chore: add --deps-depth

Trong Nhan Mai · Trong Nhan Mai · commit 033a9910c599 · 2024-08-26T15:18:19.000+10:00
diff --git a/src/macaron/__main__.py b/src/macaron/__main__.py
@@ -153,10 +153,24 @@ def analyze_slsa_levels_single(analyzer_single_args: argparse.Namespace) -> None
             + "Dependency resolution is off by default. This flag will be removed soon."
         )
 
+    deps_depth = None
+    if analyzer_single_args.deps_depth == "inf":
+        deps_depth = -1
+    else:
+        try:
+            deps_depth = int(analyzer_single_args.deps_depth)
+        except ValueError:
+            logger.error("Please provide '1', '0' or 'inf' to `--deps-depth`")
+            sys.exit(os.EX_USAGE)
+
+    if deps_depth not in [-1, 0, 1]:
+        logger.error("Please provide '1', '0' or 'inf' to `--deps-depth`")
+        sys.exit(os.EX_USAGE)
+
     status_code = analyzer.run(
         run_config,
         analyzer_single_args.sbom_path,
-        analyzer_single_args.deps_resolution,
+        deps_depth,
         provenance_payload=prov_payload,
     )
     sys.exit(status_code)
@@ -422,11 +436,13 @@ def main(argv: list[str] | None = None) -> None:
     )
 
     single_analyze_parser.add_argument(
-        "--deps-resolution",
+        "--deps-depth",
         required=False,
-        action="store_true",
-        default=False,
-        help=("Perform dependency resolution and analysis."),
+        default="0",
+        help=(
+            "The depth of the dependency resolution. 0: disable, 1: direct dependencies, "
+            + "inf: all transitive dependencies. (Default: 0)"
+        ),
     )
 
     single_analyze_parser.add_argument(
diff --git a/src/macaron/config/defaults.ini b/src/macaron/config/defaults.ini
@@ -39,7 +39,6 @@ dep_tool_maven = cyclonedx-maven:2.6.2
 dep_tool_gradle = cyclonedx-gradle:1.7.4
 # This is the timeout (in seconds) to run the dependency resolver.
 timeout = 2400
-recursive = False
 # Determines whether the CycloneDX BOM file should be validated or not.
 validate = True
 # The CycloneDX schema version used for validation.
diff --git a/src/macaron/dependency_analyzer/cyclonedx.py b/src/macaron/dependency_analyzer/cyclonedx.py
@@ -138,7 +138,9 @@ def __init__(self, resources_path: str, file_name: str, tool_name: str, tool_ver
         self.visited_deps: set = set()
 
     @abstractmethod
-    def collect_dependencies(self, dir_path: str, target_component: Component) -> dict[str, DependencyInfo]:
+    def collect_dependencies(
+        self, dir_path: str, target_component: Component, recursive: bool = False
+    ) -> dict[str, DependencyInfo]:
         """Process the dependency JSON files and collect direct dependencies.
 
         Parameters
@@ -147,6 +149,8 @@ def collect_dependencies(self, dir_path: str, target_component: Component) -> di
             Local path to the target repo.
         target_component: Component
             The analyzed target software component.
+        recursive: bool
+            Set to False to get the direct dependencies only (default).
 
         Returns
         -------
@@ -349,14 +353,16 @@ def tool_valid(tool: str) -> bool:
         return True
 
     @staticmethod
-    def resolve_dependencies(main_ctx: Any, sbom_path: str) -> dict[str, DependencyInfo]:
+    def resolve_dependencies(main_ctx: Any, sbom_path: str, recursive: bool = False) -> dict[str, DependencyInfo]:
         """Resolve the dependencies of the main target repo.
 
         Parameters
         ----------
         main_ctx : Any (AnalyzeContext)
             The context of object of the target repository.
-        sbom_path: str
+        recursive : bool
+            If True, perform transitive dependency resolution. Default: False.
+        sbom_path : str
             The path to the SBOM.
 
         Returns
@@ -397,7 +403,11 @@ def resolve_dependencies(main_ctx: Any, sbom_path: str) -> dict[str, DependencyI
             if sbom_path:
                 logger.info("Getting the dependencies from the SBOM defined at %s.", sbom_path)
 
-                deps_resolved = dep_analyzer.get_deps_from_sbom(sbom_path, main_ctx.component)
+                deps_resolved = dep_analyzer.get_deps_from_sbom(
+                    sbom_path,
+                    main_ctx.component,
+                    recursive=recursive,
+                )
 
                 # Use repo finder to find more repositories to analyze.
                 if defaults.getboolean("repofinder", "find_repos"):
@@ -456,7 +466,11 @@ def resolve_dependencies(main_ctx: Any, sbom_path: str) -> dict[str, DependencyI
 
                 # We collect the generated SBOM as a best effort, even if the build exits with errors.
                 # TODO: add improvements to help the SBOM build succeed as much as possible.
-                deps_resolved |= dep_analyzer.collect_dependencies(str(working_dir), main_ctx.component)
+                deps_resolved |= dep_analyzer.collect_dependencies(
+                    str(working_dir),
+                    main_ctx.component,
+                    recursive=recursive,
+                )
 
             logger.info("Stored dependency resolver log for %s to %s.", dep_analyzer.tool_name, log_path)
 
@@ -719,7 +733,9 @@ def convert_components_to_artifacts(
 
         return latest_deps
 
-    def get_deps_from_sbom(self, sbom_path: str | Path, target_component: Component) -> dict[str, DependencyInfo]:
+    def get_deps_from_sbom(
+        self, sbom_path: str | Path, target_component: Component, recursive: bool = False
+    ) -> dict[str, DependencyInfo]:
         """Get the dependencies from a provided SBOM.
 
         Parameters
@@ -728,6 +744,8 @@ def get_deps_from_sbom(self, sbom_path: str | Path, target_component: Component)
             The path to the SBOM file.
         target_component: Component
             The analyzed target software component.
+        recursive: bool
+            Set to False to get the direct dependencies only (default).
 
         Returns
         -------
@@ -737,11 +755,7 @@ def get_deps_from_sbom(self, sbom_path: str | Path, target_component: Component)
             self.get_dep_components(
                 target_component=target_component,
                 root_bom_path=Path(sbom_path),
-                recursive=defaults.getboolean(
-                    "dependency.resolver",
-                    "recursive",
-                    fallback=False,
-                ),
+                recursive=recursive,
             )
         )
 
@@ -753,7 +767,9 @@ def __init__(self) -> None:
         """Initialize the dependency analyzer instance."""
         super().__init__(resources_path="", file_name="", tool_name="", tool_version="")
 
-    def collect_dependencies(self, dir_path: str, target_component: Component) -> dict[str, DependencyInfo]:
+    def collect_dependencies(
+        self, dir_path: str, target_component: Component, recursive: bool = False
+    ) -> dict[str, DependencyInfo]:
         """Process the dependency JSON files and collect direct dependencies.
 
         Parameters
@@ -762,6 +778,8 @@ def collect_dependencies(self, dir_path: str, target_component: Component) -> di
             Local path to the target repo.
         target_component: Component
             The analyzed target software component.
+        recursive: bool
+            Set to False to get the direct dependencies only (default).
 
         Returns
         -------
diff --git a/src/macaron/dependency_analyzer/cyclonedx_gradle.py b/src/macaron/dependency_analyzer/cyclonedx_gradle.py
@@ -15,7 +15,6 @@
 from cyclonedx.model.component import Component as CDXComponent
 from packageurl import PackageURL
 
-from macaron.config.defaults import defaults
 from macaron.database.table_definitions import Component
 from macaron.dependency_analyzer.cyclonedx import DependencyAnalyzer, DependencyInfo
 
@@ -47,7 +46,12 @@ def get_cmd(self) -> list:
             "cyclonedxBom",
         ]
 
-    def collect_dependencies(self, dir_path: str, target_component: Component) -> dict[str, DependencyInfo]:
+    def collect_dependencies(
+        self,
+        dir_path: str,
+        target_component: Component,
+        recursive: bool = False,
+    ) -> dict[str, DependencyInfo]:
         """Process the dependency JSON files and collect direct dependencies.
 
         Parameters
@@ -56,6 +60,8 @@ def collect_dependencies(self, dir_path: str, target_component: Component) -> di
             Local path to the target repo.
         target_component: Component
             The analyzed target software component.
+        recursive: bool
+            Set to False to get the direct dependencies only (default).
 
         Returns
         -------
@@ -82,11 +88,7 @@ def collect_dependencies(self, dir_path: str, target_component: Component) -> di
             target_component,
             top_path,
             child_paths,
-            recursive=defaults.getboolean(
-                "dependency.resolver",
-                "recursive",
-                fallback=False,
-            ),
+            recursive=recursive,
         )
         return self.convert_components_to_artifacts(components, root_component)
 
diff --git a/src/macaron/dependency_analyzer/cyclonedx_mvn.py b/src/macaron/dependency_analyzer/cyclonedx_mvn.py
@@ -15,7 +15,6 @@
 from cyclonedx.model.component import Component as CDXComponent
 from packageurl import PackageURL
 
-from macaron.config.defaults import defaults
 from macaron.database.table_definitions import Component
 from macaron.dependency_analyzer.cyclonedx import DependencyAnalyzer, DependencyInfo
 
@@ -47,7 +46,12 @@ def get_cmd(self) -> list:
             "includeTestScope=true",
         ]
 
-    def collect_dependencies(self, dir_path: str, target_component: Component) -> dict[str, DependencyInfo]:
+    def collect_dependencies(
+        self,
+        dir_path: str,
+        target_component: Component,
+        recursive: bool = False,
+    ) -> dict[str, DependencyInfo]:
         """Process the dependency JSON files and collect direct dependencies.
 
         We allow the dependency JSON files to be accepted as long as there is only one JSON file in the target
@@ -63,6 +67,8 @@ def collect_dependencies(self, dir_path: str, target_component: Component) -> di
             Local path to the target repo.
         target_component: Component
             The analyzed target software component.
+        recursive: bool
+            Set to False to get the direct dependencies only (default).
 
         Returns
         -------
@@ -111,11 +117,7 @@ def collect_dependencies(self, dir_path: str, target_component: Component) -> di
             target_component,
             top_path,
             child_paths,
-            recursive=defaults.getboolean(
-                "dependency.resolver",
-                "recursive",
-                fallback=False,
-            ),
+            recursive=recursive,
         )
         return self.convert_components_to_artifacts(components, root_component)
 
diff --git a/src/macaron/dependency_analyzer/cyclonedx_python.py b/src/macaron/dependency_analyzer/cyclonedx_python.py
@@ -14,7 +14,6 @@
 from cyclonedx.model.component import Component as CDXComponent
 from packageurl import PackageURL
 
-from macaron.config.defaults import defaults
 from macaron.config.global_config import global_config
 from macaron.database.table_definitions import Component
 from macaron.dependency_analyzer.cyclonedx import DependencyAnalyzer, DependencyInfo
@@ -50,7 +49,12 @@ def get_cmd(self) -> list:
             os.path.join(global_config.output_path, self.file_name),
         ]
 
-    def collect_dependencies(self, dir_path: str, target_component: Component) -> dict[str, DependencyInfo]:
+    def collect_dependencies(
+        self,
+        dir_path: str,
+        target_component: Component,
+        recursive: bool = False,
+    ) -> dict[str, DependencyInfo]:
         """Process the dependency JSON files and collect dependencies.
 
         Parameters
@@ -59,6 +63,8 @@ def collect_dependencies(self, dir_path: str, target_component: Component) -> di
             Local path to the target repo.
         target_component: Component
             The analyzed target software component.
+        recursive: bool
+            Set to False to get the direct dependencies only (default).
 
         Returns
         -------
@@ -69,11 +75,7 @@ def collect_dependencies(self, dir_path: str, target_component: Component) -> di
             self.get_dep_components(
                 target_component=target_component,
                 root_bom_path=Path(global_config.output_path, self.file_name),
-                recursive=defaults.getboolean(
-                    "dependency.resolver",
-                    "recursive",
-                    fallback=False,
-                ),
+                recursive=recursive,
             )
         )
 
diff --git a/src/macaron/slsa_analyzer/analyzer.py b/src/macaron/slsa_analyzer/analyzer.py
@@ -130,7 +130,7 @@ def run(
         self,
         user_config: dict,
         sbom_path: str = "",
-        dependencies: bool = False,
+        deps_depth: int = 0,
         provenance_payload: InTotoPayload | None = None,
     ) -> int:
         """Run the analysis and write results to the output path.
@@ -144,8 +144,8 @@ def run(
             The dictionary that contains the user config parsed from the yaml file.
         sbom_path : str
             The path to the SBOM.
-        dependencies : bool
-            Flag to enable dependency resolution. False by default.
+        deps_depth : int
+            The depth of dependency resolution. Default: 0.
         provenance_payload : InToToPayload | None
             The provenance intoto payload for the main software component.
 
@@ -187,11 +187,26 @@ def run(
                     logger.info("Analysis has failed.")
                     return os.EX_DATAERR
 
-                # Run the chosen dependency analyzer plugin.
-                if not dependencies:
+                if deps_depth == 0:
                     logger.info("Skipping automatic dependency analysis...")
+                elif deps_depth == 1:
+                    # Run the chosen dependency analyzer plugin on direct dependencies.
+                    deps_resolved = DependencyAnalyzer.resolve_dependencies(
+                        main_record.context,
+                        sbom_path,
+                        recursive=False,
+                    )
+                elif deps_depth == -1:
+                    # Run the chosen dependency analyzer plugin on transitive dependencies.
+                    deps_resolved = DependencyAnalyzer.resolve_dependencies(
+                        main_record.context,
+                        sbom_path,
+                        recursive=True,
+                    )
                 else:
-                    deps_resolved = DependencyAnalyzer.resolve_dependencies(main_record.context, sbom_path)
+                    # Can't reach here.
+                    logger.critical("Expecting deps depth to be '0', '1' or '-1', got %s", deps_depth)
+                    return os.EX_USAGE
 
                 # Merge the automatically resolved dependencies with the manual configuration.
                 deps_config = DependencyAnalyzer.merge_configs(deps_config, deps_resolved)
diff --git a/tests/integration/cases/apache_maven_cyclonedx_sbom_tutorial/test.yaml b/tests/integration/cases/apache_maven_cyclonedx_sbom_tutorial/test.yaml
@@ -15,7 +15,7 @@ steps:
     command_args:
     - -purl
     - pkg:maven/org.apache.maven/maven@3.9.7?type=pom
-    - --deps-resolution
+    - --deps-depth=1
     sbom: sbom.json
 - name: Compare dependencies report.
   kind: compare
diff --git a/tests/integration/cases/apache_maven_local_path_with_branch_name_digest_deps_cyclonedx_maven/test.yaml b/tests/integration/cases/apache_maven_local_path_with_branch_name_digest_deps_cyclonedx_maven/test.yaml
@@ -27,7 +27,7 @@ steps:
     - master
     - -d
     - 3fc399318edef0d5ba593723a24fff64291d6f9b
-    - --deps-resolution
+    - --deps-depth=1
 - name: Compare deps report
   kind: compare
   options:
diff --git a/tests/integration/cases/apache_maven_repo_path_branch_digest_with_deps_cyclonedx_maven/test.yaml b/tests/integration/cases/apache_maven_repo_path_branch_digest_with_deps_cyclonedx_maven/test.yaml
@@ -20,7 +20,7 @@ steps:
     - master
     - -d
     - 3fc399318edef0d5ba593723a24fff64291d6f9b
-    - --deps-resolution
+    - --deps-depth=1
 - name: Compare deps report
   kind: compare
   options:
diff --git a/tests/integration/cases/apache_maven_sbom/test.yaml b/tests/integration/cases/apache_maven_sbom/test.yaml
@@ -21,7 +21,7 @@ steps:
     - master
     - -d
     - 3fc399318edef0d5ba593723a24fff64291d6f9b
-    - --deps-resolution
+    - --deps-depth=1
     sbom: sbom.json
 - name: Compare dependency report
   kind: compare
diff --git a/tests/integration/cases/apache_maven_sbom_no_repo_tutorial/test.yaml b/tests/integration/cases/apache_maven_sbom_no_repo_tutorial/test.yaml
@@ -15,7 +15,7 @@ steps:
     command_args:
     - -purl
     - pkg:maven/private.apache.maven/maven@4.0.0-alpha-1-SNAPSHOT?type=pom
-    - --deps-resolution
+    - --deps-depth=1
     sbom: sbom.json
 - name: Compare dependencies report.
   kind: compare
diff --git a/tests/integration/cases/apache_maven_yaml_input_with_dep_resolution/test.yaml b/tests/integration/cases/apache_maven_yaml_input_with_dep_resolution/test.yaml
diff --git a/tests/integration/cases/django_with_dep_resolution_virtual_env_as_input/django_venv/lib64 b/tests/integration/cases/django_with_dep_resolution_virtual_env_as_input/django_venv/lib64
diff --git a/tests/integration/cases/django_with_dep_resolution_virtual_env_as_input/test.yaml b/tests/integration/cases/django_with_dep_resolution_virtual_env_as_input/test.yaml
diff --git a/tests/integration/cases/example_maven_app_automatic_dep_resolution_tutorial/test.yaml b/tests/integration/cases/example_maven_app_automatic_dep_resolution_tutorial/test.yaml
diff --git a/tests/integration/cases/timyarkov_multibuild_test_gradle/test.yaml b/tests/integration/cases/timyarkov_multibuild_test_gradle/test.yaml
