feat: Add config for using packages api for maven/npm/python issues

This API does not return licensing issues so option is behind config flag

BREAKING CHANGE: New configuration options that can result in some loss of functionality

Author: calhar-snyk

.circleci/config.yml

@@ -7,7 +7,7 @@ jobs:
   security-scans:
     resource_class: small
     docker:
-      - image: cimg/openjdk:17.0
+      - image: cimg/openjdk:21.0
     steps:
       - checkout
       - prodsec/security_scans:

core/src/main/java/io/snyk/plugins/artifactory/PropertyLoader.java

@@ -8,7 +8,6 @@
 import java.util.Properties;
 
 import static java.lang.String.format;
-import static java.nio.charset.StandardCharsets.UTF_8;
 
 final class PropertyLoader {
 
@@ -53,6 +52,6 @@ static String loadPluginVersion(@Nonnull File pluginsDirectory) throws IOExcepti
       throw new IOException(format(FILE_NOT_FOUND_ERROR_MESSAGE, pluginVersionFile.getAbsolutePath()));
     }
 
-    return new String(Files.readAllBytes(pluginVersionFile.toPath()), UTF_8);
+    return Files.readString(pluginVersionFile.toPath());
   }
 }

core/src/main/java/io/snyk/plugins/artifactory/SnykPlugin.java

@@ -52,15 +52,15 @@ public SnykPlugin(@Nonnull Repositories repositories, File pluginsDirectory) {
       validateConfiguration();
 
       LOG.info("Creating api client and modules...");
-      LOG.info("BaseURL:" + configurationModule.getPropertyOrDefault(API_URL));
-      LOG.info("Organization:" + configurationModule.getPropertyOrDefault(API_ORGANIZATION));
+      LOG.info("BaseURL: {}", configurationModule.getPropertyOrDefault(API_URL));
+      LOG.info("Organization: {}", configurationModule.getPropertyOrDefault(API_ORGANIZATION));
       String token = configurationModule.getPropertyOrDefault(API_TOKEN);
       if (null != token && token.length() > 4) {
         token = token.substring(0, 4) + "...";
       } else {
         token = "no token configured";
       }
-      LOG.debug("Token:" + token);
+      LOG.debug("Token: {}", token);
       final SnykClient snykClient = createSnykClient(configurationModule, pluginVersion);
 
       auditModule = new AuditModule();
@@ -191,8 +191,8 @@ private SnykClient createSnykClient(@Nonnull ConfigurationModule configurationMo
       .build();
 
     LOG.debug("about to log config...");
-    LOG.debug("config.httpProxyHost: " + config.httpProxyHost);
-    LOG.debug("config.httpProxyPort: " + config.httpProxyPort);
+    LOG.debug("config.httpProxyHost: {}", config.httpProxyHost);
+    LOG.debug("config.httpProxyPort: {}", config.httpProxyPort);
 
     final SnykClient snykClient = new SnykClient(config);
 

core/src/main/java/io/snyk/plugins/artifactory/configuration/PluginConfiguration.java

@@ -8,6 +8,14 @@ public enum PluginConfiguration implements Configuration {
   API_SSL_CERTIFICATE_PATH("snyk.api.sslCertificatePath", ""),
   API_TRUST_ALL_CERTIFICATES("snyk.api.trustAllCertificates", "false"),
   API_TIMEOUT("snyk.api.timeout", "60000"),
+  /* API_REST_ENABLED is used to determine whether to use the REST API or the legacy API
+   * for the Maven, Npm, and Python scanners.
+   * This results in different behavior:
+   * - the REST API does not provide licensing information, but does provide vulnerability information
+   * - the legacy API provides both licensing and vulnerability information
+   * This does not affect the RubyGems, Nuget, and CocoaPods scanners, which only use the REST API.
+   */
+  API_REST_ENABLED("snyk.api.rest.enabled", "false"),
 
   HTTP_PROXY_HOST("snyk.http.proxyHost", ""),
   HTTP_PROXY_PORT("snyk.http.proxyPort", "80"),

core/src/main/java/io/snyk/plugins/artifactory/scanner/ScannerModule.java

@@ -76,7 +76,7 @@ private ArtifactProperties properties(RepoPath repoPath) {
 
   private @NotNull Optional<MonitoredArtifact> runTest(RepoPath repoPath) {
     return ecosystemResolver.getFor(repoPath)
-      .flatMap(ecosystem -> scannerResolver.getFor(ecosystem))
+      .flatMap(scannerResolver::getFor)
       .map(scanner -> runTestWith(scanner, repoPath));
   }
 

core/src/main/java/io/snyk/plugins/artifactory/scanner/ScannerResolver.java

@@ -4,8 +4,14 @@
 import io.snyk.plugins.artifactory.configuration.PluginConfiguration;
 import io.snyk.plugins.artifactory.ecosystem.Ecosystem;
 import io.snyk.plugins.artifactory.scanner.cocoapods.CocoapodsScanner;
+import io.snyk.plugins.artifactory.scanner.maven.MavenPurlScanner;
+import io.snyk.plugins.artifactory.scanner.maven.MavenScanner;
+import io.snyk.plugins.artifactory.scanner.npm.NpmPurlScanner;
+import io.snyk.plugins.artifactory.scanner.npm.NpmScanner;
 import io.snyk.plugins.artifactory.scanner.nuget.NugetScanner;
 import io.snyk.plugins.artifactory.scanner.purl.PurlScanner;
+import io.snyk.plugins.artifactory.scanner.python.PythonPurlScanner;
+import io.snyk.plugins.artifactory.scanner.python.PythonScanner;
 import io.snyk.plugins.artifactory.scanner.rubygems.RubyGemsScanner;
 import io.snyk.sdk.api.SnykClient;
 import org.slf4j.Logger;
@@ -17,6 +23,7 @@
 import java.util.function.Function;
 
 import static io.snyk.plugins.artifactory.configuration.PluginConfiguration.API_ORGANIZATION;
+import static io.snyk.plugins.artifactory.configuration.PluginConfiguration.API_REST_ENABLED;
 
 public class ScannerResolver {
   private static final Logger LOG = LoggerFactory.getLogger(ScannerResolver.class);
@@ -52,13 +59,24 @@ public Optional<PackageScanner> getFor(Ecosystem ecosystem) {
   public static ScannerResolver setup(ConfigurationModule configurationModule, SnykClient snykClient) {
     String orgId = configurationModule.getProperty(API_ORGANIZATION);
     PurlScanner purlScanner = new PurlScanner(snykClient, orgId);
-    return new ScannerResolver(configurationModule::getPropertyOrDefault)
-      .register(Ecosystem.MAVEN, new MavenScanner(configurationModule, snykClient))
-      .register(Ecosystem.NPM, new NpmScanner(configurationModule, snykClient))
-      .register(Ecosystem.PYPI, new PythonScanner(configurationModule, snykClient))
+    var scannerResolver = new ScannerResolver(configurationModule::getPropertyOrDefault);
+
+    if (Boolean.parseBoolean(configurationModule.getPropertyOrDefault(API_REST_ENABLED))) {
+      scannerResolver
+        .register(Ecosystem.MAVEN, new MavenPurlScanner(purlScanner))
+        .register(Ecosystem.NPM, new NpmPurlScanner(purlScanner))
+        .register(Ecosystem.PYPI, new PythonPurlScanner(purlScanner));
+    } else {
+      scannerResolver
+        .register(Ecosystem.MAVEN, new MavenScanner(configurationModule, snykClient))
+        .register(Ecosystem.NPM, new NpmScanner(configurationModule, snykClient))
+        .register(Ecosystem.PYPI, new PythonScanner(configurationModule, snykClient));
+    }
+    scannerResolver
       .register(Ecosystem.RUBYGEMS, new RubyGemsScanner(purlScanner))
       .register(Ecosystem.NUGET, new NugetScanner(purlScanner))
       .register(Ecosystem.COCOAPODS, new CocoapodsScanner(purlScanner))
       ;
+    return scannerResolver;
   }
 }

core/src/main/java/io/snyk/plugins/artifactory/scanner/maven/MavenPackage.java

@@ -0,0 +1,50 @@
+package io.snyk.plugins.artifactory.scanner.maven;
+
+import org.artifactory.fs.FileLayoutInfo;
+import org.slf4j.Logger;
+
+import java.util.Optional;
+
+import static org.slf4j.LoggerFactory.getLogger;
+
+public class MavenPackage {
+  private static final Logger LOG = getLogger(MavenPackage.class);
+  private final String groupID;
+  private final String artifactID;
+  private final String version;
+
+  public MavenPackage(String groupID, String artifactID, String version) {
+    this.groupID = groupID;
+    this.artifactID = artifactID;
+    this.version = version;
+  }
+
+  public String getGroupID() {
+    return groupID;
+  }
+
+  public String getArtifactID() {
+    return artifactID;
+  }
+
+  public String getName() {
+    return groupID + "/" + artifactID;
+  }
+
+  public String getVersion() {
+    return version;
+  }
+
+  public static Optional<MavenPackage> parse(FileLayoutInfo fileLayoutInfo) {
+    String groupID = fileLayoutInfo.getOrganization();
+    String artifactID = fileLayoutInfo.getModule();
+    String version = fileLayoutInfo.getBaseRevision();
+
+    if (groupID == null || artifactID == null || version == null) {
+      LOG.warn("Maven package details not provided in FileLayoutInfo");
+      return Optional.empty();
+    }
+
+    return Optional.of(new MavenPackage(groupID, artifactID, version));
+  }
+}

core/src/main/java/io/snyk/plugins/artifactory/scanner/maven/MavenPurlScanner.java

@@ -0,0 +1,41 @@
+package io.snyk.plugins.artifactory.scanner.maven;
+
+import io.snyk.plugins.artifactory.exception.CannotScanException;
+import io.snyk.plugins.artifactory.model.TestResult;
+import io.snyk.plugins.artifactory.scanner.PackageScanner;
+import io.snyk.plugins.artifactory.scanner.SnykDetailsUrl;
+import io.snyk.plugins.artifactory.scanner.purl.PurlScanner;
+import org.artifactory.fs.FileLayoutInfo;
+import org.artifactory.repo.RepoPath;
+import org.slf4j.Logger;
+
+import static org.slf4j.LoggerFactory.getLogger;
+
+public class MavenPurlScanner implements PackageScanner {
+
+  private static final Logger LOG = getLogger(MavenPurlScanner.class);
+  private final PurlScanner purlScanner;
+
+  public MavenPurlScanner(PurlScanner purlScanner) {
+    this.purlScanner = purlScanner;
+  }
+
+  @Override
+  public TestResult scan(FileLayoutInfo fileLayoutInfo, RepoPath repoPath) {
+    LOG.debug("Maven: repoPath.getName() {}", repoPath.getName());
+
+    MavenPackage pckg = MavenPackage.parse(fileLayoutInfo)
+      .orElseThrow(() -> new CannotScanException("Maven package details not provided"));
+
+    String purl = "pkg:maven/" + pckg.getName() + "@" + pckg.getVersion();
+
+    String packageDetailsUrl = getArtifactDetailsURL(pckg.getGroupID(), pckg.getArtifactID(), pckg.getVersion());
+
+    return purlScanner.scan(purl, packageDetailsUrl);
+  }
+
+  public static String getArtifactDetailsURL(String groupID, String artifactID, String artifactVersion) {
+    return SnykDetailsUrl.create("maven", groupID + ":" + artifactID, artifactVersion).toString();
+  }
+}
+

…ns/artifactory/scanner/MavenScanner.java …ifactory/scanner/maven/MavenScanner.javacore/src/main/java/io/snyk/plugins/artifactory/scanner/MavenScanner.java renamed to core/src/main/java/io/snyk/plugins/artifactory/scanner/maven/MavenScanner.java core/src/main/java/io/snyk/plugins/artifactory/scanner/MavenScanner.java renamed to core/src/main/java/io/snyk/plugins/artifactory/scanner/maven/MavenScanner.java

@@ -1,8 +1,11 @@
-package io.snyk.plugins.artifactory.scanner;
+package io.snyk.plugins.artifactory.scanner.maven;
 
 import io.snyk.plugins.artifactory.configuration.ConfigurationModule;
 import io.snyk.plugins.artifactory.exception.CannotScanException;
 import io.snyk.plugins.artifactory.exception.SnykAPIFailureException;
+import io.snyk.plugins.artifactory.scanner.PackageScanner;
+import io.snyk.plugins.artifactory.scanner.SnykDetailsUrl;
+import io.snyk.plugins.artifactory.scanner.TestResultConverter;
 import io.snyk.sdk.api.SnykClient;
 import io.snyk.sdk.api.SnykResult;
 import io.snyk.sdk.model.TestResult;
@@ -17,14 +20,14 @@
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.slf4j.LoggerFactory.getLogger;
 
-class MavenScanner implements PackageScanner {
+public class MavenScanner implements PackageScanner {
 
   private static final Logger LOG = getLogger(MavenScanner.class);
 
   private final ConfigurationModule configurationModule;
   private final SnykClient snykClient;
 
-  MavenScanner(ConfigurationModule configurationModule, SnykClient snykClient) {
+  public MavenScanner(ConfigurationModule configurationModule, SnykClient snykClient) {
     this.configurationModule = configurationModule;
     this.snykClient = snykClient;
   }

core/src/main/java/io/snyk/plugins/artifactory/scanner/npm/NpmPackage.java

@@ -0,0 +1,50 @@
+package io.snyk.plugins.artifactory.scanner.npm;
+
+import org.slf4j.Logger;
+
+import java.util.Optional;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import static org.slf4j.LoggerFactory.getLogger;
+
+public class NpmPackage {
+  private static final Logger LOG = getLogger(NpmPackage.class);
+  private final String name;
+  private final String version;
+
+  public NpmPackage(String name, String version) {
+    this.name = name;
+    this.version = version;
+  }
+
+  public String getName() {
+    return name;
+  }
+
+  public String getVersion() {
+    return version;
+  }
+
+  public static Optional<NpmPackage> parse(String repoPath) {
+    if (repoPath == null) {
+      LOG.warn("Unexpected package path: null");
+      return Optional.empty();
+    }
+
+    // Pattern matches the full repo path: npm:lodash/-/lodash-4.17.15.tgz
+    // Extracts package name before /-/ and version after last hyphen before .tgz
+    Pattern pattern = Pattern.compile("^(?:.+:)?(?<packageName>.+)/-/.+-(?<packageVersion>\\d+\\.\\d+\\.\\d+.*)\\.tgz$");
+    Matcher matcher = pattern.matcher(repoPath);
+    
+    if (!matcher.matches()) {
+      LOG.warn("Unexpected Npm package path: {}", repoPath);
+      return Optional.empty();
+    }
+
+    return Optional.of(new NpmPackage(
+      matcher.group("packageName"),
+      matcher.group("packageVersion")
+    ));
+  }
+}