
feat: obtain Java and Python artifacts from .m2 or Python virtual environment from input #864


tromai

@tromai tromai commented Sep 17, 2024

Closes #811

Description

This pull request adds the following features:

  • The ability to provide Macaron with a Maven local repository
  • The ability to resolve the directories that contain artifacts corresponding to a PackageURL from the Maven local repository and/or the Python virtual environment.

Providing a Maven local repository.

A new CLI parameter, --local-maven-repo, is added that takes a path to a Maven local repo. This flag is optional.
If --local-maven-repo is not used, Macaron will load the path to the local Maven repo (at $HOME/.m2) if that directory is available.
Macaron will treat this Maven local repo as READ-ONLY.

What directory to mount if Macaron is being run as a Docker container?

If --local-maven-repo is provided to run_macaron.sh, the directory provided with this flag is mounted to ${MACARON_WORKSPACE}/analyze_local_maven_repo_readonly.

If --local-maven-repo is NOT provided to run_macaron.sh, the default behavior of run_macaron.sh is consistent with Macaron running as a package regarding loading the default location $HOME/.m2 of the host:

  • If $HOME/.m2/ of the host is not available, an empty directory is created within the output dir and mounted read-only to ${MACARON_WORKSPACE}/analyze_local_maven_repo_readonly. Macaron running within the Docker container is then given this empty directory as --local-maven-repo. We do so to avoid Macaron loading $HOME/.m2 as the Maven local repo inside the container, as $HOME/.m2 inside the container is being used by the cyclone-dx SBOM generator.
  • If $HOME/.m2/ of the host is available, it will be mounted to ${MACARON_WORKSPACE}/analyze_local_maven_repo_readonly.

Providing Python virtual environment as input

This has been implemented in #748.

Resolving artifacts from local repositories for a PackageURL

This is a high-level diagram of finding local artifacts for a PURL:

```mermaid
graph LR
purl[Input - PackageURL] -->patt_gen{1 - Generating glob patterns} -->patts(artifact dir glob patterns)

lrps[Input - Local repository path]

patts -->fa{2 - Find artifact dirs from local repo path}
lrps -->fa

fa -->result(Output - list of artifact directories existing within the local repo path.)
```

Generating glob patterns

From a PackageURL, we can directly obtain the glob patterns representing the location of artifact dirs in a local repo. These glob patterns will be different between a Maven PURL and a PyPI PURL.

Glob patterns matching on the repo path corresponding to the input PURL's type.

In Macaron (the main's Analyzer instance), we will store mappings between a PURL type (e.g. maven) and its corresponding local repo path (if provided by the user). Right now, we only have at most 2 entries:

  • maven maps to the Maven local repo path
  • pypi maps to the Python virtual env path

If the user doesn't provide a local repo path, there will be no entry for it in these mappings.

Using the input PURL's type, we will find the corresponding local repo path from this mapping.
Then we use the glob patterns obtained earlier to look for artifacts within this path. We don't raise an error if we cannot find any artifact dir that matches any of the glob patterns.

Storing the discovered artifacts paths

They will be stored in the analyze context instance's dynamic_data object as a list of strings.

Tasks

  • Add --local-maven-repo as CLI option.
  • Handle mounting .m2 depending on user provided --local-maven-repo into the container.
  • Add integration tests for invalid usages of --local-maven-repo
  • Add unit tests for run_macaron.sh adding --local-maven-repo behavior
  • Fix an issue with the dumps-defaults command not being handled in run_macaron.sh
  • Obtain directories and files corresponding to a Python software component from virtual environment.
    • Add unit tests.
  • Obtain directories and files corresponding to a Java software component from the cached .m2.
    • Add unit tests.
  • Add tutorial - will be worked on later - Create a tutorial for using the local maven repo #936

@tromai tromai self-assigned this Sep 17, 2024
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Sep 17, 2024
@tromai tromai force-pushed the 811-use-cached-artifacts-instead-of-downloading-them-when-possible branch from 4c95c95 to 7ac9e54 September 24, 2024 04:55
@tromai tromai force-pushed the 811-use-cached-artifacts-instead-of-downloading-them-when-possible branch from 7ac9e54 to 0020c0d December 3, 2024 23:50
@behnazh-w behnazh-w requested review from benmss and nicallen December 4, 2024 03:54
@tromai tromai marked this pull request as ready for review December 4, 2024 03:56
@tromai tromai requested a review from behnazh-w as a code owner December 4, 2024 03:56
@tromai tromai changed the title feat: obtain Java and Python artifacts from .m2 or Python virtual environment from input (WIP) feat: obtain Java and Python artifacts from .m2 or Python virtual environment from input Dec 4, 2024
@tromai tromai force-pushed the 811-use-cached-artifacts-instead-of-downloading-them-when-possible branch from f5a4c66 to da0f514 December 10, 2024 00:39
@tromai tromai force-pushed the 811-use-cached-artifacts-instead-of-downloading-them-when-possible branch from 65c9014 to 9a1da36 December 18, 2024 01:43
@tromai tromai merged commit 12d8593 into staging Dec 18, 2024
9 checks passed
@tromai tromai deleted the 811-use-cached-artifacts-instead-of-downloading-them-when-possible branch December 18, 2024 04:22