Merge pull request #119 from Contrast-Security-OSS/JAVA-8427-migrate-maven-plugin

JAVA-8427 migrate maven plugin to sdk repo

Author: BrianPhillips2020

.github/workflows/build-maven-plugin.yml

@@ -0,0 +1,38 @@
+name: build
+
+on: [push]
+
+jobs:
+  changelog:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: dangoslen/changelog-enforcer@v3
+  build:
+    name: Verify
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-java@v4
+        with:
+          java-version: 11
+          distribution: temurin
+
+      - uses: actions/setup-java@v4
+        with:
+          java-version: 17
+          distribution: temurin
+
+      - uses: actions/setup-java@v4
+        with:
+          java-version: 21
+          distribution: temurin
+
+      - name: Maven Verify
+        env:
+          CONTRAST__API__URL: ${{ secrets.CONTRAST__API__URL }}
+          CONTRAST__API__USER_NAME: ${{ secrets.CONTRAST__API__USER_NAME }}
+          CONTRAST__API__API_KEY: ${{ secrets.CONTRAST__API__API_KEY }}
+          CONTRAST__API__SERVICE_KEY: ${{ secrets.CONTRAST__API__SERVICE_KEY }}
+          CONTRAST__API__ORGANIZATION_ID: ${{ secrets.CONTRAST__API__ORGANIZATION_ID }}
+        run: cd maven-plugin/ && ./mvnw --batch-mode -Pend-to-end-test verify

.github/workflows/build-sdk.yml

@@ -25,7 +25,7 @@ jobs:
       - name: Cache Maven Wrapper
         uses: actions/cache@v2
         with:
-          path: ./.mvn/wrapper/maven-wrapper.jar
+          path: cd sdk/ ./.mvn/wrapper/maven-wrapper.jar
           key: ${{ runner.os }}-maven-wrapper-${{ hashFiles('./.mvn/wrapper/maven-wrapper.properties') }}
           restore-keys: ${{ runner.os }}-maven-wrapper
 

.github/workflows/publish-maven-plugin.yml

@@ -0,0 +1,62 @@
+name: publish
+
+on:
+  workflow_dispatch:
+
+jobs:
+  publish:
+    permissions:
+      contents: write
+    environment: Maven Central
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@v2
+        with:
+          java-version: 11
+          distribution: temurin
+          server-id: ossrh
+          server-username: OSSRH_USERNAME
+          server-password: OSSRH_PASSWORD
+          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
+          gpg-passphrase: GPG_PASSPHRASE
+
+      - name: Cache Maven Wrapper
+        uses: actions/cache@v2
+        with:
+          path: cd maven-plugin/ && ./.mvn/wrapper/maven-wrapper.jar
+          key: ${{ runner.os }}-maven-wrapper-${{ hashFiles('./.mvn/wrapper/maven-wrapper.properties') }}
+          restore-keys: ${{ runner.os }}-maven-wrapper
+
+      - name: Cache Maven Repository
+        uses: actions/cache@v2
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-m2-repository-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2-repository
+
+      # See https://github.com/actions/checkout/issues/13
+      - name: Configure Git User
+        run: |
+          git config --global user.name 'github-actions[bot]'
+          git config --global user.email '41898282+github-actions[bot]@users.noreply.github.com'
+
+      - name: Maven Release (dry-run)
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+          OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+        run: |
+          cd maven-plugin/ && ./mvnw -DdryRun=true --batch-mode release:prepare release:perform -Dusername=$GITHUB_ACTOR -Dpassword=$GITHUB_TOKEN
+
+      - name: Maven Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+          OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+        run: |
+          cd maven-plugin/ && ./mvnw --batch-mode release:prepare release:perform -Dusername=$GITHUB_ACTOR -Dpassword=$GITHUB_TOKEN

.github/workflows/publish.yml .github/workflows/publish-sdk.yml

@@ -1,5 +1,6 @@
 # Project
-/.idea
+*.private.env.json
+*.idea
 *.iml
 
 # Maven

.gitignore

@@ -1,80 +1,13 @@
-# Contrast Java SDK
+# Contrast SDK Repo
 
-[![javadoc](https://javadoc.io/badge2/com.contrastsecurity/contrast-sdk-java/javadoc.svg)](https://javadoc.io/doc/com.contrastsecurity/contrast-sdk-java)
-[![Maven Central](https://maven-badges.herokuapp.com/maven-central/com.contrastsecurity/contrast-sdk-java/badge.svg)](https://maven-badges.herokuapp.com/maven-central/com.contrastsecurity/contrast-sdk-java)
+Root repository for the Contrast SDK, Contrast Gradle Plugin, and Contrast Maven Plugin
 
+Each sub-project is a standalone build, with their own maven/gradle builds.  
 
-This SDK gives you a quick start for programmatically accessing the [Contrast REST API](https://api.contrastsecurity.com/) using Java.
 
+[SDK](sdk/README.md)
 
-## Requirements
+[Maven Plugin](maven-plugin/README.md)
 
-* JDK 1.8
-* Contrast Account
 
 
-## How to use this SDK
-
-1. Add the
-   [contrast-sdk-java](https://search.maven.org/artifact/com.contrastsecurity/contrast-sdk-java)
-   dependency from Maven Central to your project.
-1. At a minimum, you will need to supply four basic connection parameters ([find them here](https://docs.contrastsecurity.com/en/personal-keys.html)):
-   * Username
-   * API Key
-   * Service Key
-   * Contrast REST API URL (e.g. https://app.contrastsecurity.com/Contrast/api)
-
-
-## Example
-
-```java
-ContrastSDK contrastSDK = new ContrastSDK.Builder("contrast_admin", "demo", "demo")
-        .withApiUrl("http://localhost:19080/Contrast/api")
-        .build();
-
-String orgUuid = contrastSDK.getProfileDefaultOrganizations().getOrganization().getOrgUuid();
-
-Applications apps = contrastSDK.getApplications(orgUuid);
-for (Application app : apps.getApplications()) {
-    System.out.println(app.getName() + " (" + app.getCodeShorthand() + " LOC)");
-}
-```
-
-Sample output:
-```
-Aneritx (48K LOC)
-Default Web Site (0k LOC)
-EnterpriseTPS (48K LOC)
-Feynmann (48K LOC)
-jhipster-sample (0k LOC)
-JSPWiki (48K LOC)
-Liferay (48K LOC)
-OpenMRS (65K LOC)
-OracleFS (48K LOC)
-Security Test (< 1K LOC)
-Ticketbook (2K LOC)
-WebGoat (48K LOC)
-WebGoat7 (106K LOC)
-```
-
-
-## Building
-
-Requires JDK 11 to build
-
-Use `./mvnw verify` to build and test changes to the project
-
-
-### Formatting
-
-To avoid distracting white space changes in pull requests and wasteful bickering
-about format preferences, Contrast uses the google-java-format opinionated Java
-code formatter to automatically format all code to a common specification.
-
-Developers are expected to configure their editors to automatically apply this
-format (plugins exist for both IDEA and Eclipse). Alternatively, developers can
-apply the formatting before committing changes using the Maven plugin:
-
-```shell
-./mvnw spotless:apply
-```

README.md

@@ -0,0 +1,117 @@
+/*
+ * Copyright 2007-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import java.net.*;
+import java.io.*;
+import java.nio.channels.*;
+import java.util.Properties;
+
+public class MavenWrapperDownloader {
+
+    private static final String WRAPPER_VERSION = "0.5.6";
+    /**
+     * Default URL to download the maven-wrapper.jar from, if no 'downloadUrl' is provided.
+     */
+    private static final String DEFAULT_DOWNLOAD_URL = "https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/"
+        + WRAPPER_VERSION + "/maven-wrapper-" + WRAPPER_VERSION + ".jar";
+
+    /**
+     * Path to the maven-wrapper.properties file, which might contain a downloadUrl property to
+     * use instead of the default one.
+     */
+    private static final String MAVEN_WRAPPER_PROPERTIES_PATH =
+            ".mvn/wrapper/maven-wrapper.properties";
+
+    /**
+     * Path where the maven-wrapper.jar will be saved to.
+     */
+    private static final String MAVEN_WRAPPER_JAR_PATH =
+            ".mvn/wrapper/maven-wrapper.jar";
+
+    /**
+     * Name of the property which should be used to override the default download url for the wrapper.
+     */
+    private static final String PROPERTY_NAME_WRAPPER_URL = "wrapperUrl";
+
+    public static void main(String args[]) {
+        System.out.println("- Downloader started");
+        File baseDirectory = new File(args[0]);
+        System.out.println("- Using base directory: " + baseDirectory.getAbsolutePath());
+
+        // If the maven-wrapper.properties exists, read it and check if it contains a custom
+        // wrapperUrl parameter.
+        File mavenWrapperPropertyFile = new File(baseDirectory, MAVEN_WRAPPER_PROPERTIES_PATH);
+        String url = DEFAULT_DOWNLOAD_URL;
+        if(mavenWrapperPropertyFile.exists()) {
+            FileInputStream mavenWrapperPropertyFileInputStream = null;
+            try {
+                mavenWrapperPropertyFileInputStream = new FileInputStream(mavenWrapperPropertyFile);
+                Properties mavenWrapperProperties = new Properties();
+                mavenWrapperProperties.load(mavenWrapperPropertyFileInputStream);
+                url = mavenWrapperProperties.getProperty(PROPERTY_NAME_WRAPPER_URL, url);
+            } catch (IOException e) {
+                System.out.println("- ERROR loading '" + MAVEN_WRAPPER_PROPERTIES_PATH + "'");
+            } finally {
+                try {
+                    if(mavenWrapperPropertyFileInputStream != null) {
+                        mavenWrapperPropertyFileInputStream.close();
+                    }
+                } catch (IOException e) {
+                    // Ignore ...
+                }
+            }
+        }
+        System.out.println("- Downloading from: " + url);
+
+        File outputFile = new File(baseDirectory.getAbsolutePath(), MAVEN_WRAPPER_JAR_PATH);
+        if(!outputFile.getParentFile().exists()) {
+            if(!outputFile.getParentFile().mkdirs()) {
+                System.out.println(
+                        "- ERROR creating output directory '" + outputFile.getParentFile().getAbsolutePath() + "'");
+            }
+        }
+        System.out.println("- Downloading to: " + outputFile.getAbsolutePath());
+        try {
+            downloadFileFromURL(url, outputFile);
+            System.out.println("Done");
+            System.exit(0);
+        } catch (Throwable e) {
+            System.out.println("- Error downloading");
+            e.printStackTrace();
+            System.exit(1);
+        }
+    }
+
+    private static void downloadFileFromURL(String urlString, File destination) throws Exception {
+        if (System.getenv("MVNW_USERNAME") != null && System.getenv("MVNW_PASSWORD") != null) {
+            String username = System.getenv("MVNW_USERNAME");
+            char[] password = System.getenv("MVNW_PASSWORD").toCharArray();
+            Authenticator.setDefault(new Authenticator() {
+                @Override
+                protected PasswordAuthentication getPasswordAuthentication() {
+                    return new PasswordAuthentication(username, password);
+                }
+            });
+        }
+        URL website = new URL(urlString);
+        ReadableByteChannel rbc;
+        rbc = Channels.newChannel(website.openStream());
+        FileOutputStream fos = new FileOutputStream(destination);
+        fos.getChannel().transferFrom(rbc, 0, Long.MAX_VALUE);
+        fos.close();
+        rbc.close();
+    }
+
+}

maven-plugin/.mvn/wrapper/MavenWrapperDownloader.java

@@ -0,0 +1,18 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+# 
+#   http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.8.5/apache-maven-3.8.5-bin.zip
+wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar

maven-plugin/.mvn/wrapper/maven-wrapper.properties

@@ -0,0 +1,31 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
+
+## [2.13.2] - 2022-01-24
+### Changed
+- `install` and `verify` goals no longer require the `serverName` configuration parameter. The `serverName` configuration parameter can add stability to the `verify` goal for very active builds, but it is not strictly necessary nor desirable for most use cases.
+
+## [2.13.1] - 2021-08-31
+### Added
+- Contrast Scan support
+
+### Removed
+- `profile` configuration which the Contrast server has not supported since before 3.7.7.
+- support for JRE 1.7. Requires minimum JRE 1.8
+
+
+## [2.12] - 2021-03-09
+### Changed
+- Tested with JDK 1.8, 11, and 15
+- Targets JRE 1.7
+- Maven version > 3.6.1 (Released April 2019) is required to build the plugin
+
+
+## [2.0] - 2018-05-15
+### Added
+- Vulnerabilities now reconciled using an app version instead of a timestamp
+- App version can be generated using `$TRAVIS_BUILD_NUMBER` or `$CIRCLE_BUILD_NUM`
+- Source packaging changed to `com.contrastsecurity.maven.plugin`

maven-plugin/CHANGELOG.md

@@ -0,0 +1,14 @@
+Copyright 2021 Contrast Security, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+