From 4082e0a566179aa25ea50e870d077e2b8318995e Mon Sep 17 00:00:00 2001
From: Jessica Wagantall
Date: Tue, 29 Nov 2022 11:55:03 -0800
Subject: [PATCH] Fix: Use NEXUS_TARGET_BUILD in Nexus IQ CLI scanner
Replace Nexus IQ build Target from "${REQUIREMENTS_FILE}" to "${NEXUS_TARGET_BUILD}". The scanner is only including the requirements.txt file in its scan which should not contain other information than python package requirements. Instead, use a "${NEXUS_TARGET_BUILD}" parameter which the user can optionally provide to the scanner to indicate a file or directory to include in the scan. By default, this variable is **/*. For more information on how to use the "Target" parameter: https://help.sonatype.com/iqserver/integrations/nexus-iq-cli#NexusIQCLI
Issue: RELENG-4530
Signed-off-by: Jessica Wagantall
Change-Id: Ifb6947de3d0ff282d461b12332e6d4c2f4ac0198
---
 docs/jjb/lf-python-jobs.rst | 2 ++
 jjb/lf-python-jobs.yaml | 5 +++++
 .../notes/nexus-python-cli-build-target-f54c9b07b4181ba4.yaml | 9 +++++++++
 shell/nexus-iq-python-cli.sh | 7 +------
 4 files changed, 17 insertions(+), 6 deletions(-)
 create mode 100644 releasenotes/notes/nexus-python-cli-build-target-f54c9b07b4181ba4.yaml
diff --git a/docs/jjb/lf-python-jobs.rst b/docs/jjb/lf-python-jobs.rst
index 36f2779b..036a9122 100644
--- a/docs/jjb/lf-python-jobs.rst
+++ b/docs/jjb/lf-python-jobs.rst
@@ -112,6 +112,8 @@ does not support multi-branch.
 share a Nexus IQ system to avoid project name collision. We recommend inserting a trailing - dash if using this parameter. For example 'odl-'. (default: '')
+ :nexus-target-build: Target directory or file to be scanned by Nexus IQ CLI
+ (default: "\*\*/\*")
 :pre-build-script: Shell script to run before tox. Useful for setting up dependencies. (default: a string with a shell comment)
 :python-version: Python version to invoke pip install of tox-pyenv
diff --git a/jjb/lf-python-jobs.yaml b/jjb/lf-python-jobs.yaml
index d9fcdb82..0f5391a5 100644
--- a/jjb/lf-python-jobs.yaml
+++ b/jjb/lf-python-jobs.yaml
@@ -86,6 +86,7 @@
 java-version: openjdk11 # Scanner is a jar
 nexus-iq-cli-version: 1.140.0-01
 nexus-iq-namespace: "" # Recommend a trailing dash when set. Example: odl-
+ nexus-target-build: "**/*"
 pre-build-script: "# pre-build script goes here"
 python-version: python3
 requirements-file: requirements.txt
@@ -118,6 +119,10 @@
 name: NEXUS_IQ_CLI_VERSION
 default: "{nexus-iq-cli-version}"
 description: Nexus IQ CLI jar to download and run.
+ - string:
+ name: NEXUS_TARGET_BUILD
+ default: "{nexus-target-build}"
+ description: File or dir to scan by Nexus CLI.
 wrappers:
 - lf-infra-wrappers:
diff --git a/releasenotes/notes/nexus-python-cli-build-target-f54c9b07b4181ba4.yaml b/releasenotes/notes/nexus-python-cli-build-target-f54c9b07b4181ba4.yaml
new file mode 100644
index 00000000..64430c59
--- /dev/null
+++ b/releasenotes/notes/nexus-python-cli-build-target-f54c9b07b4181ba4.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+ - |
+ Replace Nexus IQ build Target from "${REQUIREMENTS_FILE}" to "${NEXUS_TARGET_BUILD}".
+ The scanner is only including the requirements.txt file in its scan which
+ should not contain other information than python package requirements.
+ Instead, use a "${NEXUS_TARGET_BUILD}" parameter which the user can optionally provide to
+ the scanner to indicate a file or directory to include in the scan. By default, this
+ variable is configured to scan all files in the repo.
diff --git a/shell/nexus-iq-python-cli.sh b/shell/nexus-iq-python-cli.sh
index 7e105c94..929cf8ed 100644
--- a/shell/nexus-iq-python-cli.sh
+++ b/shell/nexus-iq-python-cli.sh
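Review bot: The new `NEXUS_TARGET_BUILD` parameter's description, `File or dir to scan by Nexus CLI.`, undersells what the value is: its default `**/*` (set in the first hunk of this file) is a pattern handed verbatim to the Nexus IQ CLI's Target argument, not a single file or directory, and the same wording is repeated in the rst docs hunk. A description that states the default and the pattern nature helps a job author who overrides it, e.g. `description: File, directory or pattern passed to the Nexus IQ CLI as its scan target (default "**/*", the whole workspace).`. The quoting of `"**/*"` and `"{nexus-target-build}"` is correct, since an unquoted leading `*` would be read as a YAML alias.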
@@ -17,11 +17,6 @@ echo "---> nexus-iq-python-cli.sh"
 set -eu
 # do not print commands, credentials should not be logged
 set +x
-# check if tox established the prereqs for this analysis
-if [[ ! -f $REQUIREMENTS_FILE ]]; then
- echo "ERROR: failed to find file $REQUIREMENTS_FILE"
- exit 1
-fi
 CLI_LOCATION="/tmp/nexus-iq-cli-${NEXUS_IQ_CLI_VERSION}.jar"
 echo "INFO: downloading nexus-iq-cli version $NEXUS_IQ_CLI_VERSION"
 wget -nv "https://download.sonatype.com/clm/scanner/nexus-iq-cli-${NEXUS_IQ_CLI_VERSION}.jar" -O "${CLI_LOCATION}"
@@ -31,7 +26,7 @@ echo "INFO: running nexus-iq-cli on project $NEXUS_IQ_PROJECT_NAME and file $REQ
 # result.json is a mystery
 java -jar "${CLI_LOCATION}" @cli-auth.txt \
 -s https://nexus-iq.wl.linuxfoundation.org -i "${NEXUS_IQ_PROJECT_NAME}" \
- -t build -r result.json "${REQUIREMENTS_FILE}"
+ -t build -r result.json "${NEXUS_TARGET_BUILD}"
 rm cli-auth.txt
 rm "${CLI_LOCATION}"
-- 
2.16.6
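Review bot: With the `-f $REQUIREMENTS_FILE` guard removed, nothing in the script validates the scan target before the CLI is downloaded and run; `set -u` only catches an unset `NEXUS_TARGET_BUILD`, so a Jenkins user who blanks the parameter sends an empty target to the java invocation in the second hunk. A one-line replacement keeps the early, explicit failure the old check provided: `[[ -n "${NEXUS_TARGET_BUILD}" ]] || { echo "ERROR: NEXUS_TARGET_BUILD must not be empty"; exit 1; }`. The removed comment tied the check to tox having produced the requirements file; if `REQUIREMENTS_FILE` is still consumed elsewhere in this script, that precondition is now unchecked. The script continues beyond this hunk.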
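Review bot: The INFO line immediately above the second hunk (visible only as the hunk-header context, truncated at `$REQ`) presumably still prints `$REQUIREMENTS_FILE`, so the log now names a file the scan no longer targets; it should report the new variable, e.g. `echo "INFO: running nexus-iq-cli on project $NEXUS_IQ_PROJECT_NAME and target $NEXUS_TARGET_BUILD"`. The default target `**/*` also widens the scan from one requirements file to everything under the working directory, and `@cli-auth.txt` together with the later `rm cli-auth.txt` suggest the credentials file sits in that directory while the scan runs; if so, it and any leftover `result.json` fall inside the default target set, so writing the auth file to a path outside the scanned tree (a `mktemp` location removed on exit) would keep it out of what the scanner reads. Passing the variable double-quoted is right, since the pattern is meant for the CLI rather than for shell expansion.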