io.github.chains_project.maven_lockfile.AbstractLockfileMojo Maven / Gradle / Ivy

Go to download

Show more of this group Show more artifacts with this name
Show all versions of maven-lockfile Show documentation

This plugin is a state-of-the-art solution that can be used to validate the integrity of a maven repository. It does this by generating a lock file that contains the checksums of all the artifacts in the repository. The lock file can then be used to validate the integrity of the repository. This guards the supply chain against malicious actors that might tamper with the artifacts in the repository.

The newest version!

package io.github.chains_project.maven_lockfile;

import com.google.common.base.Strings;
import io.github.chains_project.maven_lockfile.checksum.AbstractChecksumCalculator;
import io.github.chains_project.maven_lockfile.checksum.FileSystemChecksumCalculator;
import io.github.chains_project.maven_lockfile.checksum.RemoteChecksumCalculator;
import io.github.chains_project.maven_lockfile.data.Config;
import io.github.chains_project.maven_lockfile.data.Environment;
import org.apache.maven.execution.MavenSession;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecution;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugins.annotations.Component;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.project.DefaultProjectBuildingRequest;
import org.apache.maven.project.MavenProject;
import org.apache.maven.project.ProjectBuildingRequest;
import org.apache.maven.shared.dependency.graph.DependencyCollectorBuilder;
import org.apache.maven.shared.transfer.dependencies.resolve.DependencyResolver;

public abstract class AbstractLockfileMojo extends AbstractMojo {

    /**
     * The Maven project for which we are generating a lock file.
     */
    @Parameter(defaultValue = "${project}", readonly = true, required = true)
    protected MavenProject project;

    @Parameter(defaultValue = "${session}", readonly = true, required = true)
    protected MavenSession session;

    /**
     * The dependency collector builder to use.
     */
    @Component(hint = "default")
    protected DependencyCollectorBuilder dependencyCollectorBuilder;

    @Component
    protected DependencyResolver dependencyResolver;

    @Parameter(property = "includeMavenPlugins", defaultValue = "false")
    protected String includeMavenPlugins;

    @Parameter(property = "allowValidationFailure", defaultValue = "false")
    protected String allowValidationFailure;

    @Parameter(property = "includeEnvironment", defaultValue = "true")
    protected String includeEnvironment;

    @Parameter(defaultValue = "${maven.version}")
    protected String mavenVersion;

    @Parameter(defaultValue = "${java.version}")
    protected String javaVersion;

    @Parameter(property = "checksumAlgorithm")
    protected String checksumAlgorithm;

    @Parameter(defaultValue = "maven_local", property = "checksumMode")
    protected String checksumMode;

    @Parameter(property = "reduced")
    protected String reduced;

    @Parameter(defaultValue = "false", property = "skip")
    protected String skip;

    @Parameter(defaultValue = "${mojoExecution}", readonly = true)
    protected MojoExecution mojo;

    protected Environment generateMetaInformation() {
        String osName = System.getProperty("os.name");
        return new Environment(osName, mavenVersion, javaVersion);
    }

    protected AbstractChecksumCalculator getChecksumCalculator() throws MojoExecutionException {
        ProjectBuildingRequest buildingRequest = new DefaultProjectBuildingRequest(session.getProjectBuildingRequest());
        if (checksumMode.equals("maven_local")) {
            return new FileSystemChecksumCalculator(dependencyResolver, buildingRequest, checksumAlgorithm);
        } else if (checksumMode.equals("maven_central")) {
            return new RemoteChecksumCalculator(checksumAlgorithm);
        } else {
            throw new MojoExecutionException("Invalid checksum mode: " + checksumMode);
        }
    }

    protected AbstractChecksumCalculator getChecksumCalculator(Config config) throws MojoExecutionException {
        ProjectBuildingRequest buildingRequest = new DefaultProjectBuildingRequest(session.getProjectBuildingRequest());
        switch (config.getChecksumMode()) {
            case "maven_local":
                return new FileSystemChecksumCalculator(
                        dependencyResolver, buildingRequest, config.getChecksumAlgorithm());
            case "maven_central":
                return new RemoteChecksumCalculator(config.getChecksumAlgorithm());
            default:
                throw new MojoExecutionException("Invalid checksum mode: " + config.getChecksumMode());
        }
    }

    protected Config getConfig() {
        String chosenAlgo = Strings.isNullOrEmpty(checksumAlgorithm) ? "SHA-256" : checksumAlgorithm;
        String chosenMode = Strings.isNullOrEmpty(checksumMode) ? "maven_local" : checksumMode;
        return new Config(
                Boolean.parseBoolean(includeMavenPlugins),
                Boolean.parseBoolean(allowValidationFailure),
                Boolean.parseBoolean(includeEnvironment),
                Boolean.parseBoolean(reduced),
                mojo.getPlugin().getVersion(),
                chosenMode,
                chosenAlgo);
    }
}