refactor!: remove the automatic sbom generation feature for Java

Signed-off-by: behnazh-w <[email protected]>

Author: behnazh-w

Makefile

@@ -85,34 +85,19 @@ venv:
 # So we create the dist dir if it doesn't exist in the setup target.
 # See https://packaging.python.org/en/latest/tutorials/packaging-projects/#generating-distribution-archives.
 # We also install cyclonedx-go to generate SBOM for Go, compile the Go modules,
-# install SLSA verifier binary, download mvnw, and gradlew.
+# and install SLSA verifier binary.
 .PHONY: setup
 setup: force-upgrade setup-go setup-binaries setup-schemastore
 	pre-commit install
 	mkdir -p dist
 	go install github.com/CycloneDX/cyclonedx-gomod/cmd/[email protected]
 setup-go:
 	go build -o $(PACKAGE_PATH)/bin/ $(REPO_PATH)/golang/cmd/...
-setup-binaries: $(PACKAGE_PATH)/bin/slsa-verifier $(PACKAGE_PATH)/resources/mvnw $(PACKAGE_PATH)/resources/gradlew souffle gnu-sed
+setup-binaries: $(PACKAGE_PATH)/bin/slsa-verifier souffle gnu-sed
 $(PACKAGE_PATH)/bin/slsa-verifier:
 	git clone --depth 1 https://github.com/slsa-framework/slsa-verifier.git -b v2.7.1
 	cd slsa-verifier/cli/slsa-verifier && go build -o $(PACKAGE_PATH)/bin/
 	cd $(REPO_PATH) && rm -rf slsa-verifier
-$(PACKAGE_PATH)/resources/mvnw:
-	cd $(PACKAGE_PATH)/resources \
-		&& wget https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper-distribution/3.1.1/maven-wrapper-distribution-3.1.1-bin.zip \
-		&& unzip -o maven-wrapper-distribution-3.1.1-bin.zip \
-		&& rm -r maven-wrapper-distribution-3.1.1-bin.zip \
-		&& echo -e "distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.8.6/apache-maven-3.8.6-bin.zip\nwrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.1/maven-wrapper-3.1.1.jar" > .mvn/wrapper/maven-wrapper.properties \
-		&& cd $(REPO_PATH)
-$(PACKAGE_PATH)/resources/gradlew:
-	cd $(PACKAGE_PATH)/resources \
-		&& export GRADLE_VERSION=7.6 \
-		&& wget https://services.gradle.org/distributions/gradle-$$GRADLE_VERSION-bin.zip \
-		&& unzip -o gradle-$$GRADLE_VERSION-bin.zip \
-		&& rm -r gradle-$$GRADLE_VERSION-bin.zip \
-		&& gradle-$$GRADLE_VERSION/bin/gradle wrapper \
-		&& cd $(REPO_PATH)
 setup-schemastore: $(PACKAGE_PATH)/resources/schemastore/github-workflow.json $(PACKAGE_PATH)/resources/schemastore/LICENSE $(PACKAGE_PATH)/resources/schemastore/NOTICE
 $(PACKAGE_PATH)/resources/schemastore/github-workflow.json:
 	cd $(PACKAGE_PATH)/resources \
@@ -433,11 +418,7 @@ clean: dist-clean bin-clean docs-clean
 nuke-caches: clean
 	find src/ -type d -name __pycache__ -exec rm -fr {} +
 	find tests/ -type d -name __pycache__ -exec rm -fr {} +
-nuke-mvnw:
-	cd $(PACKAGE_PATH)/resources \
-	&& rm mvnw mvnw.cmd mvnwDebug mvnwDebug.cmd \
-	&& cd $(REPO_PATH)
-nuke: nuke-caches nuke-mvnw
+nuke: nuke-caches
 	if [ ! -z "${VIRTUAL_ENV}" ]; then \
 	  echo "Please deactivate the virtual environment first!" && exit 1; \
 	fi

docker/user.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 # We update the GID and UID of the existing macaron user in the container
@@ -16,35 +16,6 @@ else
     echo "Consider providing the GID and UID via the env variables USER_GID and USER_UID respectively."
 fi
 
-# Prepare settings.xml because
-# We mount .m2 dir to the host machine
-# We cannot copy those files while building the image
-# because they will be bypassed.
-if [[ ! -f "$HOME/.m2/settings.xml" ]] && [[ -n "$PACKAGE_PATH" ]];
-then
-    if [[ ! -d "$HOME/.m2" ]];
-    then
-        mkdir --parents "$HOME"/.m2
-    fi
-    cp "$PACKAGE_PATH"/resources/settings.xml "$HOME"/.m2/
-fi
-
-# Overwrite $HOME/.m2/settings.xml if the global settings.xml file is mounted from the host machine.
-if [[ -f "$HOME/settings.xml" ]];
-then
-    cp "$HOME/settings.xml" "$HOME/.m2/settings.xml"
-fi
-
-# Create $HOME/.gradle/gradle.properties if the global gradle.properties file is mounted from the host machine.
-if [[ ! -d "$HOME/.gradle" ]];
-then
-    mkdir --parents "$HOME"/.gradle
-fi
-if [[ -f "$HOME/gradle.properties" ]];
-then
-    cp "$HOME"/gradle.properties "$HOME/.gradle/gradle.properties"
-fi
-
 # Prepare the output directory. The output directory will be already existed
 # if we mount from the host machine.
 if [[ ! -d "$HOME/output" ]];

docs/source/pages/developers_guide/apidoc/macaron.dependency_analyzer.rst

@@ -17,22 +17,6 @@ macaron.dependency\_analyzer.cyclonedx module
    :show-inheritance:
    :undoc-members:
 
-macaron.dependency\_analyzer.cyclonedx\_gradle module
------------------------------------------------------
-
-.. automodule:: macaron.dependency_analyzer.cyclonedx_gradle
-   :members:
-   :show-inheritance:
-   :undoc-members:
-
-macaron.dependency\_analyzer.cyclonedx\_mvn module
---------------------------------------------------
-
-.. automodule:: macaron.dependency_analyzer.cyclonedx_mvn
-   :members:
-   :show-inheritance:
-   :undoc-members:
-
 macaron.dependency\_analyzer.cyclonedx\_python module
 -----------------------------------------------------
 

docs/source/pages/developers_guide/apidoc/macaron.malware_analyzer.pypi_heuristics.metadata.rst

@@ -33,6 +33,14 @@ macaron.malware\_analyzer.pypi\_heuristics.metadata.empty\_project\_link module
    :show-inheritance:
    :undoc-members:
 
+macaron.malware\_analyzer.pypi\_heuristics.metadata.fake\_email module
+----------------------------------------------------------------------
+
+.. automodule:: macaron.malware_analyzer.pypi_heuristics.metadata.fake_email
+   :members:
+   :show-inheritance:
+   :undoc-members:
+
 macaron.malware\_analyzer.pypi\_heuristics.metadata.high\_release\_frequency module
 -----------------------------------------------------------------------------------
 
@@ -49,6 +57,14 @@ macaron.malware\_analyzer.pypi\_heuristics.metadata.one\_release module
    :show-inheritance:
    :undoc-members:
 
+macaron.malware\_analyzer.pypi\_heuristics.metadata.similar\_projects module
+----------------------------------------------------------------------------
+
+.. automodule:: macaron.malware_analyzer.pypi_heuristics.metadata.similar_projects
+   :members:
+   :show-inheritance:
+   :undoc-members:
+
 macaron.malware\_analyzer.pypi\_heuristics.metadata.source\_code\_repo module
 -----------------------------------------------------------------------------
 

docs/source/pages/supported_technologies/index.rst

@@ -115,8 +115,6 @@ Automatic dependency resolution
 
 Currently, we support the following type of project for automatic dependency resolution.
 
-* Java Maven
-* Java Gradle
 * Python (with a Python virtual environment created and packages installed using Python3.11, see :ref:`providing Python virtual environment <python-venv-deps>`.)
 
 --------

docs/source/pages/tutorials/detect_malicious_java_dep.rst

@@ -66,11 +66,11 @@ Skip this section if you already know how to install Macaron.
 Run ``analyze`` command
 ***********************
 
-First, we need to run the ``analyze`` command of Macaron to run a number of :ref:`checks <checks>` and collect evidence for  ``example-maven-app`` and its dependencies.
+First, we need to run the ``analyze`` command of Macaron to run a number of :ref:`checks <checks>` and collect evidence for  ``example-maven-app`` and its dependencies. You need to generate the SBOM and provide it to Macaron. For more details see the instructions : :ref:`here <with-sbom>`.
 
 .. code-block:: shell
 
-  ./run_macaron.sh analyze -purl pkg:maven/io.github.behnazh-w.demo/[email protected]?type=jar -rp https://github.com/behnazh-w/example-maven-app --deps-depth=1
+  ./run_macaron.sh analyze -purl pkg:maven/io.github.behnazh-w.demo/[email protected]?type=jar -rp https://github.com/behnazh-w/example-maven-app --deps-depth=1 -sbom sbom.json
 
 .. note:: By default, Macaron clones the repositories and creates output files under the ``output`` directory. To understand the structure of this directory please see :ref:`Output Files Guide <output_files_guide>`.
 
@@ -98,7 +98,7 @@ As you can see, some of the checks are passing and some are failing. In summary,
 * but it is not deploying any artifacts automatically (``mcn_build_as_code_1``)
 * and no CI workflow runs are detected that automatically publish artifacts (``mcn_find_artifact_pipeline_1``)
 
-As you scroll down in the HTML report, you will see a section for the dependencies that were automatically identified:
+As you scroll down in the HTML report, you will see a section for the dependencies that were identified from the provided ``sbom.json``:
 
 .. _fig_example-maven-app-deps:
 

pyproject.toml

@@ -32,8 +32,8 @@ dependencies = [
     "packageurl-python >= 0.11.1,<1.0.0",
     "ruamel.yaml >= 0.18.6,<1.0.0",
     "jsonschema >= 4.22.0,<5.0.0",
-    "cyclonedx-bom >=4.0.0,<5.0.0",
-    "cyclonedx-python-lib[validation] >=7.3.4,<8.0.0",
+    "cyclonedx-bom >=7.0.0,<8.0.0",
+    "cyclonedx-python-lib[validation] >=8.0.0,<11.0.0",
     "beautifulsoup4 >= 4.12.0,<5.0.0",
     "problog >= 2.2.6,<3.0.0",
     "cryptography >=44.0.0,<45.0.0",
@@ -78,7 +78,7 @@ dev = [
     "types-jsonschema >=4.22.0,<5.0.0",
     "pip-audit >=2.5.6,<3.0.0",
     "pylint >=3.0.3,<4.0.0",
-    "cyclonedx-bom >=4.0.0,<5.0.0",
+    "cyclonedx-bom >=7.0.0,<8.0.0",
     "types-beautifulsoup4 >= 4.12.0,<5.0.0",
 ]
 docs = [
@@ -274,5 +274,7 @@ filterwarnings = [
     # https://docs.pytest.org/en/latest/how-to/failures.html#warning-about-unraisable-exceptions-and-unhandled-thread-exceptions
     "error::pytest.PytestUnraisableExceptionWarning",
     "error::pytest.PytestUnhandledThreadExceptionWarning",
+    # Remove the following when this issue is fixed: https://github.com/CycloneDX/cyclonedx-python-lib/issues/870
+    "ignore::DeprecationWarning:cyclonedx.model.tool",
     "error::DeprecationWarning:pkg_resources",
 ]

src/macaron/config/defaults.ini

@@ -33,12 +33,6 @@ timeout = 30
 
 # This is the dependency resolver tool to generate SBOM.
 [dependency.resolver]
-# Should be in <tool>:<version> format.
-# The supported tools for Maven is cyclonedx-maven.
-# The supported tools for Gradle is cyclonedx-gradle.
-# The version of the dependency resolver should conform with semantic versioning.
-dep_tool_maven = cyclonedx-maven:2.6.2
-dep_tool_gradle = cyclonedx-gradle:1.7.4
 # This is the timeout (in seconds) to run the dependency resolver.
 timeout = 2400
 # Determines whether the CycloneDX BOM file should be validated or not.

src/macaron/config/global_config.py

@@ -73,7 +73,7 @@ def load(
         local_repos_path : str
             The directory to look for local repositories.
         resources_path : str
-            The path to the resources files needed for the analysis (i.e. mvnw, gradlew, etc.)
+            The path to the resource files needed for the analysis.
         """
         self.macaron_path = macaron_path
         self.output_path = output_path