jfrog / artifactory-gradle-plugin

JFrog Gradle plugin for Build Info extraction and Artifactory publishing.
Apache License 2.0

Add type="cpp" for build artifacts that are of native type #91

Closed enaess closed 7 months ago

enaess commented 10 months ago

Describe the bug

Create a new Gradle project with a few sub-projects

1) Project A applies the "cpp-library" plugin
2) Project B applies the "cpp-application" plugin, adds a dependency on project B

Add a few stub C++ code snippets, e.g. main() { cout << hello world << endl; } and call a function in the dependent library.

Apply the "com.jfrog.artifactory" plugin, add boilerplate artifactory publish configuration in the root project's build.gradle, and apply the artifactory plugin and the "maven-publish" plugin in each sub-project. Run the ./gradlew artifactoryPublish task and confirm that you are able to publish the native artifacts to your artifactory server.

Enable publishing of build info:

artifactory {
    publish {
        ...
        setPublishBuildInfo(true)
    }
}

Current behavior

Open up the build/build-info.json file: none of the dependencies you've added specifies type="cpp" for native builds. Even the gradle project may need to be of type "cpp".

By the way, build/build-info.json should be in the root project's target directory, not in a static "build/build-info.json". That in itself is also a bug.

Reproduction steps

I could write you a gist to demonstrate that, but am out of time.

Expected behavior

When you publish the build-info to the artifactory server, the documentation says to search and replace both the module's type="cpp" and the dependency type="cpp" in order for X-Ray to detect the presence of native dependencies and flag these as such.

Artifactory Gradle plugin version

5.1.10

Operating system type and version

Ubuntu 22.04

JFrog Artifactory version

7.41.14

Gradle version

7.6.2

enaess commented 9 months ago

I've added a project one can use to start troubleshooting this issue. It's available here:

You will need to add an appropriate artifactory URL (other than artifactory.local), and then configure the relevant local / remote repositories for the build to finally succeed. It should not need to pull down any other dependencies except for the "com.jfrog.artifactory" plugin.

Once you have that going, you publish a build to your artifactory instance by

./gradlew -PArtifactoryUsername="your-user-name-here" -PArtifactoryPassword="your token here" artifactoryPublish

This will successfully upload the library and application components. However, the type for the modules needs to be changed to "cpp" for both the module and the relevant dependencies. Only then will the X-Ray SBOM discover the components produced, list them on that page, and perform the relevant security scans on the component with its dependencies.

We wish the "com.jfrog.artifactory" plugin to generate the appropriate build-info file and set the module/dependency's type field to cpp.
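The search-and-replace step the reporter refers to (in the issue body and again in the comment above), as an added example that is not part of the original thread and not code from the plugin: a small Python script that audits a build-info.json for modules whose artifacts look native but are not typed cpp, and patches the module and dependency type fields so Xray can recognise the native components. The field layout it relies on (a top-level modules list with id, type, artifacts[].name and dependencies[].id/type) is an assumption about the Build Info schema, the sample document is constructed for the example, and the native-suffix heuristic is a guess that deliberately misses an extensionless Linux executable, which is why module ids can also be passed explicitly.

```python
"""Audit and patch a Gradle build-info.json so native modules are typed 'cpp'.

Assumptions (not taken from the issue page): the Build Info document has the
shape {"modules": [{"id", "type", "artifacts": [{"name", ...}],
"dependencies": [{"id", "type", ...}]}]}. Anything else is left untouched.
"""
import copy
import json
import re
import sys
from typing import Dict, Iterable, List, Tuple

# Heuristic only: artifact file names that look like native build outputs.
# An executable without an extension (e.g. "myapp") will NOT match.
NATIVE_SUFFIX = re.compile(r"\.(?:so(?:\.\d+)*|a|dylib|dll|lib|exe)$", re.IGNORECASE)

# Constructed sample resembling the reporter's setup: a cpp-library and a
# cpp-application sub-project published without any module/dependency type,
# plus an ordinary JVM module that must be left alone.
SAMPLE_BUILD_INFO: Dict = {
    "name": "native-demo",
    "number": "1",
    "modules": [
        {
            "id": "com.example:mylib:1.0.0",
            "artifacts": [{"name": "libmylib.so"}, {"name": "mylib-1.0.0.pom"}],
            "dependencies": [],
        },
        {
            "id": "com.example:myapp:1.0.0",
            "artifacts": [{"name": "myapp"}],  # extensionless executable
            "dependencies": [{"id": "com.example:mylib:1.0.0", "scopes": ["runtime"]}],
        },
        {
            "id": "com.example:javatool:1.0.0",
            "type": "gradle",
            "artifacts": [{"name": "javatool-1.0.0.jar"}],
            "dependencies": [{"id": "org.slf4j:slf4j-api:2.0.9", "type": "jar"}],
        },
    ],
}


def _is_cpp(entry: Dict) -> bool:
    """Case-insensitive check of the 'type' field (the plugin DSL spells it 'CPP')."""
    return (entry.get("type") or "").lower() == "cpp"


def looks_native(module: Dict) -> bool:
    """True if any artifact of the module has a native-looking file name."""
    return any(NATIVE_SUFFIX.search(a.get("name", "")) for a in module.get("artifacts", []))


def find_untyped_native_modules(build_info: Dict) -> List[str]:
    """Ids of modules that carry native artifacts but are not typed cpp.

    A non-empty result is the symptom the issue describes: Xray will not
    treat these components as native and will not scan their dependencies.
    """
    return [m["id"] for m in build_info.get("modules", []) if looks_native(m) and not _is_cpp(m)]


def mark_cpp(build_info: Dict, module_ids: Iterable[str],
             dependency_ids: Iterable[str] = ()) -> Tuple[Dict, int]:
    """Return a deep copy with type 'cpp' set on the selected modules and on
    every dependency entry whose id is in module_ids or dependency_ids.
    The second value is the number of fields changed (0 means idempotent)."""
    wanted_modules = set(module_ids)
    wanted_deps = set(dependency_ids) | wanted_modules
    patched = copy.deepcopy(build_info)
    changes = 0
    for module in patched.get("modules", []):
        if module.get("id") in wanted_modules and not _is_cpp(module):
            module["type"] = "cpp"
            changes += 1
        for dep in module.get("dependencies", []):
            if dep.get("id") in wanted_deps and not _is_cpp(dep):
                dep["type"] = "cpp"
                changes += 1
    return patched, changes


def patch_file(path: str, module_ids: Iterable[str], dependency_ids: Iterable[str] = ()) -> int:
    """Patch a build-info.json on disk in place; returns the number of changes."""
    with open(path, encoding="utf-8") as fh:
        info = json.load(fh)
    patched, changes = mark_cpp(info, module_ids, dependency_ids)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(patched, fh, indent=2)
    return changes


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python mark_cpp.py build/build-info.json <module-id> [<module-id> ...]
        print(f"changed {patch_file(sys.argv[1], sys.argv[2:])} type fields")
    else:
        found = find_untyped_native_modules(SAMPLE_BUILD_INFO)
        print("native modules without type=cpp:", found)
        # The heuristic cannot see the extensionless executable, so name it explicitly.
        patched, n = mark_cpp(SAMPLE_BUILD_INFO, found + ["com.example:myapp:1.0.0"])
        print(f"{n} fields changed")
        print(json.dumps(patched["modules"], indent=2))
```

Run find_untyped_native_modules over the build-info.json the plugin writes: a non-empty list is exactly the gap the reporter describes, and the same check turns up empty once the module and dependency types are in place, so it doubles as a regression check after upgrading the plugin. The explicit id list exists because file-name heuristics are unreliable for native output; treat them as a hint, not as the source of truth for what Xray should scan.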

yahavi commented 9 months ago

Hey @enaess,

Appreciate your help in sorting this out. We made a pull request at https://github.com/jfrog/artifactory-gradle-plugin/pull/95 to tackle it. The idea is to set the module type as cpp if either the cpp-application or cpp-library plugins are applied in the project. If you come across any situations where this solution doesn't quite cover it, please let us know.

enaess commented 9 months ago

Will need to give it a spin after the holiday break.

yahavi commented 7 months ago

@enaess Gradle Artifactory plugin 5.2.0 has been released. In this version, you can set the module type manually:

artifactory {
    publish {
        defaults {
            moduleType = 'CPP'
        }
    }
}

And within the project scope:

artifactoryPublish {
    moduleType = 'CPP'
}

We'd appreciate your feedback on that.