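#!/usr/bin/env bash
# Package the Java analyzer plugin for release/offline distribution.
#
# Usage:   ./package-analyzer.sh [version] [output-dir]
# Example: ./package-analyzer.sh 2025.10.0 ./dist
#
# Required tools: dotnet, GNU tar (>= 1.28, for --sort=name), gzip, sha256sum.
# Optional tools: syft (SBOM generation), cosign + COSIGN_KEY (signing).
# Environment:
#   SOURCE_DATE_EPOCH  mtime stamped into the archive; defaults to 1704067200
#                      (2024-01-01T00:00:00Z) so repeated runs give the same tarball.
#   COSIGN_KEY         cosign private key reference; signing is skipped when unset.
set -euo pipefail

# Deterministic glob and sort ordering regardless of the caller's locale, so
# checksum files and the tar member order do not depend on the build host.
export LC_ALL=C

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
VERSION="${1:-$(date +%Y.%m.%d)}"
OUTPUT_DIR="${2:-${SCRIPT_DIR}/../artifacts/scanner-java}"
PROJECT_PATH="src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/StellaOps.Scanner.Analyzers.Lang.Java.csproj"

# VERSION comes from argv and is spliced into directory names, the tar member
# list, an MSBuild property and the JSON manifest; restrict it to characters
# that are safe in all four (no '/', whitespace or quotes).
[[ "${VERSION}" =~ ^[A-Za-z0-9][A-Za-z0-9._+-]*$ ]] \
  || die "invalid version '${VERSION}' (allowed: letters, digits, . _ + -)"

for tool in dotnet tar gzip sha256sum; do
  command -v "${tool}" >/dev/null 2>&1 || die "required tool not found: ${tool}"
done

# Freeze timestamps for reproducibility
export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-1704067200}"

printf '==> Packaging Java analyzer v%s\n' "${VERSION}"
mkdir -p "${OUTPUT_DIR}"
# Resolve to an absolute path now: the script cd's into OUTPUT_DIR below and
# keeps using "${OUTPUT_DIR}/..." paths afterwards, which would point at the
# wrong place for a relative argument such as the ./dist in the usage example.
OUTPUT_DIR="$(cd "${OUTPUT_DIR}" && pwd)"

# Build for all target RIDs
RIDS=("linux-x64" "linux-arm64" "osx-x64" "osx-arm64" "win-x64")
RID_DIRS=()
for RID in "${RIDS[@]}"; do
  rid_dir="${OUTPUT_DIR}/java-analyzer-${VERSION}-${RID}"
  printf '==> Building for %s...\n' "${RID}"
  # dotnet publish does not clear --output; remove any previous build so
  # stale files cannot ride along into the archive and the checksum files.
  rm -rf -- "${rid_dir:?}"
  dotnet publish "${REPO_ROOT}/${PROJECT_PATH}" \
    --configuration Release \
    --runtime "${RID}" \
    --self-contained false \
    --output "${rid_dir}" \
    /p:Version="${VERSION}" \
    /p:PublishTrimmed=false \
    /p:DebugType=None
  RID_DIRS+=("java-analyzer-${VERSION}-${RID}")
done

# Create combined archive
ARCHIVE_NAME="scanner-java-analyzer-${VERSION}"
printf '==> Creating archive %s.tar.gz...\n' "${ARCHIVE_NAME}"
cd "${OUTPUT_DIR}"
# Archive exactly the directories built in this run (a glob would also sweep
# up leftovers from earlier runs). Sorted members, a fixed mtime, numeric
# root ownership and gzip -n (no embedded timestamp/name) make the tarball
# byte-identical across runs, which is what makes the .sha256 meaningful.
tar --sort=name \
    --mtime="@${SOURCE_DATE_EPOCH}" \
    --owner=0 --group=0 --numeric-owner \
    -cf - "${RID_DIRS[@]}" | gzip -n > "${ARCHIVE_NAME}.tar.gz"

# Generate checksums
printf '==> Generating checksums...\n'
sha256sum "${ARCHIVE_NAME}.tar.gz" > "${ARCHIVE_NAME}.tar.gz.sha256"
for RID in "${RIDS[@]}"; do
  rid_dir_name="java-analyzer-${VERSION}-${RID}"
  # Hash every regular file in the publish dir (glob order is stable under
  # LC_ALL=C). An empty publish dir aborts the run instead of silently
  # producing an empty checksum file.
  (
    cd "${rid_dir_name}"
    shopt -s nullglob
    files=()
    for f in *; do
      if [[ -f "${f}" ]]; then
        files+=("${f}")
      fi
    done
    (( ${#files[@]} > 0 )) || die "no files published for ${RID} in ${rid_dir_name}"
    sha256sum -- "${files[@]}" > "../${rid_dir_name}.sha256"
  )
done

# Generate SBOM if syft available. Manifest fields stay JSON null when the
# files were not produced, so consumers are never pointed at a missing file.
SBOM_SPDX=null
SBOM_CDX=null
if command -v syft >/dev/null 2>&1; then
  printf '==> Generating SBOM...\n'
  # Only the linux-x64 publish output is scanned; the SBOM describes that
  # directory, not every RID in the archive.
  sbom_input="dir:${OUTPUT_DIR}/java-analyzer-${VERSION}-linux-x64"
  syft "${sbom_input}" -o spdx-json > "${OUTPUT_DIR}/${ARCHIVE_NAME}.spdx.json"
  syft "${sbom_input}" -o cyclonedx-json > "${OUTPUT_DIR}/${ARCHIVE_NAME}.cdx.json"
  SBOM_SPDX="\"${ARCHIVE_NAME}.spdx.json\""
  SBOM_CDX="\"${ARCHIVE_NAME}.cdx.json\""
else
  printf '==> syft not found; skipping SBOM generation\n' >&2
fi

# Sign if cosign available
SIGNATURE=null
if command -v cosign >/dev/null 2>&1 && [[ -n "${COSIGN_KEY:-}" ]]; then
  printf '==> Signing archive...\n'
  # The signature covers the tarball only (not manifest.json or the SBOMs).
  # Verify with: cosign verify-blob --key <pub> --signature <sig> <archive>
  cosign sign-blob --key "${COSIGN_KEY}" \
    --output-signature "${ARCHIVE_NAME}.tar.gz.sig" \
    "${ARCHIVE_NAME}.tar.gz"
  SIGNATURE="\"${ARCHIVE_NAME}.tar.gz.sig\""
else
  printf '==> cosign or COSIGN_KEY not available; archive left unsigned\n' >&2
fi

# RIDs as a JSON array, built in bash so the manifest does not depend on jq
# (a missing jq would otherwise leave an invalid "rids": , in the file).
# RIDS are fixed literals with no characters that need JSON escaping.
rids_json="$(printf '"%s",' "${RIDS[@]}")"
rids_json="[${rids_json%,}]"

# Create manifest. createdAt is wall-clock, so manifest.json itself is not
# byte-reproducible even though the archive is.
cat > "${OUTPUT_DIR}/manifest.json" <<EOF
{
  "analyzer": "scanner-java",
  "version": "${VERSION}",
  "archive": "${ARCHIVE_NAME}.tar.gz",
  "checksumFile": "${ARCHIVE_NAME}.tar.gz.sha256",
  "signature": ${SIGNATURE},
  "rids": ${rids_json},
  "sbom": {
    "spdx": ${SBOM_SPDX},
    "cyclonedx": ${SBOM_CDX}
  },
  "createdAt": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
  "sourceDateEpoch": "${SOURCE_DATE_EPOCH}",
  "components": [
    "Maven/Gradle parsing",
    "JAR/WAR/EAR analysis",
    "Java callgraph builder",
    "JNI native bridge detection",
    "Service provider scanning",
    "Shaded JAR detection"
  ]
}
EOF

printf '==> Java analyzer packaged to %s\n' "${OUTPUT_DIR}"
printf ' Archive: %s.tar.gz\n' "${ARCHIVE_NAME}"
printf ' RIDs: %s\n' "${RIDS[*]}"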