Fix .jar analysis via Syft & Grype

bjk7119 · bjk7119 · commit 2aa4fce9de84 · 2025-09-12T15:05:34.000+09:00
diff --git a/.reuse/dep5 b/.reuse/dep5
@@ -57,3 +57,7 @@ License: Apache-2.0
 Files: .bumpversion.cfg
 Copyright: 2021 LG Electronics
 License: Apache-2.0
+
+Files: src/fosslight_binary/__init__.py
+Copyright: 
+License: Apache-2.0
diff --git a/requirements.txt b/requirements.txt
@@ -9,4 +9,3 @@ pytz
 XlsxWriter
 PyYAML
 fosslight_util>=2.1.13
-dependency-check
diff --git a/setup.py b/setup.py
@@ -6,6 +6,21 @@
 import os
 import shutil
 from setuptools import setup, find_packages
+from setuptools.command.install import install
+
+class PostInstallCommand(install):
+    """Post-installation for installation mode."""
+    def run(self):
+        install.run(self)
+        # Install syft and grype after package installation
+        try:
+            from src.fosslight_binary._jar_analysis import ensure_syft_grype
+            print("Installing syft and grype...")
+            ensure_syft_grype()
+            print("Syft and grype installation completed.")
+        except Exception as e:
+            print(f"Warning: Failed to auto-install syft/grype: {e}")
+            print("You can install them manually or they will be installed on first use.")
 
 with open('README.md', 'r', 'utf-8') as f:
     readme = f.read()
@@ -63,6 +78,9 @@
         },
         package_data={_PACKAEG_NAME: [os.path.join(_LICENSE_DIR, '*')]},
         include_package_data=True,
+        cmdclass={
+            'install': PostInstallCommand,
+        },
         entry_points={
             "console_scripts": [
                 "binary_analysis = fosslight_binary.cli:main",
diff --git a/src/fosslight_binary/__init__.py b/src/fosslight_binary/__init__.py
@@ -0,0 +1,19 @@
+# Auto-install syft and grype on first import
+import logging
+import os
+
+logger = logging.getLogger(__name__)
+
+def _auto_install_dependencies():
+    """Auto-install syft and grype if not available"""
+    try:
+        from ._jar_analysis import ensure_syft_grype
+        # Only try to install if we're not in a restricted environment
+        if not os.environ.get('FOSSLIGHT_SKIP_AUTO_INSTALL'):
+            ensure_syft_grype()
+    except Exception as ex:
+        # Don't fail package import if auto-install fails
+        logger.debug(f"Auto-install failed (this is not critical): {ex}")
+
+# Run auto-install on import
+_auto_install_dependencies()
diff --git a/src/fosslight_binary/_jar_analysis.py b/src/fosslight_binary/_jar_analysis.py
diff --git a/src/fosslight_binary/binary_analysis.py b/src/fosslight_binary/binary_analysis.py
