XRAY-144809 - Fixed maven to consider plugin deps during jf ca

Author: gauriy-tech

cli/docs/flags.go

@@ -164,6 +164,7 @@ const (
 	IncludeCachedPackages = "include-cached-packages"
 	LegacyPeerDeps        = "legacy-peer-deps"
 	RunNative             = "run-native"
+	MvnIncludePluginDeps  = "mvn-include-plugin-deps"
 
 	// Unique git flags
 	gitPrefix       = "git-"
@@ -227,7 +228,7 @@ var commandFlags = map[string][]string{
 		StaticSca, XrayLibPluginBinaryCustomPath, AnalyzerManagerCustomPath, AddSastRules,
 	},
 	CurationAudit: {
-		CurationOutput, WorkingDirs, Threads, RequirementsFile, InsecureTls, useWrapperAudit, UseIncludedBuilds, SolutionPath, DockerImageName, IncludeCachedPackages, LegacyPeerDeps, RunNative,
+		CurationOutput, WorkingDirs, Threads, RequirementsFile, InsecureTls, useWrapperAudit, UseIncludedBuilds, SolutionPath, DockerImageName, IncludeCachedPackages, MvnIncludePluginDeps, LegacyPeerDeps, RunNative,
 	},
 	GitCountContributors: {
 		InputFile, ScmType, ScmApiUrl, Token, Owner, RepoName, Months, DetailedSummary, InsecureTls, GitThreads, CacheValidity,
@@ -350,6 +351,7 @@ var flagsMap = map[string]components.Flag{
 	CurationOutput:                components.NewStringFlag(OutputFormat, "Defines the output format of the command. Acceptable values are: table, json.", components.WithStrDefaultValue("table")),
 	SolutionPath:                  components.NewStringFlag(SolutionPath, "Path to the .NET solution file (.sln) to use when multiple solution files are present in the directory."),
 	IncludeCachedPackages:         components.NewBoolFlag(IncludeCachedPackages, "When set to true, the system will audit cached packages. This configuration is mandatory for Curation on-demand workflows, which rely on package caching."),
+	MvnIncludePluginDeps:          components.NewBoolFlag(MvnIncludePluginDeps, "[Maven] When set to true, Maven build-plugin transitive dependencies are included in the curation evaluation. Requires two additional Maven invocations (help:effective-pom, dependency:resolve-plugins) which may slow down the scan. By default only project dependencies are scanned."),
 	LegacyPeerDeps:                components.NewBoolFlag(LegacyPeerDeps, "[npm] Pass --legacy-peer-deps to npm install to bypass peer-dependency version conflicts."),
 	RunNative:                     components.NewBoolFlag(RunNative, "[npm] Use the native npm client for dependency resolution. Reads Artifactory URL and repository from the project's .npmrc registry — no 'jf npm-config' required. Respects .npmrc and Volta configuration."),
 	binarySca:                     components.NewBoolFlag(Sca, fmt.Sprintf("Selective scanners mode: Execute SCA (Software Composition Analysis) sub-scan. Use --%s to run both SCA and Contextual Analysis. Use --%s --%s to to run SCA. Can be combined with --%s.", Sca, Sca, WithoutCA, Secrets)),

cli/scancommands.go

@@ -739,6 +739,7 @@ func getCurationCommand(c *components.Context) (*curation.CurationAuditCommand,
 		SetSolutionFilePath(c.GetStringFlagValue(flags.SolutionPath))
 	curationAuditCommand.SetDockerImageName(c.GetStringFlagValue(flags.DockerImageName))
 	curationAuditCommand.SetIncludeCachedPackages(c.GetBoolFlagValue(flags.IncludeCachedPackages))
+	curationAuditCommand.SetMvnIncludePluginDeps(c.GetBoolFlagValue(flags.MvnIncludePluginDeps))
 	curationAuditCommand.SetLegacyPeerDeps(c.GetBoolFlagValue(flags.LegacyPeerDeps))
 	curationAuditCommand.SetRunNative(c.GetBoolFlagValue(flags.RunNative))
 	return curationAuditCommand, nil

commands/curation/curationaudit.go

@@ -233,6 +233,7 @@ type CurationAuditCommand struct {
 	parallelRequests      int
 	dockerImageName       string
 	includeCachedPackages bool
+	mvnIncludePluginDeps  bool
 	audit.AuditParamsInterface
 }
 
@@ -283,6 +284,11 @@ func (ca *CurationAuditCommand) SetIncludeCachedPackages(includeCachedPackages b
 	return ca
 }
 
+func (ca *CurationAuditCommand) SetMvnIncludePluginDeps(mvnIncludePluginDeps bool) *CurationAuditCommand {
+	ca.mvnIncludePluginDeps = mvnIncludePluginDeps
+	return ca
+}
+
 func (ca *CurationAuditCommand) Run() (err error) {
 	rootDir, err := os.Getwd()
 	if err != nil {
@@ -451,7 +457,8 @@ func (ca *CurationAuditCommand) getBuildInfoParamsByTech() (technologies.BuildIn
 		Args:               ca.Args(),
 		InstallCommandArgs: ca.InstallCommandArgs(),
 		// Curation params
-		IsCurationCmd: true,
+		IsCurationCmd:        true,
+		MvnIncludePluginDeps: ca.mvnIncludePluginDeps,
 		// Java params
 		IsMavenDepTreeInstalled: true,
 		UseWrapper:              ca.UseWrapper(),

sca/bom/buildinfo/buildinfobom.go

@@ -263,6 +263,7 @@ func GetTechDependencyTree(params technologies.BuildInfoBomGeneratorParams, arti
 			IsMavenDepTreeInstalled: params.IsMavenDepTreeInstalled,
 			UseWrapper:              params.UseWrapper,
 			IsCurationCmd:           params.IsCurationCmd,
+			MvnIncludePluginDeps:    params.MvnIncludePluginDeps,
 			CurationCacheFolder:     curationCacheFolder,
 			UseIncludedBuilds:       params.UseIncludedBuilds,
 		}, tech)

sca/bom/buildinfo/technologies/common.go

@@ -48,7 +48,8 @@ type BuildInfoBomGeneratorParams struct {
 	Args               []string
 	InstallCommandArgs []string
 	// Curation params
-	IsCurationCmd bool
+	IsCurationCmd        bool
+	MvnIncludePluginDeps bool
 	// Java params
 	IsMavenDepTreeInstalled bool
 	UseWrapper              bool

sca/bom/buildinfo/technologies/java/deptreemanager.go

@@ -30,6 +30,7 @@ type DepTreeParams struct {
 	DepsRepo                string
 	IsMavenDepTreeInstalled bool
 	IsCurationCmd           bool
+	MvnIncludePluginDeps    bool
 	CurationCacheFolder     string
 	UseIncludedBuilds       bool
 }