From: Kevin Sandi Date: Thu, 5 Jun 2025 06:03:11 +0000 (-0600) Subject: Feat: Add Nexus IQ scan through REST API X-Git-Tag: v0.92.0^0 X-Git-Url: https://gerrit.linuxfoundation.org/infra/gitweb?a=commitdiff_plain;ds=sidebyside;p=releng%2Fglobal-jjb.git Feat: Add Nexus IQ scan through REST API Additionally convert dep5 config to REUSE.toml as per reusable-workflows enforces using REUSE.toml from now on. Signed-off-by: Kevin Sandi Change-Id: I2004c34ebec30bc10b0fce32bf0d9c89374edd8a
---
diff --git a/.reuse/dep5 b/.reuse/dep5
deleted file mode 100644
index adac1679..00000000
--- a/.reuse/dep5
+++ /dev/null
@@ -1,49 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-
-Files: .github/*
-Copyright: 2017 The Linux Foundation
-License: EPL-1.0
-
-Files: node_modules/*
-Copyright: 2017 The Linux Foundation
-License: EPL-1.0
-
-Files: tests/.mypy*
-Copyright: 2017 The Linux Foundation
-License: EPL-1.0
-
-Files: tests/__pycache__/*
-Copyright: 2017 The Linux Foundation
-License: EPL-1.0
-
-Files: relnotes/*
-Copyright: 2017 The Linux Foundation
-License: EPL-1.0
-
-Files: releasenotes/*
-Copyright: 2017 The Linux Foundation
-License: EPL-1.0
-
-Files: jjb/*
-Copyright: 2017 The Linux Foundation
-License: EPL-1.0
-
-Files: .jjb-test/*
-Copyright: 2017 The Linux Foundation
-License: EPL-1.0
-
-Files: docs/*
-Copyright: 2017 The Linux Foundation
-License: CC-BY-4.0
-
-Files: jenkins-admin/*
-Copyright: 2017 The Linux Foundation
-License: EPL-1.0
-
-Files: schema/*
-Copyright: 2017 The Linux Foundation
-License: EPL-1.0
-
-Files: reusable-tox-run-action/*
-Copyright: 2017 The Linux Foundation
-License: EPL-1.0
diff --git a/REUSE.toml b/REUSE.toml
new file mode 100644
index 00000000..e7686e89
--- /dev/null
+++ b/REUSE.toml
@@ -0,0 +1,73 @@
+version = 1
+
+[[annotations]]
+path = ".github/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = "node_modules/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = "tests/.mypy**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = "tests/__pycache__/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = "relnotes/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = "releasenotes/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = "jjb/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = ".jjb-test/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = "docs/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "CC-BY-4.0"
+
+[[annotations]]
+path = "jenkins-admin/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = "schema/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = "reusable-tox-run-action/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
diff --git a/docs/jjb/lf-go-jobs.rst b/docs/jjb/lf-go-jobs.rst
index 9b88d6bb..2fb82e7b 100644
--- a/docs/jjb/lf-go-jobs.rst
+++ b/docs/jjb/lf-go-jobs.rst
@@ -17,7 +17,16 @@ Calls go-test.sh script against a Go project.
 lf-infra-nexus-iq-go-cli
 ------------------------
 
-Calls nexus-iq-go-cli.sh to CLM scan a Go project.
+Calls nexus-iq-go-cli.sh to CLM scan a Go project through CLI.
+
+:Required Parameters:
+
+    :NEXUS_IQ_PROJECT_NAME: Nexus IQ project name that will receive the CLM scan results.
+
+lf-infra-nexus-iq-go-api
+------------------------
+
+Calls nexus-iq-go-api.sh to CLM scan a Go project through REST API.
 
 :Required Parameters:
 
diff --git a/jjb/lf-go-jobs.yaml b/jjb/lf-go-jobs.yaml
index 81e10aab..adb6b840 100644
--- a/jjb/lf-go-jobs.yaml
+++ b/jjb/lf-go-jobs.yaml
@@ -17,6 +17,14 @@
 NEXUS_IQ_PROJECT_NAME={nexus-iq-project-name}
 - shell: !include-raw-escape: ../shell/nexus-iq-go-cli.sh
 
+- builder:
+ name: lf-infra-nexus-iq-go-api
+ builders:
+ - inject:
+ properties-content: |
+ NEXUS_IQ_PROJECT_NAME={nexus-iq-project-name}
+ - shell: !include-raw-escape: ../shell/nexus-iq-go-api.sh
+
 ############
 # WRAPPERS #
 ############
@@ -344,6 +352,7 @@
 git-url: "$GIT_URL/$PROJECT"
 github-url: "https://github.com"
 java-version: openjdk17 # Scanner is a jar
+ nexus-iq-use-cli: true
 nexus-iq-cli-version: 1.185.0-01
 nexus-iq-namespace: "" # Recommend a trailing dash when set. Example: odl-
 nexus-target-build: "go.sum"
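Review bot: The new job-template default `nexus-iq-use-cli: true` in the `@@ -344,6 +352,7 @@` hunk is the switch that selects the CLI or the REST API path (the two conditional steps in the `@@ -395,8 +404,24 @@` hunk on the next line key off it), but no hunk on this page documents it; the rst change only describes the `lf-infra-nexus-iq-go-api` builder, and the job-template's parameter section of docs/jjb/lf-go-jobs.rst may be outside this view. I would add to that section `:nexus-iq-use-cli: Run the scan with the Nexus IQ CLI (true) or through the REST API (false). (default: true)`. The REST path also reads `NEXUS_IQ_USER` and `NEXUS_IQ_PASSWORD` in nexus-iq-go-api.sh while the new `lf-infra-nexus-iq-go-api` builder only injects `NEXUS_IQ_PROJECT_NAME`, so the builder docs should say where those credentials are expected to come from (presumably a credentials binding on the job, which is not visible here).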
@@ -395,8 +404,24 @@
 - lf-update-java-alternatives:
 java-version: "{java-version}"
 - shell: "{pre-build-script}"
- - lf-infra-nexus-iq-go-cli:
- nexus-iq-project-name: "{nexus-iq-namespace}{project-name}"
+ # With CLI
+ - conditional-step:
+ condition-kind: boolean-expression
+ condition-expression: "{nexus-iq-use-cli}"
+ steps:
+ - shell: echo 'Using Nexus IQ CLI'
+ - lf-infra-nexus-iq-go-cli:
+ nexus-iq-project-name: "{nexus-iq-namespace}{project-name}"
+ # With REST API
+ - conditional-step:
+ condition-kind: not
+ condition-operand:
+ condition-kind: boolean-expression
+ condition-expression: "{nexus-iq-use-cli}"
+ steps:
+ - shell: echo 'Using Nexus IQ REST API'
+ - lf-infra-nexus-iq-go-api:
+ nexus-iq-project-name: "{nexus-iq-namespace}{project-name}"
 
 - job-template:
 name: "{project-name}-nexus-iq-go-clm-{stream}"
diff --git a/releasenotes/notes/nexus-iq-scan-through-api-336e114fb52f6183.yaml b/releasenotes/notes/nexus-iq-scan-through-api-336e114fb52f6183.yaml
new file mode 100644
index 00000000..cb6c1525
--- /dev/null
+++ b/releasenotes/notes/nexus-iq-scan-through-api-336e114fb52f6183.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Add support for running Nexus IQ scan through REST API when CLI option
+ is not enough, like when scanning a Golang project which requires
+ scanning the bom.xml file and CLI doesn't support it properly.
diff --git a/shell/nexus-iq-go-api.sh b/shell/nexus-iq-go-api.sh
new file mode 100644
index 00000000..2c7dafd3
--- /dev/null
+++ b/shell/nexus-iq-go-api.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+# SPDX-License-Identifier: EPL-1.0
+##############################################################################
+# Copyright (c) 2025 The Linux Foundation and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+##############################################################################
+echo "---> nexus-iq-go-api.sh"
+# This script installs and runs cyclonedx-gomod to generate an SBOM xml
+# for the Go project, then uses Nexus IQ REST API to analyze the Go project
+# dependencies and publishes the result to Nexus IQ server.
+
+# stop on error or unbound variable
+set -eu
+# do not print commands, credentials should not be logged
+set +x
+
+# shellcheck disable=SC1090
+. ~/lf-env.sh
+
+go version
+go mod tidy
+
+echo "INFO: running Nexus IQ scan (through REST API) on project $NEXUS_IQ_PROJECT_NAME and target: bom.xml"
+
+go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
+PATH=$PATH:$(go env GOPATH)/bin
+export PATH
+cyclonedx-gomod mod -output bom.xml -output-version 1.5 # upgrade to latest SBOM schema version when Nexus IQ version >= 180
+
+APP_ID=$(curl -u "${NEXUS_IQ_USER}:${NEXUS_IQ_PASSWORD}" \
+ -X GET "https://nexus-iq.wl.linuxfoundation.org/api/v2/applications?publicId={$NEXUS_IQ_PROJECT_NAME}" \
+ -s \
+ | jq -r ".applications[].id")
+
+curl -u "${NEXUS_IQ_USER}:${NEXUS_IQ_PASSWORD}" \
+ -X POST -H "Content-Type: application/xml" --data "@bom.xml" \
+ "https://nexus-iq.wl.linuxfoundation.org/api/v2/scan/applications/$APP_ID/sources/cyclonedx"
+
+echo "---> nexus-iq-go-api.sh ends"
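Review bot: The application lookup writes `publicId={$NEXUS_IQ_PROJECT_NAME}` with the braces outside the expansion, so the query literally sends `publicId={<name>}` rather than the project name; when nothing matches, `APP_ID` is empty and the upload is POSTed to `.../scan/applications//sources/cyclonedx`, which `set -eu` does not catch. Neither curl passes `--fail` and there is no `pipefail`, so an HTTP error or a failing curl inside the `| jq` pipeline does not stop the script, and `--data` (as opposed to `--data-binary`) strips newlines from bom.xml before it is sent. The rewrite below fixes the expansion, enables pipefail and `--fail`, and aborts unless exactly one application id comes back (jq's `.applications[].id` prints one line per match). Separately, the `-u user:password` argument is visible to other local processes via `ps` for the duration of each call despite `set +x`, so a curl config file (`-K`) or `--netrc-file` would keep the credential out of argv, and `go install ...@latest` could be pinned to a version for reproducible SBOMs.
```shell
# stop on error, unbound variable, or any failing stage of a pipeline
set -euo pipefail
# … unchanged: set +x, lf-env.sh, go mod tidy, cyclonedx-gomod SBOM generation …

# Resolve the public id to the internal application id; --fail turns HTTP errors into a non-zero exit.
APP_ID=$(curl -sS --fail -u "${NEXUS_IQ_USER}:${NEXUS_IQ_PASSWORD}" \
    -X GET "https://nexus-iq.wl.linuxfoundation.org/api/v2/applications?publicId=${NEXUS_IQ_PROJECT_NAME}" \
    | jq -r '.applications[].id')
# jq emits one id per matching application; refuse to upload unless there is exactly one.
if [[ -z "$APP_ID" || "$APP_ID" == *$'\n'* ]]; then
    echo "ERROR: expected exactly one Nexus IQ application for publicId '$NEXUS_IQ_PROJECT_NAME'" >&2
    exit 1
fi

# --data-binary sends bom.xml byte-for-byte; --data would strip newlines.
curl -sS --fail -u "${NEXUS_IQ_USER}:${NEXUS_IQ_PASSWORD}" \
    -X POST -H "Content-Type: application/xml" --data-binary "@bom.xml" \
    "https://nexus-iq.wl.linuxfoundation.org/api/v2/scan/applications/${APP_ID}/sources/cyclonedx"
```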