Fast, portable and reliable dependency analysis for any codebase. Supports license & vulnerability scanning for large monoliths. Language-agnostic; integrates with 20+ build systems.
Overview
This PR adds functionality to millhone for analyzing a container tar file for JARs and reporting fingerprints. It is a lightly adapted version of code we already had in another project. It isn't really set up yet to fingerprint arbitrary JARs but should be adaptable for that purpose quite easily.
I am going to stack a couple of PRs. This one is just the Rust side of things. For a review, I'm mainly looking for a sanity check on what I have so far.
Acceptance criteria
This isn't missing any obvious piece of data that you think we will need or has egregious problems.
Testing plan
My testing has been manual so far. I've tested with the following images: cassandra, jetty, gradle, and quay.io/keycloak/keycloak:25.0.1.
To test with an image from the root cli directory:
docker pull quay.io/keycloak/keycloak:25.0.1
docker save quay.io/keycloak/keycloak:25.0.1 > keycloak.tar
cargo run --bin millhone -- --log-to stderr analyze-jars keycloak.tar | jless
Note that this will take a bit of time as written. Building with --release significantly improves performance for this operation, so that shouldn't be a concern.
For now, I haven't added an automated test because I want to try to get everything working manually end-to-end with the CLI.
Risks
None. This is new functionality and doesn't touch any existing Millhone work.
Checklist
[x] I added tests for this PR's change (or explained in the PR description why tests don't make sense).
[x] If this PR introduced a user-visible change, I added documentation into docs/.
[x] If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
[x] If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an # Unreleased section at the top.
[x] If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by the fossa init command. You may also need to update these if you have added/removed a new dependency type (e.g. pip) or analysis target type (e.g. poetry).
[x] If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.
Metrics
References
ANE-1711
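To illustrate what the analyze-jars flow exercises (walk a `docker save` archive, descend into each layer tar, fingerprint every JAR found), here is an added example. It is not millhone's code (which is Rust); it uses Python's standard library only, builds a constructed sample image in memory, and skips files that are named .jar but are not actually zip archives.

```python
import hashlib
import io
import json
import tarfile
import zipfile

def _add_file(archive: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    archive.addfile(info, io.BytesIO(data))

def build_sample_image() -> bytes:
    """Constructed input: a minimal `docker save` layout (manifest.json plus one layer tar).
    The layer holds a real JAR (a zip with a manifest), a file merely named .jar, and a text file."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    layer = io.BytesIO()
    with tarfile.open(fileobj=layer, mode="w") as t:
        _add_file(t, "app/lib/demo.jar", jar.getvalue())
        _add_file(t, "app/lib/fake.jar", b"not a zip archive")
        _add_file(t, "app/README", b"plain text")
    image = io.BytesIO()
    with tarfile.open(fileobj=image, mode="w") as t:
        _add_file(t, "manifest.json", json.dumps([{"Layers": ["layer0/layer.tar"]}]).encode())
        _add_file(t, "layer0/layer.tar", layer.getvalue())
    return image.getvalue()

def analyze_jars(image_tar: bytes) -> list[dict]:
    """Walk every layer listed in manifest.json and fingerprint each JAR found inside."""
    results = []
    with tarfile.open(fileobj=io.BytesIO(image_tar), mode="r") as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in (l for entry in manifest for l in entry["Layers"]):
            layer_bytes = image.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r") as layer:
                for member in layer.getmembers():
                    if not (member.isfile() and member.name.lower().endswith(".jar")):
                        continue
                    data = layer.extractfile(member).read()
                    if not zipfile.is_zipfile(io.BytesIO(data)):
                        continue  # named .jar but not a zip: skip rather than fingerprint junk
                    results.append({"layer": layer_name, "path": member.name,
                                    "sha256": hashlib.sha256(data).hexdigest()})
    return results
```

Running `analyze_jars(build_sample_image())` yields one record for app/lib/demo.jar; point `analyze_jars` at the bytes of a real keycloak.tar to compare its output against the CLI's.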