Merge pull request #72 from SoftwareDesignLab/dev

Add new features and bug fixes for v3.2.0

README.md

@@ -1,16 +1,15 @@
 # PlugFest Tooling
 > A collection of tools to compare the usage and quality of different SBOM generators
 >
-> ## v3.1.0 -- 5/2/23
+> ## v3.2.0 -- 5/9/23
 > ### API
-> - Fixed bug that prevented non-ASCII characters from being processed
+> - Fixed another bug preventing non-ASCII characters from being processed
 > ### Comparison
-> - Fix bug that showed duplicate UIDs in the comparison report
+> - Allow marking of components as appearing in target SBOM
 > ### Metrics
-> - Added support for non-ASCII characters when pulling from package manager databases
-> - Remove all empty tests to prevent duplicated component lists
+> - Fix bug causing formatting issues with the data verification test
 > ### GUI
-> - Display which SBOM an identifier or quality came from
+> - Added individual loading spinners for each uploaded SBOM
 
 ## Differ
 - Compares two SBOMs supporting CycloneDX XML and SPDX Tag-Value
@@ -24,36 +23,56 @@
   - SWIDs
 - Summarizes the report in a Unix-diff-like print
 
-## Metrics
-- Appropriate Amount Test
-  - Checks to ensure that each attribute within an SBOM does not exceed the maximum line length in Java
+## Comparison
+- Generate detailed DiffReports from a target SBOM and a list of SBOMs. 
+
+## Quality Attributes
+- Actionable Test
+  - Tests fields to ensure data contained is usable.
 - Completeness Test
   - Checks to make sure components have a name, publisher, version
   - Checks if attributes are formatted correctly and checks CPE and PURL formatting 
-- Timeliness Test
+- Data Verification Test
   - Uses PURLs to search for information about the package using package manager APIs
   - Confirms that name and publisher match resource
   - Also checks to see if the assigned version number exists in resource
-
+
+## Translator
+- Parse SBOMS from files and deserialize from formats:
+  - CycloneDX
+    > .xml and .json
+  - SPDX
+    > .spdx
 ## System Requirements
 - Java 17
   > Check: `java -version`
 
 ## Quick Start
-1. `./gradlew jar`
-2. `java -jar app.jar [OPTIONS]`
+### Backend
+1. `./gradlew bootJar`
+2. `java -jar .\api\build\libs\api-3.1.0.jar`
+### Frontend
+1. `cd gui`
+2. `npm install`
+3. `npm start`
 
 ## Contributors
-- [Derek Garcia](mailto:dlg1206@rit.edu)
-- [Matt London](mailto:mrl2534@rit.edu)
+**Principal Investigator:** [Mehdi Mirakhorli](mailto:mxmvse@rit.edu)
+
+**Senior Project Manager:** [Chris Enoch](mailto:ctevse@rit.edu)
+
+**Senior Developer Team Lead:** [Derek Garcia](mailto:dlg1206@rit.edu)
+
+**Developer Team Leads**
 - [Tina DiLorenzo](mailto:tnd3015@rit.edu)
+- [Matt London](mailto:mrl2534@rit.edu)
+- [Dylan Mulligan](mailto:dtm5568@rit.edu)
+
+**Developer Team**
 - [Tyler Drake](mailto:txd3634@rit.edu)
+- [Ian Dunn](mailto:itd3516@rit.edu)
 - [Asa Horn](mailto:aoh9470@rit.edu)
 - [Justin Jantzi](mailto:jwj7297@rit.edu)
+- [Henry Orsagh](mailto:hco4630@rit.edu)
 - [Juan Francisco Patino](mailto:jfp6815@rit.edu)
 - [Max Stein](mailto:mhs8558@rit.edu)
-- [Ian Dunn](mailto:itd3516@rit.edu)
-- [Henry Keena](mailto:htk4363@rit.edu)
-- [Henry Lu](mailto:hyl2415@rit.edu)
-- [Chris Enoch](mailto:cte6149@rit.edu)
-- [Ping Liu](mailto:htk4363@rit.edu)

api/build.gradle

@@ -5,7 +5,7 @@ plugins {
 }
 
 group = 'org.nvip.plugfest'
-version = '1.0'
+version = '3.1.0'
 
 application {
     mainClassName = 'org.nvip.plugfest.tooling.APIApplication'

api/src/main/java/org/nvip/plugfest/tooling/APIApplication.java

@@ -3,9 +3,13 @@
 import org.springframework.boot.WebApplicationType;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
+import org.springframework.boot.web.server.WebServerFactoryCustomizer;
+import org.springframework.context.annotation.Bean;
 
 /**
  * This class contains the main function which runs the API as a spring boot application
+ * @author Justin Jantzi
  */
 @SpringBootApplication
 public class APIApplication {
@@ -14,4 +18,16 @@ public static void main(String[] args) {
                 .web(WebApplicationType.SERVLET) //This is required to prevent "No valid webserver" error.
                 .run(args);
     }
-}
+
+    /***
+     * Overwrites the default max post size default of 2MB
+     */
+    @Bean
+    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> tomcatCustomizer() {
+        return (factory) -> {
+            factory.addConnectorCustomizers((connector) -> {
+                connector.setMaxPostSize(Integer.MAX_VALUE); //About 2GB
+            });
+        };
+    }
+}

api/src/main/java/org/nvip/plugfest/tooling/APIController.java

@@ -2,6 +2,7 @@
 
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.servlet.http.HttpServletRequest;
 import org.nvip.plugfest.tooling.differ.Comparison;
 import org.nvip.plugfest.tooling.qa.QAPipeline;
 import org.nvip.plugfest.tooling.qa.QualityReport;
@@ -86,7 +87,14 @@ public ResponseEntity<Comparison> compare(@RequestParam("contents") String conte
      * @return - wrapped QualityReport object, null if failed
      */
     @PostMapping("qa")
-    public ResponseEntity<QualityReport> qa(@RequestParam("contents") String contents, @RequestParam("fileName") String fileName) {
+    public ResponseEntity<QualityReport> qa(@RequestParam("contents") String contents, @RequestParam("fileName") String fileName, HttpServletRequest servletRequest) {
+        try {
+            servletRequest.setCharacterEncoding("UTF-8");
+        }
+        catch (Exception e) {
+            // This will not happen as we are hardcoding UTF-8
+            System.out.println("Failed to set encoding");
+        }
 
         SBOM sbom = TranslatorPlugFest.translateContents(contents, fileName);
 

changelog.md

@@ -1,5 +1,15 @@
 # Plugfest Changelog
 
+## v3.2.0 -- 5/9/23
+### API
+- Fixed another bug preventing non-ASCII characters from being processed
+### Comparison
+- Allow marking of components as appearing in target SBOM
+### Metrics
+- Fix bug causing formatting issues with the data verification test
+### GUI
+- Added individual loading spinners for each uploaded SBOM
+
 ## v3.1.0 -- 5/2/23
 ### API
 - Fixed bug that prevented non-ASCII characters from being processed

core/src/main/java/org/nvip/plugfest/tooling/differ/Comparison.java

@@ -96,7 +96,17 @@ public void assignComponents(SBOM current_sbom, int SBOM_index) {
                 // Get all ComponentVersions that match the temporary ComponentVersion's version
                 List<ComponentVersion> matching_cv_list = current_cv_list
                         .stream()
-                        .filter(x -> (Objects.equals(x.getComponentVersion(), current_component.getVersion()) || x.getComponentVersion().contains(current_component.getVersion())))
+                        .filter(x -> {
+                            boolean objEqual = Objects.equals(x.getComponentVersion(), current_component.getVersion());
+                            boolean someNull = x.getComponentVersion() == null || current_component.getVersion() == null;
+                            // This means one of the versions is null and the other is not
+                            if (someNull && !objEqual) {
+                                return false;
+                            }
+                            boolean containsCurrent = x.getComponentVersion() != null && x.getComponentVersion().contains(current_component.getVersion());
+                            boolean containsX = current_component.getVersion() != null && current_component.getVersion().contains(x.getComponentVersion());
+                            return objEqual || containsCurrent || containsX;
+                        })
                         .toList();
 
                 // If there are no matching ComponentVersion objects in the Set for that package name

core/src/main/java/org/nvip/plugfest/tooling/qa/processors/CompletenessTest.java

@@ -51,10 +51,11 @@ protected CompletenessTest() {
         this.publisherEmailRegex = Pattern.compile("(?:(Person|Organization)?: (.*?))? ?<?(\\S+@\\S+\\.[^\\s>]+)>?", Pattern.MULTILINE);
 
         /*
-            Regex101: https://regex101.com/r/wzJeIq/4
+            Regex101: https://regex101.com/r/BjMJCP/1
             Checks if version is in form: "12.*" | "4:*", version format varies a lot
+            Also supports git commit hashes (for example docker compose uses this)
          */
-        this.componentVersionRegex = Pattern.compile("^([0-9]+[\\.:\\-].*)", Pattern.MULTILINE);
+        this.componentVersionRegex = Pattern.compile("^(v?[0-9]+[\\.:\\-].*|[0-9a-fA-F]{7,40})$", Pattern.MULTILINE);
 
         // TODO for these patterns: check if name, version, etc matches component name, version, etc. Make classes?
 

core/src/main/java/org/nvip/plugfest/tooling/qa/processors/DataVerificationTest.java

@@ -73,16 +73,16 @@ public TestResults test(Component c) {
 
                 // check whatever is online at least contains this component, or vice versa
                 if(name == null || !((name.contains(nameFoundOnline)|| nameFoundOnline.contains(name))))
-                    testResults.addTest(new Test(false, "Name ", name, "does not match ",
-                            nameFoundOnline, " in ", packageManagerName));
+                    testResults.addTest(new Test(false, "Name '", name, "' does not match '",
+                            nameFoundOnline, "' in ", packageManagerName));
 
                 if(version == null || !versionFoundOnline.contains(version))
-                    testResults.addTest(new Test(false,"Version ",version," not found in ",
+                    testResults.addTest(new Test(false,"Version '",version,"' not found in ",
                             packageManagerName, " database"));
 
                 if(!((publisher.contains(publisherFoundOnline)|| publisherFoundOnline.contains(publisher))))
-                    testResults.addTest(new Test(false,"Publisher Name ", publisher,
-                            " does not match ", publisherFoundOnline," in ", packageManagerName, " database"));
+                    testResults.addTest(new Test(false,"Publisher Name '", publisher,
+                            "' does not match '", publisherFoundOnline,"' in ", packageManagerName, " database"));
             }
             catch(IOException e){
                 testResults.addTest(new Test(true,"Error accessing ",