add CycloneDxAggregateEnforceMojo

Signed-off-by: XenoAmess <xenoamess@gmail.com>

Author: XenoAmess

pom.xml

@@ -171,6 +171,17 @@
             <scope>test</scope>
             <version>3.0.0</version>
         </dependency>
+        <dependency>
+            <groupId>org.spdx</groupId>
+            <artifactId>java-spdx-library</artifactId>
+            <version>1.0.10</version>
+        </dependency>
+        <dependency>
+            <groupId>org.jetbrains</groupId>
+            <artifactId>annotations</artifactId>
+            <scope>provided</scope>
+            <version>23.0.0</version>
+        </dependency>
     </dependencies>
 
     <prerequisites>

src/main/java/org/cyclonedx/maven/BaseCycloneDxMojo.java

@@ -93,6 +93,7 @@
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
 import org.apache.commons.io.input.BOMInputStream;
+import org.jetbrains.annotations.NotNull;
 
 import static org.apache.maven.artifact.Artifact.SCOPE_COMPILE;
 
@@ -170,6 +171,21 @@ public abstract class BaseCycloneDxMojo extends AbstractMojo implements Contextu
     @Parameter(property = "cyclonedx.verbose", defaultValue = "true", required = false)
     private boolean verbose = true;
 
+    @Parameter(property = "enforceExcludeArtifactId", required = false)
+    protected String[] enforceExcludeArtifactId;
+
+    @Parameter(property = "enforceComponentsSameVersion", defaultValue = "true", required = false)
+    protected boolean enforceComponentsSameVersion = true;
+
+    @Parameter(property = "enforceLicensesBlackList", required = false)
+    protected String[] enforceLicensesBlackList;
+
+    @Parameter(property = "enforceLicensesWhiteList", required = false)
+    protected String[] enforceLicensesWhiteList;
+
+    @Parameter(property = "mergeBomFile", required = false)
+    protected File mergeBomFile;
+
     /**
      * Various messages sent to console.
      */
@@ -764,7 +780,7 @@ private MavenProject readPom(InputStream in) {
     protected void execute(Set<Component> components, Set<Dependency> dependencies, MavenProject mavenProject) throws MojoExecutionException {
         try {
             getLog().info(MESSAGE_CREATING_BOM);
-            final Bom bom = new Bom();
+            Bom bom = new Bom();
             if (schemaVersion().getVersion() >= 1.1 && includeBomSerialNumber) {
                 bom.setSerialNumber("urn:uuid:" + UUID.randomUUID());
             }
@@ -794,13 +810,48 @@ protected void execute(Set<Component> components, Set<Dependency> dependencies,
                 return;
             }
 
+            bom = postProcessingBom(bom);
+
             createBom(bom, mavenProject);
 
-        } catch (GeneratorException | ParserConfigurationException | IOException e) {
+        } catch (Exception e) {
             throw new MojoExecutionException("An error occurred executing " + this.getClass().getName() + ": " + e.getMessage(), e);
         }
     }
 
+    @NotNull
+    protected Bom postProcessingBom(@NotNull Bom bom) throws Exception {
+        if (mergeBomFile != null) {
+            Bom mergeBom;
+            try {
+                mergeBom = new JsonParser().parse(mergeBomFile);
+            } catch (Exception e) {
+                mergeBom = new XmlParser().parse(mergeBomFile);
+            }
+            {
+                LinkedHashSet<Component> components = new LinkedHashSet<>();
+                if (mergeBom.getComponents() != null) {
+                    components.addAll(mergeBom.getComponents());
+                }
+                if (bom.getComponents() != null) {
+                    components.addAll(bom.getComponents());
+                }
+                bom.setComponents(new ArrayList<>(components));
+            }
+            {
+                LinkedHashSet<Dependency> dependencies = new LinkedHashSet<>();
+                if (mergeBom.getDependencies() != null) {
+                    dependencies.addAll(mergeBom.getDependencies());
+                }
+                if (bom.getDependencies() != null) {
+                    dependencies.addAll(bom.getDependencies());
+                }
+                bom.setDependencies(new ArrayList<>(dependencies));
+            }
+        }
+        return bom;
+    }
+
     private void createBom(Bom bom, MavenProject mavenProject) throws ParserConfigurationException, IOException, GeneratorException,
             MojoExecutionException {
         if (outputFormat.trim().equalsIgnoreCase("all") || outputFormat.trim().equalsIgnoreCase("xml")) {

src/main/java/org/cyclonedx/maven/CycloneDxAggregateEnforceMojo.java

@@ -0,0 +1,206 @@
+/*
+ * This file is part of CycloneDX Maven Plugin.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.cyclonedx.maven;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.commons.lang3.ArrayUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.tuple.Pair;
+import org.apache.maven.plugin.MojoFailureException;
+import org.apache.maven.plugins.annotations.LifecyclePhase;
+import org.apache.maven.plugins.annotations.Mojo;
+import org.apache.maven.plugins.annotations.ResolutionScope;
+import org.cyclonedx.maven.utils.SpdxLicenseUtil;
+import org.cyclonedx.model.Bom;
+import org.cyclonedx.model.Component;
+import org.cyclonedx.model.License;
+import org.cyclonedx.model.LicenseChoice;
+import org.jetbrains.annotations.NotNull;
+import org.spdx.library.InvalidSPDXAnalysisException;
+import org.spdx.library.model.license.AnyLicenseInfo;
+import org.spdx.library.model.license.LicenseInfoFactory;
+
+@Mojo(
+        name = "enforceAggregateBom",
+        defaultPhase = LifecyclePhase.PACKAGE,
+        aggregator = true,
+        requiresOnline = true,
+        requiresDependencyCollection = ResolutionScope.TEST,
+        requiresDependencyResolution = ResolutionScope.TEST
+)
+public class CycloneDxAggregateEnforceMojo extends CycloneDxAggregateMojo {
+
+    @Override
+    protected boolean shouldExclude(@NotNull String mavenProjectArtifactId) {
+        if (super.shouldExclude(mavenProjectArtifactId)) {
+            return true;
+        }
+        if (enforceExcludeArtifactId != null && enforceExcludeArtifactId.length > 0) {
+            if (Arrays.asList(enforceExcludeArtifactId).contains(mavenProjectArtifactId)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    @Override
+    @NotNull
+    protected Bom postProcessingBom(@NotNull Bom bom) throws Exception {
+        bom = super.postProcessingBom(bom);
+        doEnforceComponentsSameVersion(bom);
+        doEnforceLicensesBlackListAndWhiteList(bom);
+        return bom;
+    }
+
+    private void doEnforceComponentsSameVersion(@NotNull Bom bom) throws MojoFailureException {
+        if (this.enforceComponentsSameVersion) {
+            List<Component> components = bom.getComponents();
+            if (components != null) {
+                Map<Pair<String, String>, Set<String>> componentMap =
+                        new HashMap<>((int) Math.ceil(components.size() / 0.75));
+                for (Component component : components) {
+                    if (component == null) {
+                        continue;
+                    }
+                    String group = component.getGroup();
+                    String name = component.getName();
+                    String version = component.getVersion();
+                    Pair<String, String> key = Pair.of(group, name);
+                    Set<String> versions = componentMap.computeIfAbsent(
+                            key,
+                            stringStringPair -> new HashSet<>()
+                    );
+                    versions.add(version);
+                }
+                StringBuilder stringBuilder = new StringBuilder();
+                for (Map.Entry<Pair<String, String>, Set<String>> entry : componentMap.entrySet()) {
+                    Pair<String, String> key = entry.getKey();
+                    Set<String> versions = entry.getValue();
+                    if (versions.size() > 1) {
+                        stringBuilder
+                                .append("[ERROR]Duplicated versions for ")
+                                .append(key.getLeft())
+                                .append(":")
+                                .append(key.getRight())
+                                .append(" , versions : ")
+                                .append(StringUtils.join(versions.iterator(), ","))
+                                .append("\n");
+                    }
+                }
+                if (stringBuilder.length() > 0) {
+                    throw new MojoFailureException(stringBuilder.toString());
+                }
+            }
+        }
+    }
+
+    private void doEnforceLicensesBlackListAndWhiteList(@NotNull Bom bom) throws MojoFailureException {
+        List<Component> components = bom.getComponents();
+        if (components != null) {
+            StringBuilder stringBuilder = new StringBuilder();
+            for (Component component : components) {
+                if (component == null) {
+                    continue;
+                }
+                String group = component.getGroup();
+                String name = component.getName();
+                LicenseChoice licenseChoice = component.getLicenseChoice();
+                if (licenseChoice == null) {
+                    continue;
+                }
+                if (StringUtils.isNotBlank(licenseChoice.getExpression())) {
+                    try {
+                        AnyLicenseInfo anyLicenseInfo = LicenseInfoFactory.parseSPDXLicenseString(licenseChoice.getExpression());
+                        if (!ArrayUtils.isEmpty(this.enforceLicensesBlackList)) {
+                            if (!SpdxLicenseUtil.isLicensePassBlackList(anyLicenseInfo, this.enforceLicensesBlackList)) {
+                                stringBuilder
+                                        .append("[ERROR]License in blackList for ")
+                                        .append(group)
+                                        .append(":")
+                                        .append(name)
+                                        .append(" , license : ")
+                                        .append(licenseChoice.getExpression())
+                                        .append("\n");
+                            }
+                        }
+                        if (!ArrayUtils.isEmpty(this.enforceLicensesWhiteList)) {
+                            if (!SpdxLicenseUtil.isLicensePassWhiteList(anyLicenseInfo, this.enforceLicensesWhiteList)) {
+                                stringBuilder
+                                        .append("[ERROR]License not in whiteList for ")
+                                        .append(group)
+                                        .append(":")
+                                        .append(name)
+                                        .append(" , license : ")
+                                        .append(licenseChoice.getExpression())
+                                        .append("\n");
+                            }
+                        }
+                    } catch (InvalidSPDXAnalysisException e) {
+                        getLog().warn(e);
+                    }
+                } else if (licenseChoice.getLicenses() != null) {
+                    for (License license : licenseChoice.getLicenses()) {
+                        if (!ArrayUtils.isEmpty(this.enforceLicensesBlackList)) {
+                            if (
+                                    ArrayUtils.contains(this.enforceLicensesBlackList, license.getId())
+                                            || ArrayUtils.contains(this.enforceLicensesBlackList, license.getName())
+                            ) {
+                                stringBuilder
+                                        .append("[ERROR]License in blackList for ")
+                                        .append(group)
+                                        .append(":")
+                                        .append(name)
+                                        .append(" , license : ")
+                                        .append(license.getId())
+                                        .append("\n");
+                            }
+                        }
+                        if (!ArrayUtils.isEmpty(this.enforceLicensesWhiteList)) {
+                            if (
+                                    !(
+                                            ArrayUtils.contains(this.enforceLicensesBlackList, license.getId())
+                                                    || ArrayUtils.contains(this.enforceLicensesBlackList, license.getName())
+                                    )
+                            ) {
+                                stringBuilder
+                                        .append("[ERROR]License not in whiteList for ")
+                                        .append(group)
+                                        .append(":")
+                                        .append(name)
+                                        .append(" , license : ")
+                                        .append(license.getId())
+                                        .append("\n");
+                            }
+                        }
+                    }
+                }
+            }
+            if (stringBuilder.length() > 0) {
+                throw new MojoFailureException(stringBuilder.toString());
+            }
+        }
+    }
+
+}

src/main/java/org/cyclonedx/maven/CycloneDxAggregateMojo.java

@@ -20,14 +20,14 @@
 
 import org.apache.maven.artifact.Artifact;
 import org.apache.maven.plugin.MojoExecutionException;
-import org.apache.maven.plugins.annotations.Execute;
 import org.apache.maven.plugins.annotations.LifecyclePhase;
 import org.apache.maven.plugins.annotations.Mojo;
 import org.apache.maven.plugins.annotations.ResolutionScope;
 import org.apache.maven.project.MavenProject;
 import org.apache.maven.shared.dependency.analyzer.ProjectDependencyAnalysis;
 import org.cyclonedx.model.Component;
 import org.cyclonedx.model.Dependency;
+import org.jetbrains.annotations.NotNull;
 
 import java.util.Arrays;
 import java.util.LinkedHashMap;
@@ -45,17 +45,20 @@
 )
 public class CycloneDxAggregateMojo extends BaseCycloneDxMojo {
 
-    protected boolean shouldExclude(MavenProject mavenProject) {
-        boolean shouldExclude = false;
+    protected boolean shouldExclude(@NotNull MavenProject mavenProject) {
+        return this.shouldExclude(mavenProject.getArtifactId());
+    }
+
+    protected boolean shouldExclude(@NotNull String mavenProjectArtifactId) {
         if (excludeArtifactId != null && excludeArtifactId.length > 0) {
-            shouldExclude = Arrays.asList(excludeArtifactId).contains(mavenProject.getArtifactId());
-        }
-        if (excludeTestProject && mavenProject.getArtifactId().contains("test")) {
-            shouldExclude = true;
+            if (Arrays.asList(excludeArtifactId).contains(mavenProjectArtifactId)) {
+                return true;
+            }
         }
-        return shouldExclude;
+        return excludeTestProject && mavenProjectArtifactId.contains("test");
     }
 
+    @Override
     public void execute() throws MojoExecutionException {
         final boolean shouldSkip = Boolean.parseBoolean(System.getProperty("cyclonedx.skip", Boolean.toString(getSkip())));
         if (shouldSkip) {