter.results import Record, Report, SCMStatus
@@ -157,15 +155,8 @@ def run(self, user_config: dict, sbom_path: str = "", skip_deps: bool = False) -
                 # Run the chosen dependency analyzer plugin.
                 if skip_deps:
                     logger.info("Skipping automatic dependency analysis...")
-                elif sbom_path:
-                    logger.info("Getting the dependencies from the SBOM defined at %s.", sbom_path)
-                    deps_resolved = get_deps_from_sbom(sbom_path)
                 else:
-                    deps_resolved = DependencyAnalyzer.resolve_dependencies(main_record.context)
-
-                # Use repo finder to find more repositories to analyze.
-                if defaults.getboolean("repofinder", "find_repos"):
-                    DependencyAnalyzer._resolve_more_dependencies(deps_resolved)
+                    deps_resolved = DependencyAnalyzer.resolve_dependencies(main_record.context, sbom_path)
 
                 # Merge the automatically resolved dependencies with the manual configuration.
                 deps_config = DependencyAnalyzer.merge_configs(deps_config, deps_resolved)