up

ops/devops/scanner-java/package-analyzer.sh

@@ -0,0 +1,89 @@
+#!/usr/bin/env bash
+# Package Java analyzer plugin for release/offline distribution
+# Usage: ./package-analyzer.sh [version] [output-dir]
+# Example: ./package-analyzer.sh 2025.10.0 ./dist
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
+
+VERSION="${1:-$(date +%Y.%m.%d)}"
+OUTPUT_DIR="${2:-${SCRIPT_DIR}/../artifacts/scanner-java}"
+PROJECT_PATH="src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/StellaOps.Scanner.Analyzers.Lang.Java.csproj"
+
+# Freeze timestamps for reproducibility
+export SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-1704067200}
+
+echo "==> Packaging Java analyzer v${VERSION}"
+mkdir -p "${OUTPUT_DIR}"
+
+# Build for all target RIDs
+RIDS=("linux-x64" "linux-arm64" "osx-x64" "osx-arm64" "win-x64")
+
+for RID in "${RIDS[@]}"; do
+  echo "==> Building for ${RID}..."
+  dotnet publish "${REPO_ROOT}/${PROJECT_PATH}" \
+    --configuration Release \
+    --runtime "${RID}" \
+    --self-contained false \
+    --output "${OUTPUT_DIR}/java-analyzer-${VERSION}-${RID}" \
+    /p:Version="${VERSION}" \
+    /p:PublishTrimmed=false \
+    /p:DebugType=None
+done
+
+# Create combined archive
+ARCHIVE_NAME="scanner-java-analyzer-${VERSION}"
+echo "==> Creating archive ${ARCHIVE_NAME}.tar.gz..."
+cd "${OUTPUT_DIR}"
+tar -czf "${ARCHIVE_NAME}.tar.gz" java-analyzer-${VERSION}-*/
+
+# Generate checksums
+echo "==> Generating checksums..."
+sha256sum "${ARCHIVE_NAME}.tar.gz" > "${ARCHIVE_NAME}.tar.gz.sha256"
+for RID in "${RIDS[@]}"; do
+  (cd "java-analyzer-${VERSION}-${RID}" && sha256sum *.dll *.json 2>/dev/null > ../java-analyzer-${VERSION}-${RID}.sha256 || true)
+done
+
+# Generate SBOM if syft available
+if command -v syft &>/dev/null; then
+  echo "==> Generating SBOM..."
+  syft dir:"${OUTPUT_DIR}/java-analyzer-${VERSION}-linux-x64" -o spdx-json > "${OUTPUT_DIR}/${ARCHIVE_NAME}.spdx.json"
+  syft dir:"${OUTPUT_DIR}/java-analyzer-${VERSION}-linux-x64" -o cyclonedx-json > "${OUTPUT_DIR}/${ARCHIVE_NAME}.cdx.json"
+fi
+
+# Sign if cosign available
+if command -v cosign &>/dev/null && [[ -n "${COSIGN_KEY:-}" ]]; then
+  echo "==> Signing archive..."
+  cosign sign-blob --key "${COSIGN_KEY}" "${ARCHIVE_NAME}.tar.gz" > "${ARCHIVE_NAME}.tar.gz.sig"
+fi
+
+# Create manifest
+cat > "${OUTPUT_DIR}/manifest.json" <<EOF
+{
+  "analyzer": "scanner-java",
+  "version": "${VERSION}",
+  "archive": "${ARCHIVE_NAME}.tar.gz",
+  "checksumFile": "${ARCHIVE_NAME}.tar.gz.sha256",
+  "rids": $(printf '%s\n' "${RIDS[@]}" | jq -R . | jq -s .),
+  "sbom": {
+    "spdx": "${ARCHIVE_NAME}.spdx.json",
+    "cyclonedx": "${ARCHIVE_NAME}.cdx.json"
+  },
+  "createdAt": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
+  "sourceDateEpoch": "${SOURCE_DATE_EPOCH}",
+  "components": [
+    "Maven/Gradle parsing",
+    "JAR/WAR/EAR analysis",
+    "Java callgraph builder",
+    "JNI native bridge detection",
+    "Service provider scanning",
+    "Shaded JAR detection"
+  ]
+}
+EOF
+
+echo "==> Java analyzer packaged to ${OUTPUT_DIR}"
+echo "    Archive: ${ARCHIVE_NAME}.tar.gz"
+echo "    RIDs: ${RIDS[*]}"