feat: support running the analysis with SBOM and the main software component with no repository #165

Merged
chore: allow the main analysis to continue if there is no repository for the main software component but an SBOM is provided
tromai committed Sep 22, 2023

commit a64b80552c4041ce09c960e36682393b5778305a
22 changes: 1 addition & 21 deletions src/macaron/dependency_analyzer/dependency_resolver.py
@@ -268,15 +268,13 @@ def tool_valid(tool: str) -> bool:
return True

@staticmethod
def resolve_dependencies(main_ctx: Any, sbom_path: str) -> dict[str, DependencyInfo]:
def resolve_dependencies(main_ctx: Any) -> dict[str, DependencyInfo]:
"""Resolve the dependencies of the main target repo.

Parameters
----------
main_ctx : Any (AnalyzeContext)
The context of object of the target repository.
sbom_path: str
The path to the SBOM.

Returns
-------
@@ -285,20 +283,6 @@ def resolve_dependencies(main_ctx: Any, sbom_path: str) -> dict[str, DependencyI
"""
deps_resolved: dict[str, DependencyInfo] = {}

if sbom_path:
logger.info("Getting the dependencies from the SBOM defined at %s.", sbom_path)
# Import here to avoid circular dependency
# pylint: disable=import-outside-toplevel, cyclic-import
from macaron.dependency_analyzer.cyclonedx import get_deps_from_sbom

deps_resolved = get_deps_from_sbom(sbom_path)

# Use repo finder to find more repositories to analyze.
if defaults.getboolean("repofinder", "find_repos"):
DependencyAnalyzer._resolve_more_dependencies(deps_resolved)

return deps_resolved

build_tools = main_ctx.dynamic_data["build_spec"]["tools"]
if not build_tools:
logger.info("Unable to find any valid build tools.")
@@ -367,10 +351,6 @@ def resolve_dependencies(main_ctx: Any, sbom_path: str) -> dict[str, DependencyI

logger.info("Stored dependency resolver log for %s to %s.", dep_analyzer.tool_name, log_path)

# Use repo finder to find more repositories to analyze.
if defaults.getboolean("repofinder", "find_repos"):
DependencyAnalyzer._resolve_more_dependencies(deps_resolved)

return deps_resolved

@staticmethod
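Review bot: The docstring under the new `def resolve_dependencies(main_ctx: Any)` still describes the method as resolving the dependencies of the main target repo, but with the `# Use repo finder to find more repositories to analyze.` block removed from both the SBOM branch and the tail of the method, repo-finder expansion is now the caller's responsibility and the docstring should say so, e.g. `Repo-finder expansion of the result is not performed here; the caller is expected to do it.`. With the `if sbom_path:` branch gone, `defaults` may no longer be referenced in this module; if the rest of the file (not visible here) has no other use, the corresponding import should be dropped as well. The method body spans the second and third hunks, with lines in between outside the view.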
2 changes: 1 addition & 1 deletion src/macaron/output_reporter/templates/macaron.html
@@ -206,7 +206,7 @@

<button class="fancy-button" onclick="expandAll()">Expand All</button>
<button class="fancy-button" onclick="collapseAll()">Collapse All</button>
{{ macaron_macros.render_tree_view_nested_list(target.provenances.content) | indent(4) }}
{{ render_tree_view_nested_list(target.provenances.content) | indent(4) }}

<div class='space_divider'></div>

11 changes: 10 additions & 1 deletion src/macaron/slsa_analyzer/analyzer.py
@@ -17,11 +17,13 @@
from sqlalchemy.orm import Session

from macaron import __version__
from macaron.config.defaults import defaults
from macaron.config.global_config import global_config
from macaron.config.target_config import Configuration
from macaron.database.database_manager import DatabaseManager, get_db_manager, get_db_session
from macaron.database.table_definitions import Analysis, Component, Repository
from macaron.dependency_analyzer import DependencyAnalyzer, DependencyInfo
from macaron.dependency_analyzer.cyclonedx import get_deps_from_sbom
from macaron.errors import CloneError, DuplicateError, InvalidPURLError, PURLNotFoundError, RepoCheckOutError
from macaron.output_reporter.reporter import FileReporter
from macaron.output_reporter.results import Record, Report, SCMStatus
@@ -155,8 +157,15 @@ def run(self, user_config: dict, sbom_path: str = "", skip_deps: bool = False) -
# Run the chosen dependency analyzer plugin.
if skip_deps:
logger.info("Skipping automatic dependency analysis...")
elif sbom_path:
logger.info("Getting the dependencies from the SBOM defined at %s.", sbom_path)
deps_resolved = get_deps_from_sbom(sbom_path)
else:
deps_resolved = DependencyAnalyzer.resolve_dependencies(main_record.context, sbom_path)
deps_resolved = DependencyAnalyzer.resolve_dependencies(main_record.context)

# Use repo finder to find more repositories to analyze.
if defaults.getboolean("repofinder", "find_repos"):
DependencyAnalyzer._resolve_more_dependencies(deps_resolved)

# Merge the automatically resolved dependencies with the manual configuration.
deps_config = DependencyAnalyzer.merge_configs(deps_config, deps_resolved)
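Review bot: `DependencyAnalyzer._resolve_more_dependencies(deps_resolved)` after the `# Use repo finder to find more repositories to analyze.` comment calls a leading-underscore static method from outside its class; now that this step runs from `run()` instead of inside `resolve_dependencies`, it should be promoted to a public name (e.g. `resolve_more_dependencies`) so the call does not rely on a private member and does not need a protected-access lint suppression. The repo-finder block also runs on the `skip_deps` path: if `deps_resolved` is only bound in the `elif`/`else` branches and not initialised earlier in `run()` (which starts outside this hunk) that path raises NameError, and if it is initialised to an empty dict the repo finder is invoked for nothing, so guarding it as `if not skip_deps and defaults.getboolean("repofinder", "find_repos"):` would make the intent explicit. `get_deps_from_sbom(sbom_path)` now parses a user-supplied file directly in `run()`; which exception a malformed SBOM produces is not visible here, so a comment at the call site stating what it can raise and whether `run()` is expected to catch it would help the next reader.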