Pipeline for Maven #1953
Signed-off-by: Chin Yeung Li <tli@nexb.com>
- Update format Signed-off-by: Chin Yeung Li <tli@nexb.com>
…1763 - Update package's license if missing while the same package has license detected in RESOURCES Signed-off-by: Chin Yeung Li <tli@nexb.com>
tdruez left a comment:
- Create a new maven pipe module in place of use resolve
- Opening and loading a large file to make edits multiple times in various steps is not great.
- To be discussed: Do we need a dedicated pipeline for just an extra step? Shouldn't the original `scan_single_package` detect that it's a Maven package and apply the necessary? Any reason to keep this new logic separated?
| with open(self.scan_output_location) as file: | ||
| data = json.load(file) | ||
| # Return and do nothing if data has pom.xml | ||
| for file in data["files"]: | ||
| if "pom.xml" in file["path"]: | ||
| return | ||
| packages = data.get("packages", []) | ||
|
|
||
| pom_url_list = get_pom_url_list(self.project.input_sources[0], packages) | ||
| pom_file_list = download_pom_files(pom_url_list) | ||
| scanned_pom_packages, scanned_dependencies = scan_pom_files(pom_file_list) | ||
|
|
||
| updated_packages = packages + scanned_pom_packages | ||
| # Replace/Update the package and dependencies section | ||
| data["packages"] = updated_packages | ||
| data["dependencies"] = scanned_dependencies | ||
| with open(self.scan_output_location, "w") as file: | ||
| json.dump(data, file, indent=2) |
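Review bot: `data["dependencies"] = scanned_dependencies` at the end of this step overwrites the dependencies the scan already recorded, while packages are merged with `packages + scanned_pom_packages`; merge the dependencies the same way, or say in the comment that replacement is intended, and de-duplicate the merged package list, since plain concatenation can record the same package twice. The early return on `"pom.xml" in file["path"]` is a substring test, so any path that merely contains `pom.xml` (for example `pom.xml.bak`) also skips the download; comparing the file name exactly would be stricter. `self.project.input_sources[0]` raises `IndexError` when the project has no input source, and the loop variable `file` reuses the name of the handle from `with open(...) as file`.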
Code logic should not be on the pipeline itself but in dedicated and easily testable pipe functions.
| cls.extract_input_to_codebase_directory, | ||
| cls.extract_archives, | ||
| cls.run_scan, | ||
| cls.update_package_license_from_resource_if_missing, |
This may have quite an impact on the default ScanSinglePackage results. We should probably handle this one separately from the Maven context.
| if not packages or not resources: | ||
| return | ||
|
|
||
| updated_packages = update_package_license_from_resource_if_missing( |
We should use database queries instead of manipulating complex dictionaries.
| return pom_file_list | ||
|
|
||
|
|
||
| def scan_pom_files(pom_file_list): |
This is too complex, it needs to be refactored as smaller functions
| return scanned_pom_packages, scanned_pom_deps | ||
|
|
||
|
|
||
| def update_package_license_from_resource_if_missing(packages, resources): |
This should be query-based.
- Create a new maven pipe module
- Use database queries for update_package_license_from_resource_if_missing()
- Add tests

Signed-off-by: Chin Yeung Li <tli@nexb.com>
@tdruez I’ve updated the code to include support for the "D2D" option.
The "deploy_to_devel" option is equivalent to the "map_deploy_to_develop" pipeline, which runs on Java, JavaScript, Kotlin, and Scala as these are the languages commonly found in Maven projects.
Some projects encountered a unique constraint violation when a resource was already mapped:

```
duplicate key value violates unique constraint "scanpipe_codebaserelation_unique_relation"
DETAIL: Key (from_resource_id, to_resource_id, map_type)=(1512780, 1512790, jar_to_source) already exists.
```

Signed-off-by: Chin Yeung Li <tli@nexb.com>
