ENT-12844 - Build default jars for snyk scans (#7914)

* Build default jars for snyk scans * Snyk-scanner JAR for corda capsule * Don't publish snyk-scanner jars * Unwound previous changes * Include more snyk-scanner jars; removed references to Snyk
2025-05-30 22:24:22 +00:00 · 2025-04-24 10:27:04 +01:00 · 2025-04-24 10:27:04 +01:00 · 910e6f3212
commit 910e6f3212
parent 66c44adc16
4 changed files with 48 additions and 4 deletions
--- a/build.gradle
+++ b/build.gradle
@ -755,12 +755,53 @@ artifactory {
        defaults {
            // Root project applies the plugin (for this block) but does not need to be published
            if (project != rootProject) {
-                publications(project.extensions.publish.name())
+                def pubNames = project.publishing.publications*.name
+                publications(pubNames.toArray(new String[0]))
            }
        }
    }
 }

+// Publish the default jar for fat-jar sub-modules that do not currently publish their dependencies.
+// These are not for external consumption.
+// We must generate a jar which has a pom.xml with a full dependency list for vulnerability tools to evaluate.
+subprojects {
+    afterEvaluate { project ->
+        // map project to actual jar name, since some sub-project jars are not
+        // published with the same name as their sub-project.
+        def projectDict = [
+                "testing:testserver": "corda-testserver",
+                "tools:explorer": "corda-tools-explorer",
+                "opentelemetry:opentelemetry-driver": "corda-opentelemetry-driver",
+                "tools:network-builder": "corda-tools-network-builder",
+                "node:capsule": "corda"
+        ]
+        def lookupName = "${project.parent.name}:${project.name}".toString()
+
+        if (projectDict.containsKey(lookupName)) {
+            apply plugin: 'maven-publish'
+            def jarName = projectDict[lookupName]
+            publishing {
+                publications {
+                    "$jarName-jarPublication"(MavenPublication) {
+                        from components.java
+                        artifactId = "$jarName-thin-with-deps"
+                        pom {
+                            name = "$jarName-thin-with-deps"
+                            description = "Corda ${project.name} for vulnerability checking."
+                        }
+                    }
+                }
+            }
+
+            jar {
+                archiveClassifier = 'R3-internal'
+            }
+        }
+    }
+}
+
+
 tasks.register('generateApi', net.corda.plugins.apiscanner.GenerateApi) {
    baseName = "api-corda"
 }
--- a/node/capsule/build.gradle
+++ b/node/capsule/build.gradle
@ -20,6 +20,9 @@ dependencies {
    capsuleRuntime "com.typesafe:config:$typesafe_config_version"
    compileOnly "com.typesafe:config:$typesafe_config_version"
    testRuntimeOnly "com.typesafe:config:$typesafe_config_version"
+    
+    // 'implementation' for the benefit of the snyk-scanner POM file
+    implementation "com.typesafe:config:$typesafe_config_version"

    // Capsule is a library for building independently executable fat JARs.
    // We only need this dependency to compile our Caplet against.
@ -30,7 +33,7 @@ dependencies {
    testImplementation "junit:junit:$junit_version"
 }

-jar.enabled = false
+jar.enabled = true

 capsule {
    version capsule_version
--- a/opentelemetry/opentelemetry-driver/build.gradle
+++ b/opentelemetry/opentelemetry-driver/build.gradle
@ -30,7 +30,7 @@ artifacts {
 }

 jar {
-    enabled = false
+    enabled = true
 }

 publish {
--- a/tools/network-builder/build.gradle
+++ b/tools/network-builder/build.gradle
@ -88,7 +88,7 @@ artifacts {
 }

 jar {
-    enabled = false
+    enabled = true
 }

 publish {