refactor!: remove the automatic sbom generation feature for Java (#1145)

This PR removes the automatic SBOM generation feature for Java projects in Macaron.

Signed-off-by: behnazh-w <[email protected]>

Author: behnazh-w

Makefile

@@ -85,34 +85,19 @@ venv:
 # So we create the dist dir if it doesn't exist in the setup target.
 # See https://packaging.python.org/en/latest/tutorials/packaging-projects/#generating-distribution-archives.
 # We also install cyclonedx-go to generate SBOM for Go, compile the Go modules,
-# install SLSA verifier binary, download mvnw, and gradlew.
+# and install SLSA verifier binary.
 .PHONY: setup
 setup: force-upgrade setup-go setup-binaries setup-schemastore
 	pre-commit install
 	mkdir -p dist
 	go install github.com/CycloneDX/cyclonedx-gomod/cmd/[email protected]
 setup-go:
 	go build -o $(PACKAGE_PATH)/bin/ $(REPO_PATH)/golang/cmd/...
-setup-binaries: $(PACKAGE_PATH)/bin/slsa-verifier $(PACKAGE_PATH)/resources/mvnw $(PACKAGE_PATH)/resources/gradlew souffle gnu-sed
+setup-binaries: $(PACKAGE_PATH)/bin/slsa-verifier souffle gnu-sed
 $(PACKAGE_PATH)/bin/slsa-verifier:
 	git clone --depth 1 https://github.com/slsa-framework/slsa-verifier.git -b v2.7.1
 	cd slsa-verifier/cli/slsa-verifier && go build -o $(PACKAGE_PATH)/bin/
 	cd $(REPO_PATH) && rm -rf slsa-verifier
-$(PACKAGE_PATH)/resources/mvnw:
-	cd $(PACKAGE_PATH)/resources \
-		&& wget https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper-distribution/3.1.1/maven-wrapper-distribution-3.1.1-bin.zip \
-		&& unzip -o maven-wrapper-distribution-3.1.1-bin.zip \
-		&& rm -r maven-wrapper-distribution-3.1.1-bin.zip \
-		&& echo -e "distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.8.6/apache-maven-3.8.6-bin.zip\nwrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.1/maven-wrapper-3.1.1.jar" > .mvn/wrapper/maven-wrapper.properties \
-		&& cd $(REPO_PATH)
-$(PACKAGE_PATH)/resources/gradlew:
-	cd $(PACKAGE_PATH)/resources \
-		&& export GRADLE_VERSION=7.6 \
-		&& wget https://services.gradle.org/distributions/gradle-$$GRADLE_VERSION-bin.zip \
-		&& unzip -o gradle-$$GRADLE_VERSION-bin.zip \
-		&& rm -r gradle-$$GRADLE_VERSION-bin.zip \
-		&& gradle-$$GRADLE_VERSION/bin/gradle wrapper \
-		&& cd $(REPO_PATH)
 setup-schemastore: $(PACKAGE_PATH)/resources/schemastore/github-workflow.json $(PACKAGE_PATH)/resources/schemastore/LICENSE $(PACKAGE_PATH)/resources/schemastore/NOTICE
 $(PACKAGE_PATH)/resources/schemastore/github-workflow.json:
 	cd $(PACKAGE_PATH)/resources \
@@ -236,7 +221,7 @@ setup-integration-test-utility-for-docker:
 # Generate a Software Bill of Materials (SBOM).
 .PHONY: sbom
 sbom: requirements
-	cyclonedx-py requirements --output-format json --outfile dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-sbom.json
+	cyclonedx-py requirements --output-format json --output-file dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-sbom.json
 	$$HOME/go/bin/cyclonedx-gomod mod -json -output dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-sbom-go.json $(REPO_PATH)
 
 # Generate a requirements.txt file containing version and integrity hashes for all
@@ -433,11 +418,7 @@ clean: dist-clean bin-clean docs-clean
 nuke-caches: clean
 	find src/ -type d -name __pycache__ -exec rm -fr {} +
 	find tests/ -type d -name __pycache__ -exec rm -fr {} +
-nuke-mvnw:
-	cd $(PACKAGE_PATH)/resources \
-	&& rm mvnw mvnw.cmd mvnwDebug mvnwDebug.cmd \
-	&& cd $(REPO_PATH)
-nuke: nuke-caches nuke-mvnw
+nuke: nuke-caches
 	if [ ! -z "${VIRTUAL_ENV}" ]; then \
 	  echo "Please deactivate the virtual environment first!" && exit 1; \
 	fi

docker/Dockerfile.final

@@ -11,7 +11,7 @@
 # Note that the local machine must login to ghcr.io so that Docker could pull the ghcr.io/oracle/macaron-base
 # image for this build.
 
-FROM ghcr.io/oracle/macaron-base:latest@sha256:79b3b8b03cb9b6a124c6450f4baa58f96f83ee9e37f572c88a97597b35c7bc51
+FROM ghcr.io/oracle/macaron-base:latest@sha256:3b1f5ab197ee4429c598712bb8abb555a094e879f69e35439061777ac3bcb138
 
 ENV HOME="/home/macaron"
 

docker/user.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 # We update the GID and UID of the existing macaron user in the container
@@ -16,35 +16,6 @@ else
     echo "Consider providing the GID and UID via the env variables USER_GID and USER_UID respectively."
 fi
 
-# Prepare settings.xml because
-# We mount .m2 dir to the host machine
-# We cannot copy those files while building the image
-# because they will be bypassed.
-if [[ ! -f "$HOME/.m2/settings.xml" ]] && [[ -n "$PACKAGE_PATH" ]];
-then
-    if [[ ! -d "$HOME/.m2" ]];
-    then
-        mkdir --parents "$HOME"/.m2
-    fi
-    cp "$PACKAGE_PATH"/resources/settings.xml "$HOME"/.m2/
-fi
-
-# Overwrite $HOME/.m2/settings.xml if the global settings.xml file is mounted from the host machine.
-if [[ -f "$HOME/settings.xml" ]];
-then
-    cp "$HOME/settings.xml" "$HOME/.m2/settings.xml"
-fi
-
-# Create $HOME/.gradle/gradle.properties if the global gradle.properties file is mounted from the host machine.
-if [[ ! -d "$HOME/.gradle" ]];
-then
-    mkdir --parents "$HOME"/.gradle
-fi
-if [[ -f "$HOME/gradle.properties" ]];
-then
-    cp "$HOME"/gradle.properties "$HOME/.gradle/gradle.properties"
-fi
-
 # Prepare the output directory. The output directory will be already existed
 # if we mount from the host machine.
 if [[ ! -d "$HOME/output" ]];
@@ -80,8 +51,6 @@ fi
 
 # The directory that could be mounted to the host machine file systems should
 # have the owner as the current user in the host machine.
-chown --recursive macaron:macaron "$HOME"/.m2
-chown --recursive macaron:macaron "$HOME"/.gradle
 chown --recursive macaron:macaron "$HOME"/output
 
 # Run the provided Macaron command with the user macaron.

docs/source/pages/developers_guide/apidoc/macaron.dependency_analyzer.rst

@@ -17,22 +17,6 @@ macaron.dependency\_analyzer.cyclonedx module
    :show-inheritance:
    :undoc-members:
 
-macaron.dependency\_analyzer.cyclonedx\_gradle module
------------------------------------------------------
-
-.. automodule:: macaron.dependency_analyzer.cyclonedx_gradle
-   :members:
-   :show-inheritance:
-   :undoc-members:
-
-macaron.dependency\_analyzer.cyclonedx\_mvn module
---------------------------------------------------
-
-.. automodule:: macaron.dependency_analyzer.cyclonedx_mvn
-   :members:
-   :show-inheritance:
-   :undoc-members:
-
 macaron.dependency\_analyzer.cyclonedx\_python module
 -----------------------------------------------------
 

docs/source/pages/developers_guide/apidoc/macaron.malware_analyzer.pypi_heuristics.metadata.rst

@@ -33,6 +33,14 @@ macaron.malware\_analyzer.pypi\_heuristics.metadata.empty\_project\_link module
    :show-inheritance:
    :undoc-members:
 
+macaron.malware\_analyzer.pypi\_heuristics.metadata.fake\_email module
+----------------------------------------------------------------------
+
+.. automodule:: macaron.malware_analyzer.pypi_heuristics.metadata.fake_email
+   :members:
+   :show-inheritance:
+   :undoc-members:
+
 macaron.malware\_analyzer.pypi\_heuristics.metadata.high\_release\_frequency module
 -----------------------------------------------------------------------------------
 
@@ -49,6 +57,14 @@ macaron.malware\_analyzer.pypi\_heuristics.metadata.one\_release module
    :show-inheritance:
    :undoc-members:
 
+macaron.malware\_analyzer.pypi\_heuristics.metadata.similar\_projects module
+----------------------------------------------------------------------------
+
+.. automodule:: macaron.malware_analyzer.pypi_heuristics.metadata.similar_projects
+   :members:
+   :show-inheritance:
+   :undoc-members:
+
 macaron.malware\_analyzer.pypi\_heuristics.metadata.source\_code\_repo module
 -----------------------------------------------------------------------------
 

docs/source/pages/installation.rst

@@ -119,23 +119,3 @@ You can run the following command to make sure the proxy settings are updated:
 .. code-block:: shell
 
   sudo systemctl show --property=Environment docker
-
-'''''''''''''''''''''''''''''''
-Maven and Gradle proxy settings
-'''''''''''''''''''''''''''''''
-
-Maven and Gradle do not use the system proxy settings. If the target software component (repository)
-is using either of these build tools, make sure to set up the following environment variables:
-
-.. code-block:: shell
-
-  export MAVEN_OPTS="-Dhttp.proxyHost=wwww-example-proxy -Dhttp.proxyPort=80 -Dhttps.proxyHost=wwww-example-proxy -Dhttps.proxyPort=80"
-  export GRADLE_OPTS="-Dhttp.proxyHost=wwww-example-proxy -Dhttp.proxyPort=80 -Dhttps.proxyHost=wwww-example-proxy -Dhttps.proxyPort=80"
-
-In addition, Macaron uses the global settings files for Maven and Gradle if present on the host machine and copies them to
-the Docker container. You can set up your proxy settings in the following files:
-
-* ``~/.m2/settings.xml``
-* ``~/.gradle/gradle.properties``
-
-See the `Maven <https://maven.apache.org/settings.html#proxies>`_ and `Gradle <https://docs.gradle.org/current/userguide/build_environment.html#sec:accessing_the_web_via_a_proxy>`_ documentations for more information on setting up proxies.

docs/source/pages/output_files.rst

@@ -20,8 +20,6 @@ Top level structure
 .. code-block::
 
     output/
-        ├── .gradle/
-        ├── .m2/
         ├── build_log/
         ├── git_repos/
         ├── reports/
@@ -182,18 +180,10 @@ This file stores the log messages from the latest run of Macaron.
 build_log
 ^^^^^^^^^
 
-This is the directory for storing the log from running external components such as `CycloneDx SBOM Maven plugin <https://github.com/CycloneDX/cyclonedx-maven-plugin>`_, `CycloneDx SBOM Gradle plugin <https://github.com/CycloneDX/cyclonedx-gradle-plugin>`_ or the `slsa-verifier <https://github.com/slsa-framework/slsa-verifier>`_.
+This is the directory for storing the log from running external components, such as `slsa-verifier <https://github.com/slsa-framework/slsa-verifier>`_.
 
 ^^^^^^^^^^^^^^^
 sbom_debug.json
 ^^^^^^^^^^^^^^^
 
 This file contain the debug information for running the SBOM generator to obtain dependencies of a repository.
-
-^^^^^^^^^^^^^^^
-.m2 and .gradle
-^^^^^^^^^^^^^^^
-
-These two directories cache the content of ``~/.m2`` and ``~/.gradle`` in the Docker container between different runs (which are
-mainly updated by the CycloneDX SBOM plugins).
-This will helps subsequent runs on the same target repository faster.

docs/source/pages/supported_technologies/index.rst

@@ -115,8 +115,6 @@ Automatic dependency resolution
 
 Currently, we support the following type of project for automatic dependency resolution.
 
-* Java Maven
-* Java Gradle
 * Python (with a Python virtual environment created and packages installed using Python3.11, see :ref:`providing Python virtual environment <python-venv-deps>`.)
 
 --------

docs/source/pages/tutorials/detect_malicious_java_dep.rst

@@ -66,11 +66,11 @@ Skip this section if you already know how to install Macaron.
 Run ``analyze`` command
 ***********************
 
-First, we need to run the ``analyze`` command of Macaron to run a number of :ref:`checks <checks>` and collect evidence for  ``example-maven-app`` and its dependencies.
+First, we need to run the ``analyze`` command of Macaron to run a number of :ref:`checks <checks>` and collect evidence for  ``example-maven-app`` and its dependencies. You need to generate the SBOM and provide it to Macaron. For more details see the instructions : :ref:`here <with-sbom>`.
 
 .. code-block:: shell
 
-  ./run_macaron.sh analyze -purl pkg:maven/io.github.behnazh-w.demo/[email protected]?type=jar -rp https://github.com/behnazh-w/example-maven-app --deps-depth=1
+  ./run_macaron.sh analyze -purl pkg:maven/io.github.behnazh-w.demo/[email protected]?type=jar -rp https://github.com/behnazh-w/example-maven-app --deps-depth=1 -sbom sbom.json
 
 .. note:: By default, Macaron clones the repositories and creates output files under the ``output`` directory. To understand the structure of this directory please see :ref:`Output Files Guide <output_files_guide>`.
 
@@ -98,7 +98,7 @@ As you can see, some of the checks are passing and some are failing. In summary,
 * but it is not deploying any artifacts automatically (``mcn_build_as_code_1``)
 * and no CI workflow runs are detected that automatically publish artifacts (``mcn_find_artifact_pipeline_1``)
 
-As you scroll down in the HTML report, you will see a section for the dependencies that were automatically identified:
+As you scroll down in the HTML report, you will see a section for the dependencies that were identified from the provided ``sbom.json``:
 
 .. _fig_example-maven-app-deps:
 

pyproject.toml

@@ -32,8 +32,8 @@ dependencies = [
     "packageurl-python >= 0.11.1,<1.0.0",
     "ruamel.yaml >= 0.18.6,<1.0.0",
     "jsonschema >= 4.22.0,<5.0.0",
-    "cyclonedx-bom >=4.0.0,<5.0.0",
-    "cyclonedx-python-lib[validation] >=7.3.4,<8.0.0",
+    "cyclonedx-bom >=7.0.0,<8.0.0",
+    "cyclonedx-python-lib[validation] >=8.0.0,<11.0.0",
     "beautifulsoup4 >= 4.12.0,<5.0.0",
     "problog >= 2.2.6,<3.0.0",
     "cryptography >=44.0.0,<45.0.0",
@@ -78,7 +78,7 @@ dev = [
     "types-jsonschema >=4.22.0,<5.0.0",
     "pip-audit >=2.5.6,<3.0.0",
     "pylint >=3.0.3,<4.0.0",
-    "cyclonedx-bom >=4.0.0,<5.0.0",
+    "cyclonedx-bom >=7.0.0,<8.0.0",
     "types-beautifulsoup4 >= 4.12.0,<5.0.0",
 ]
 docs = [
@@ -274,5 +274,7 @@ filterwarnings = [
     # https://docs.pytest.org/en/latest/how-to/failures.html#warning-about-unraisable-exceptions-and-unhandled-thread-exceptions
     "error::pytest.PytestUnraisableExceptionWarning",
     "error::pytest.PytestUnhandledThreadExceptionWarning",
+    # Remove the following when this issue is fixed: https://github.com/CycloneDX/cyclonedx-python-lib/issues/870
+    "ignore::DeprecationWarning:cyclonedx.model.tool",
     "error::DeprecationWarning:pkg_resources",
 ]