From 910e6f3212b3d5c9e5ceb90687bc8bfa8b28c04c Mon Sep 17 00:00:00 2001
From: Chris Cochrane <78791827+chriscochrane@users.noreply.github.com>
Date: Thu, 24 Apr 2025 10:27:04 +0100
Subject: [PATCH 1/3] ENT-12844 - Build default jars for snyk scans (#7914)

* Build default jars for snyk scans
* Snyk-scanner JAR for corda capsule
* Don't publish snyk-scanner jars
* Unwound previous changes
* Include more snyk-scanner jars; removed references to Snyk
---
 build.gradle | 43 ++++++++++++++++++-
 node/capsule/build.gradle | 5 ++-
 .../opentelemetry-driver/build.gradle | 2 +-
 tools/network-builder/build.gradle | 2 +-
 4 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/build.gradle b/build.gradle
index b4f3e793ab..d5f3b380ac 100644
--- a/build.gradle
+++ b/build.gradle
@@ -755,12 +755,53 @@ artifactory {
 defaults {
 // Root project applies the plugin (for this block) but does not need to be published
 if (project != rootProject) {
- publications(project.extensions.publish.name())
+ def pubNames = project.publishing.publications*.name
+ publications(pubNames.toArray(new String[0]))
 }
 }
 }
 }
+// Publish the default jar for fat-jar sub-modules that do not currently publish their dependencies.
+// These are not for external consumption.
+// We must generate a jar which has a pom.xml with a full dependency list for vulnerability tools to evaluate.
+subprojects {
+ afterEvaluate { project ->
+ // map project to actual jar name, since some sub-project jars are not
+ // published with the same name as their sub-project.
+ def projectDict = [
+ "testing:testserver": "corda-testserver",
+ "tools:explorer": "corda-tools-explorer",
+ "opentelemetry:opentelemetry-driver": "corda-opentelemetry-driver",
+ "tools:network-builder": "corda-tools-network-builder",
+ "node:capsule": "corda"
+ ]
+ def lookupName = "${project.parent.name}:${project.name}".toString()
+
+ if (projectDict.containsKey(lookupName)) {
+ apply plugin: 'maven-publish'
+ def jarName = projectDict[lookupName]
+ publishing {
+ publications {
+ "$jarName-jarPublication"(MavenPublication) {
+ from components.java
+ artifactId = "$jarName-thin-with-deps"
+ pom {
+ name = "$jarName-thin-with-deps"
+ description = "Corda ${project.name} for vulnerability checking."
+ }
+ }
+ }
+ }
+
+ jar {
+ archiveClassifier = 'R3-internal'
+ }
+ }
+ }
+}
+
+
 
 tasks.register('generateApi', net.corda.plugins.apiscanner.GenerateApi) {
 baseName = "api-corda"
 }
diff --git a/node/capsule/build.gradle b/node/capsule/build.gradle
index 2eb546be0d..95bc656024 100644
--- a/node/capsule/build.gradle
+++ b/node/capsule/build.gradle
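Review bot: The header comment on the new `subprojects` block says these thin-with-deps jars are not for external consumption, but the `artifactory { defaults }` change above now publishes `project.publishing.publications*.name` — every publication, including the `$jarName-jarPublication` registered below — so nothing in the hunk actually keeps them internal; either filter them out of `pubNames` (e.g. `.findAll { !it.endsWith('-jarPublication') }`) or reword the comment to say they are published to the configured Artifactory repository for scanning only. Switching the lookup to `project.publishing` also assumes every subproject that reaches this `defaults` closure has `maven-publish` applied, where `project.extensions.publish.name()` only needed the project's own `publish` extension; worth confirming no subproject applies the artifactory plugin without it. Patch 2 of this series adds the same `projectDict` and publication block to `buildSrc/src/main/groovy/corda.common-publishing.gradle` without removing this copy, so a matching subproject would have `$jarName-jarPublication` registered twice and its `jar` classifier set twice; I'd expect Gradle to reject the duplicate publication name, so one of the two copies should go. The `artifactory` block this hunk edits starts before the hunk.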
@@ -20,6 +20,9 @@ dependencies {
 capsuleRuntime "com.typesafe:config:$typesafe_config_version"
 compileOnly "com.typesafe:config:$typesafe_config_version"
 testRuntimeOnly "com.typesafe:config:$typesafe_config_version"
+
+ // 'implementation' for the benefit of the snyk-scanner POM file
+ implementation "com.typesafe:config:$typesafe_config_version"
 
 // Capsule is a library for building independently executable fat JARs.
 // We only need this dependency to compile our Caplet against.
@@ -30,7 +33,7 @@ dependencies {
 testImplementation "junit:junit:$junit_version"
 }
 
-jar.enabled = false
+jar.enabled = true
 
 capsule {
 version capsule_version
diff --git a/opentelemetry/opentelemetry-driver/build.gradle b/opentelemetry/opentelemetry-driver/build.gradle
index 1b7e768696..d6cb4ebf0d 100644
--- a/opentelemetry/opentelemetry-driver/build.gradle
+++ b/opentelemetry/opentelemetry-driver/build.gradle
@@ -30,7 +30,7 @@ artifacts {
 }
 
 jar {
- enabled = false
+ enabled = true
 }
 
 publish {
diff --git a/tools/network-builder/build.gradle b/tools/network-builder/build.gradle
index 51ec4d6339..72c80ba8ea 100644
--- a/tools/network-builder/build.gradle
+++ b/tools/network-builder/build.gradle
@@ -88,7 +88,7 @@ artifacts {
 }
 
 jar {
- enabled = false
+ enabled = true
 }
 
 publish {

From 7644bcc3f3f0806a5b7d91a618d16229b98eb9de Mon Sep 17 00:00:00 2001
From: chriscochrane
Date: Thu, 1 May 2025 17:11:15 +0100
Subject: [PATCH 2/3] Fwd-merged changes from 4.11

---
 .../groovy/corda.common-publishing.gradle | 34 +++++++++++++++++++
 .../opentelemetry-driver/build.gradle | 1 -
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/buildSrc/src/main/groovy/corda.common-publishing.gradle b/buildSrc/src/main/groovy/corda.common-publishing.gradle
index 20b2d4be8d..a7bb600ab7 100644
--- a/buildSrc/src/main/groovy/corda.common-publishing.gradle
+++ b/buildSrc/src/main/groovy/corda.common-publishing.gradle
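Review bot: `jar.enabled = true` in the second node/capsule hunk, and the identical `enabled = true` lines in the opentelemetry/opentelemetry-driver and tools/network-builder hunks, silently reverse a deliberate `enabled = false` with no local explanation; the only rationale is the `afterEvaluate` block in the root build.gradle, which a reader of these module files will not see. A one-line comment above each, such as `// Enabled only so the root build can publish the thin jar with a full-dependency POM for vulnerability scanning; the fat/capsule jar is still the shipped artifact.`, would keep the next maintainer from switching it back off. Enabling the default jar also changes what `components.java` carries, which is presumably why patch 2 of this series removes `from components.java` from the opentelemetry-driver shadow publication; tools/network-builder gets the same `enabled = true` but no such follow-up, so its `publish` block (whose body is outside the hunk) is worth checking for the same line. For node/capsule the `dependencies` block of the first hunk starts before the hunk, and `jar.enabled` is a top-level statement.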
@@ -36,6 +36,40 @@ if (System.getenv('CORDA_ARTIFACTORY_USERNAME') != null || project.hasProperty('
 }
 }
 }
+
+ // Publish the default jar for fat-jar sub-modules that do not currently publish their dependencies.
+ // These are not for external consumption.
+ // We must generate a jar which has a pom.xml with a full dependency list for vulnerability tools to evaluate.
+ // Only do this for builds done within R3.
+ def projectDict = [
+ "testing:testserver": "corda-testserver",
+ "tools:explorer": "corda-tools-explorer",
+ "opentelemetry:opentelemetry-driver": "corda-opentelemetry-driver",
+ "tools:network-builder": "corda-tools-network-builder",
+ "node:capsule": "corda"
+ ]
+ def lookupName = "${project.parent.name}:${project.name}".toString()
+
+ if (projectDict.containsKey(lookupName)) {
+ pluginManager.apply('maven-publish')
+ def jarName = projectDict[lookupName]
+ publishing {
+ publications {
+ "$jarName-jarPublication"(MavenPublication) {
+ from components.java
+ artifactId = "$jarName-thin-with-deps"
+ pom {
+ name = "$jarName-thin-with-deps"
+ description = "Corda ${project.name} for vulnerability checking."
+ }
+ }
+ }
+ }
+
+ jar {
+ archiveClassifier = 'R3-internal'
+ }
+ }
 }
 } else {
 logger.info("External user - using standard maven publishing")
diff --git a/opentelemetry/opentelemetry-driver/build.gradle b/opentelemetry/opentelemetry-driver/build.gradle
index 74496d7955..9911f8a5c7 100644
--- a/opentelemetry/opentelemetry-driver/build.gradle
+++ b/opentelemetry/opentelemetry-driver/build.gradle
@@ -26,7 +26,6 @@ publishing {
 shadow(MavenPublication) { publication ->
 artifactId 'corda-opentelemetry-driver'
 artifact shadowJar
- from components.java
 }
 }
 }

From 92326343f0ab4c2055d53d43e7461240be4cacaf Mon Sep 17 00:00:00 2001
From: chriscochrane
Date: Fri, 2 May 2025 10:31:28 +0100
Subject: [PATCH 3/3] Updated comment

---
 node/capsule/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

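Review bot: `"${project.parent.name}:${project.name}"` dereferences `project.parent` with no null check; in patch 1 the same line sat inside `subprojects {}`, where a parent always exists, but this convention plugin can be applied to any project, and on the root project `project.parent` is null, so evaluation would fail there. Keying the table on `project.path` avoids that and also distinguishes same-named projects under different parents: `def projectDict = [":testing:testserver": "corda-testserver", ":tools:explorer": "corda-tools-explorer", ...]` with `if (projectDict.containsKey(project.path))` and `def jarName = projectDict[project.path]`. Whether any build actually applies this plugin to the root is not visible here, so treat this as hardening rather than a reproduced failure. The enclosing `if (System.getenv('CORDA_ARTIFACTORY_USERNAME') ...)` block starts before this hunk; its `else` branch is in the hunk's trailing context.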
diff --git a/node/capsule/build.gradle b/node/capsule/build.gradle
index ed503f0395..daeabb9ef3 100644
--- a/node/capsule/build.gradle
+++ b/node/capsule/build.gradle
@@ -22,7 +22,7 @@ dependencies {
 compileOnly "com.typesafe:config:$typesafe_config_version"
 testRuntimeOnly "com.typesafe:config:$typesafe_config_version"
 
- // 'implementation' for the benefit of the snyk-scanner POM file
+ // 'implementation' for the benefit of the security-scannable POM file
 implementation "com.typesafe:config:$typesafe_config_version"
 
 // Capsule is a library for building independently executable fat JARs.