Use pom-operator, Take 2 (pixee#16)

aldrinleal · Jacoco Coverage Update Action · web-flow · commit fe74bda53e93 · 2023-01-14T10:57:58.000-05:00
* Implements pom-operator
 * Codifies formatting rules for `pom.xml` in `.editorconfig`

Co-authored-by: Jacoco Coverage Update Action &lt;pixee@users.noreply.github.com&gt;
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,16 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+# Set default charset
+[*]
+end_of_line = lf
+insert_final_newline = true
+charset = utf-8
+
+# 4 space indentation
+[*.xml]
+indent_style = space
+indent_size = 2
diff --git a/.github/badges/branches.svg b/.github/badges/branches.svg
@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="106" height="20" role="img" aria-label="branches: 70.8%"><linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><clipPath id="r"><rect width="106" height="20" rx="3" fill="#fff"/></clipPath><g clip-path="url(#r)"><rect width="61" height="20" fill="#555"/><rect x="61" width="45" height="20" fill="#dfb317"/><rect width="106" height="20" fill="url(#s)"/></g><g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110"><text aria-hidden="true" x="315" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="507">branches</text><text x="315" y="140" transform="scale(.1)" fill="#fff" textLength="507">branches</text><text aria-hidden="true" x="825" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="350">70.8%</text><text x="825" y="140" transform="scale(.1)" fill="#fff" textLength="350">70.8%</text></g></svg>
+<svg xmlns="http://www.w3.org/2000/svg" width="106" height="20" role="img" aria-label="branches: 71.3%"><linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><clipPath id="r"><rect width="106" height="20" rx="3" fill="#fff"/></clipPath><g clip-path="url(#r)"><rect width="61" height="20" fill="#555"/><rect x="61" width="45" height="20" fill="#dfb317"/><rect width="106" height="20" fill="url(#s)"/></g><g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110"><text aria-hidden="true" x="315" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="507">branches</text><text x="315" y="140" transform="scale(.1)" fill="#fff" textLength="507">branches</text><text aria-hidden="true" x="825" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="350">71.3%</text><text x="825" y="140" transform="scale(.1)" fill="#fff" textLength="350">71.3%</text></g></svg>
diff --git a/.github/badges/jacoco.svg b/.github/badges/jacoco.svg
@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="106" height="20" role="img" aria-label="coverage: 90.1%"><linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><clipPath id="r"><rect width="106" height="20" rx="3" fill="#fff"/></clipPath><g clip-path="url(#r)"><rect width="61" height="20" fill="#555"/><rect x="61" width="45" height="20" fill="#97ca00"/><rect width="106" height="20" fill="url(#s)"/></g><g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110"><text aria-hidden="true" x="315" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="510">coverage</text><text x="315" y="140" transform="scale(.1)" fill="#fff" textLength="510">coverage</text><text aria-hidden="true" x="825" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="350">90.1%</text><text x="825" y="140" transform="scale(.1)" fill="#fff" textLength="350">90.1%</text></g></svg>
+<svg xmlns="http://www.w3.org/2000/svg" width="106" height="20" role="img" aria-label="coverage: 90.3%"><linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><clipPath id="r"><rect width="106" height="20" rx="3" fill="#fff"/></clipPath><g clip-path="url(#r)"><rect width="61" height="20" fill="#555"/><rect x="61" width="45" height="20" fill="#97ca00"/><rect width="106" height="20" fill="url(#s)"/></g><g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110"><text aria-hidden="true" x="315" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="510">coverage</text><text x="315" y="140" transform="scale(.1)" fill="#fff" textLength="510">coverage</text><text aria-hidden="true" x="825" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="350">90.3%</text><text x="825" y="140" transform="scale(.1)" fill="#fff" textLength="350">90.3%</text></g></svg>
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -2,29 +2,40 @@ name: Java CI
 
 on: [push]
 
+env:
+  MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2"
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v2
+
       - name: "Set up JDK 11"
         uses: actions/setup-java@v2
         with:
           java-version: '11'
           distribution: 'adopt'
 
+      - name: Set up Maven
+        uses: stCarolas/setup-maven@v4.4
+        with:
+          maven-version: 3.8.2
+
       - name: "Setting up Artifactory authentication"
         uses: s4u/maven-settings-action@v2
         with:
-          servers: '[{"id": "central", "username": "${env.ARTIFACTORY_USER}", "password": "${env.ARTIFACTORY_TOKEN}"}]'
+          servers: |
+            [
+              {"id": "pixee-libs-release", "username": "${{ secrets.ARTIFACTORY_USER }}", "password": "${{ secrets.ARTIFACTORY_TOKEN }}"},
+              {"id": "pixee-libs-snapshot", "username": "${{ secrets.ARTIFACTORY_USER }}", "password": "${{ secrets.ARTIFACTORY_TOKEN }}"}
+            ]
           githubServer: false
 
       - name: "Build with Maven"
-        env:
-          ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }}
-          ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }}
-        run: mvn --batch-mode --update-snapshots -Pci verify
+        run: |
+          mvn --batch-mode --update-snapshots -Pci verify
 
       - name: "Generate Coverage Badge"
         id: jacoco
diff --git a/.gitignore b/.gitignore
@@ -27,4 +27,8 @@ hs_err_pid*
 
 target/
 
-dependency-reduced-pom.xml
+dependency-reduced-pom.xml
+
+.secrets
+
+output-*.txt
diff --git a/pom.xml b/pom.xml
@@ -91,6 +91,11 @@
       <artifactId>java-security-toolkit</artifactId>
       <version>${versions.jst}</version>
     </dependency>
+    <dependency>
+      <groupId>io.openpixee</groupId>
+      <artifactId>java-security-toolkit-xstream</artifactId>
+      <version>${versions.jst-xstream}</version>
+    </dependency>
     <dependency>
       <groupId>io.github.pixee</groupId>
       <artifactId>codetf-java</artifactId>
diff --git a/src/main/java/io/openpixee/java/CodeTFReportGenerator.java b/src/main/java/io/openpixee/java/CodeTFReportGenerator.java
@@ -146,8 +146,11 @@ private List<CodeTFResult> toCodeTFResults(
                             weave.changeCode(),
                             "fill description for " + weave.changeCode()))
                 .collect(Collectors.toList());
-        CodeTFResult result = new CodeTFResult(path, diff, changes);
-        codetfResults.add(result);
+
+        if (StringUtils.isNotBlank(diff)) {
+          CodeTFResult result = new CodeTFResult(path, diff, changes);
+          codetfResults.add(result);
+        }
       }
       return Collections.unmodifiableList(codetfResults);
     }
diff --git a/src/main/java/io/openpixee/java/protections/DependencyInjectingVisitor.java b/src/main/java/io/openpixee/java/protections/DependencyInjectingVisitor.java
@@ -10,40 +10,27 @@
 import io.openpixee.java.FileWeavingContext;
 import io.openpixee.java.Weave;
 import io.openpixee.java.WeavingResult;
+import io.openpixee.maven.operator.POMOperator;
+import io.openpixee.maven.operator.ProjectModel;
+import io.openpixee.maven.operator.ProjectModelFactory;
 import java.io.*;
-import java.nio.charset.StandardCharsets;
+import java.nio.charset.Charset;
 import java.nio.file.Files;
 import java.util.*;
 import java.util.stream.Collectors;
-import javax.xml.transform.*;
-import javax.xml.transform.stream.StreamResult;
-import javax.xml.transform.stream.StreamSource;
-import org.apache.commons.io.FileUtils;
 import org.apache.commons.io.IOUtils;
-import org.apache.maven.model.Dependency;
-import org.apache.maven.model.Model;
-import org.apache.maven.model.io.xpp3.MavenXpp3Reader;
-import org.apache.maven.model.io.xpp3.MavenXpp3Writer;
-import org.codehaus.plexus.util.xml.pull.XmlPullParserException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
  * This is an important default weaver that will inject the dependencies that the weaves require.
  */
 public final class DependencyInjectingVisitor implements FileBasedVisitor {
-
-  private final PomRewriterStrategy pomRewriterStrategy;
   private final WeavingResult emptyWeaveResult;
   private boolean scanned;
   private Map<File, Set<DependencyGAV>> pomsToUpdate;
 
   public DependencyInjectingVisitor() {
-    this(new MavenXpp3RewriterStrategy());
-  }
-
-  DependencyInjectingVisitor(PomRewriterStrategy pomRewriterStrategy) {
-    this.pomRewriterStrategy = Objects.requireNonNull(pomRewriterStrategy);
     this.emptyWeaveResult =
         WeavingResult.createDefault(Collections.emptySet(), Collections.emptySet());
     this.scanned = false;
@@ -55,87 +42,6 @@ public String ruleId() {
     return pomInjectionRuleId;
   }
 
-  /**
-   * There are many different ways we could choose to rewrite the POM to contain our dependency.
-   * There are many tradeoffs between them as to version coverage, accuracy, robustness,
-   * "disruptiveness" of the patch, etc., so we keep multiple strategies around until we probably
-   * have to hand-develop a solution that ticks all our boxes.
-   */
-  public interface PomRewriterStrategy {
-    /**
-     * Given a model of the POM, and the string contents itself, return the String version of the
-     * POM, rewritten to contain our dependency.
-     */
-    String rewritePom(String pomContentsAsString, Model model) throws IOException;
-  }
-
-  /**
-   * {@inheritDoc}
-   *
-   * <p>Uses the {@link MavenXpp3Writer} to rewrite the {@link Model} with our dependency added in.
-   */
-  public static class MavenXpp3RewriterStrategy implements PomRewriterStrategy {
-    @Override
-    public String rewritePom(final String pomContentsAsString, final Model model)
-        throws IOException {
-      var writer = new MavenXpp3Writer();
-      var rewrittenPom = new StringWriter();
-      writer.write(rewrittenPom, model);
-      return rewrittenPom.toString();
-    }
-  }
-
-  /**
-   * {@inheritDoc}
-   *
-   * <p>Uses an XSLT transformation to convert the POM to inject the dependency.
-   *
-   * <p>TODO: This doesn't work yet -- the XSL needs some love. It only correctly injects a new
-   * dependencies block when there is none.
-   */
-  public static class XslTransformingStrategy implements PomRewriterStrategy {
-
-    @Override
-    public String rewritePom(final String pomContentsAsString, final Model model)
-        throws IOException {
-      var factory = TransformerFactory.newInstance();
-      var injectionXsl =
-          IOUtils.toString(
-              new InputStreamReader(
-                  Objects.requireNonNull(
-                      getClass().getResourceAsStream("/inject-dependency.xsl"),
-                      "dependency injection xsl not found")));
-      var xslt = new StreamSource(new StringReader(injectionXsl));
-      try {
-        var transformer = factory.newTransformer(xslt);
-        var text = new StreamSource(new StringReader(pomContentsAsString));
-        var sw = new StringWriter();
-        transformer.transform(text, new StreamResult(sw));
-        final String dependenciesBlock =
-            createDependency(projectGroup, projectArtifactId, projectVersion);
-        var transformedText = sw.toString();
-        transformedText = transformedText.replace("%PIXEE_DEPENDENCY_INFO%", dependenciesBlock);
-        return transformedText;
-      } catch (TransformerException e) {
-        throw new IOException(e);
-      }
-    }
-
-    private String createDependency(
-        final String group, final String artifact, final String version) {
-      StringBuilder sb = new StringBuilder();
-      sb.append(nl);
-      sb.append("    <dependencies>").append(nl);
-      sb.append("      <dependency>").append(nl);
-      sb.append("        <groupId>").append(group).append("</groupId>").append(nl);
-      sb.append("        <artifactId>").append(artifact).append("</artifactId>").append(nl);
-      sb.append("        <version>").append(version).append("</version>").append(nl);
-      sb.append("      </dependency>").append(nl);
-      sb.append("    </dependencies>").append(nl);
-      return sb.toString();
-    }
-  }
-
   @Override
   public WeavingResult visitRepositoryFile(
       final File repositoryRoot,
@@ -211,65 +117,70 @@ private Map<File, Set<DependencyGAV>> scan(
 
   @VisibleForTesting
   ChangedFile transformPomIfNeeded(final File file, final Set<DependencyGAV> dependenciesToAdd)
-      throws IOException, XmlPullParserException {
-    var pomContents = IOUtils.toString(new FileReader(file));
-    var reader = new MavenXpp3Reader();
-    var model = reader.read(new StringReader(pomContents));
-
-    boolean addedDependencies = false;
-    for (final DependencyGAV dependencyToAdd : dependenciesToAdd) {
-      var hasDependencyAlready =
-          model.getDependencies().stream()
-              .anyMatch(
-                  dep ->
-                      dependencyToAdd.group().equals(dep.getGroupId())
-                          && dependencyToAdd.artifact().equals(dep.getArtifactId()));
-
-      if (!hasDependencyAlready) {
-        LOG.debug("Adding dependency {}:{}", dependencyToAdd.group(), dependencyToAdd.artifact());
-        addedDependencies = true;
-        var dependency = new Dependency();
-        dependency.setArtifactId(dependencyToAdd.artifact());
-        dependency.setGroupId(dependencyToAdd.group());
-        dependency.setVersion(dependencyToAdd.version());
-        model.addDependency(dependency);
-      } else {
-        LOG.debug(
-            "Not weaving pom since it contained dependency {}:{}",
-            dependencyToAdd.group(),
-            dependencyToAdd.artifact());
-      }
-    }
-
-    if (!addedDependencies) {
-      LOG.debug("No new dependencies needed");
+      throws IOException {
+    /*
+     * Short-circuit things
+     */
+    if (null == dependenciesToAdd || dependenciesToAdd.isEmpty()) {
       return null;
     }
 
-    var rewrittenPomContents = pomRewriterStrategy.rewritePom(pomContents, model);
+    List<io.openpixee.maven.operator.Dependency> mappedDependencies =
+        dependenciesToAdd.stream()
+            .map(
+                dependencyGAV ->
+                    new io.openpixee.maven.operator.Dependency(
+                        dependencyGAV.group(),
+                        dependencyGAV.artifact(),
+                        dependencyGAV.version(),
+                        null,
+                        null,
+                        null))
+            .collect(Collectors.toList());
+
+    var originalPomContents =
+        IOUtils.readLines(new FileInputStream(file), Charset.defaultCharset());
+
+    final File lastPomFile = File.createTempFile("pom", ".xml");
+
+    IOUtils.copy(new FileInputStream(file), new FileOutputStream(lastPomFile));
+
+    mappedDependencies.forEach(
+        newDependency -> {
+          ProjectModel projectModel =
+              ProjectModelFactory.load(lastPomFile)
+                  .withDependency(newDependency)
+                  .withOverrideIfAlreadyExists(true)
+                  .withSkipIfNewer(true)
+                  .withUseProperties(true)
+                  .build();
+
+          boolean result = POMOperator.modify(projectModel);
+
+          if (result) {
+            try {
+              IOUtils.write(projectModel.getResultPom().asXML(), new FileOutputStream(lastPomFile));
+            } catch (IOException e) {
+              throw new RuntimeException(e);
+            }
+          }
+        });
 
-    File modifiedPom = File.createTempFile("pom", ".xml");
-    FileUtils.write(modifiedPom, rewrittenPomContents, StandardCharsets.UTF_8);
+    var finalPomContents =
+        IOUtils.readLines(new FileInputStream(lastPomFile), Charset.defaultCharset());
 
-    /*
-     * We have to calculate the line position to associate with this diff. This is already calculated when the final
-     * report is built later, so we should refactor.
-     *
-     * This is also wasteful because it duplicates reading the both files' contents into memory.
-     */
-    List<String> original = Files.readAllLines(file.toPath());
-    List<String> patched = Files.readAllLines(modifiedPom.toPath());
-    Patch<String> patch = DiffUtils.diff(original, patched);
-    if (patch.getDeltas().isEmpty()) {
-      LOG.warn("For some reason there was no pom delta");
+    if (finalPomContents.equals(originalPomContents)) {
       return null;
     }
 
+    Patch<String> patch = DiffUtils.diff(originalPomContents, finalPomContents);
+
     AbstractDelta<String> delta = patch.getDeltas().get(0);
     int position = 1 + delta.getSource().getPosition();
+
     return ChangedFile.createDefault(
         file.getAbsolutePath(),
-        modifiedPom.getAbsolutePath(),
+        lastPomFile.getAbsolutePath(),
         Weave.from(position, pomInjectionRuleId));
   }
 
diff --git a/src/test/java/io/openpixee/java/protections/DependencyGAVInjectingTest.java b/src/test/java/io/openpixee/java/protections/DependencyGAVInjectingTest.java
diff --git a/src/test/java/io/openpixee/java/protections/GitRepositoryTest.java b/src/test/java/io/openpixee/java/protections/GitRepositoryTest.java
diff --git a/src/test/java/io/openpixee/java/protections/WebGoat822Test.java b/src/test/java/io/openpixee/java/protections/WebGoat822Test.java

Original file line number	Diff line number	Diff line change
`@@ -146,8 +146,11 @@ private List<CodeTFResult> toCodeTFResults(`
`146`	`146`	`weave.changeCode(),`
`147`	`147`	`"fill description for " + weave.changeCode()))`
`148`	`148`	`.collect(Collectors.toList());`
`149`		`- CodeTFResult result = new CodeTFResult(path, diff, changes);`
`150`		`- codetfResults.add(result);`
	`149`	`+`
	`150`	`+ if (StringUtils.isNotBlank(diff)) {`
	`151`	`+ CodeTFResult result = new CodeTFResult(path, diff, changes);`
	`152`	`+ codetfResults.add(result);`
	`153`	`+ }`
`151`	`154`	`}`
`152`	`155`	`return Collections.unmodifiableList(codetfResults);`
`153`	`156`	`}`