cleanup

.github/workflows/test.yml

@@ -164,6 +164,7 @@ jobs:
   test-ee:
     needs: test
     name: EE ${{ matrix.version }} + JDK${{ matrix.java-version }} on ${{ matrix.os }}
+    if: github.event_name != 'pull_request'
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:

__tests__/sbom.test.ts

@@ -1,9 +1,9 @@
+import * as c from '../src/constants'
 import {
   setUpSBOMSupport,
   processSBOM,
   mapToComponentsWithDependencies,
-  INPUT_NI_SBOM,
-  NATIVE_IMAGE_OPTIONS_ENV
+  INPUT_NI_SBOM
 } from '../src/features/sbom'
 import * as core from '@actions/core'
 import * as github from '@actions/github'
@@ -50,10 +50,8 @@ describe('sbom feature', () => {
   let originalEnv: NodeJS.ProcessEnv
 
   beforeEach(() => {
-    // Save original env
     originalEnv = process.env
 
-    // Set up test environment
     process.env = {
       ...process.env,
       GITHUB_REPOSITORY: 'test-owner/test-repo',
@@ -93,7 +91,7 @@ describe('sbom feature', () => {
     it('should set the SBOM option flag when activated', () => {
       setUpSBOMSupport()
       expect(spyExportVariable).toHaveBeenCalledWith(
-        NATIVE_IMAGE_OPTIONS_ENV,
+        c.NATIVE_IMAGE_OPTIONS_ENV,
         expect.stringContaining('--enable-sbom=export')
       )
       expect(spyInfo).toHaveBeenCalledWith(
@@ -169,6 +167,9 @@ describe('sbom feature', () => {
       expect(spyInfo).toHaveBeenCalledWith(
         '- pkg:maven/com.oracle/[email protected]'
       )
+      expect(spyInfo).toHaveBeenCalledWith(
+        '   depends on: pkg:maven/org.json/json@20211205'
+      )
       expect(spyWarning).not.toHaveBeenCalled()
     })
 
@@ -196,9 +197,8 @@ describe('sbom feature', () => {
       await processSBOM()
 
       expect(spyInfo).toHaveBeenCalledWith('=== SBOM Content ===')
-      expect(spyInfo).toHaveBeenCalledWith(
-        '- [email protected] (purl not specified, component will not be submitted to GitHub dependency API)'
-      )
+      expect(spyInfo).toHaveBeenCalledWith('- [email protected]')
+      expect(spyWarning).not.toHaveBeenCalled()
     })
 
     it('should handle missing SBOM file', async () => {
@@ -209,7 +209,7 @@ describe('sbom feature', () => {
 
       await processSBOM()
       expect(spyWarning).toHaveBeenCalledWith(
-        'No SBOM file found. Make sure native-image build completed successfully.'
+        'No SBOM file found. Make sure native-image build completed successfully. Skipping submission to GitHub Dependency API.'
       )
     })
 
@@ -241,7 +241,22 @@ describe('sbom feature', () => {
             correlator: 'test-workflow_test-job',
             id: '12345'
           }),
-          manifests: expect.any(Object)
+          manifests: expect.objectContaining({
+            'test.sbom.json': expect.objectContaining({
+              name: 'test.sbom.json',
+              resolved: expect.objectContaining({
+                json: expect.objectContaining({
+                  package_url: 'pkg:maven/org.json/json@20211205',
+                  dependencies: []
+                }),
+                'main-test-app': expect.objectContaining({
+                  package_url:
+                    'pkg:maven/com.oracle/[email protected]',
+                  dependencies: ['pkg:maven/org.json/json@20211205']
+                })
+              })
+            })
+          })
         })
       )
     })
@@ -267,94 +282,4 @@ describe('sbom feature', () => {
       )
     })
   })
-
-  describe('mapToComponents', () => {
-    it('should map valid SBOM data to components', () => {
-      const sbomData = {
-        components: [
-          {
-            name: 'json',
-            version: '20211205',
-            purl: 'pkg:maven/org.json/json@20211205',
-            'bom-ref': 'pkg:maven/org.json/json@20211205'
-          },
-          {
-            name: 'main-test-app',
-            version: '1.0-SNAPSHOT',
-            purl: 'pkg:maven/com.oracle/[email protected]',
-            'bom-ref': 'pkg:maven/com.oracle/[email protected]'
-          }
-        ],
-        dependencies: [
-          {
-            ref: 'pkg:maven/com.oracle/[email protected]',
-            dependsOn: ['pkg:maven/org.json/json@20211205']
-          },
-          {
-            ref: 'pkg:maven/org.json/json@20211205',
-            dependsOn: []
-          }
-        ]
-      }
-
-      const result = mapToComponentsWithDependencies(sbomData)
-
-      expect(result).toEqual([
-        {
-          name: 'json',
-          version: '20211205',
-          purl: 'pkg:maven/org.json/json@20211205',
-          dependencies: [],
-          'bom-ref': 'pkg:maven/org.json/json@20211205'
-        },
-        {
-          name: 'main-test-app',
-          version: '1.0-SNAPSHOT',
-          purl: 'pkg:maven/com.oracle/[email protected]',
-          dependencies: ['pkg:maven/org.json/json@20211205'],
-          'bom-ref': 'pkg:maven/com.oracle/[email protected]'
-        }
-      ])
-    })
-
-    it('should handle components without dependencies', () => {
-      const sbomData = {
-        components: [
-          {
-            name: 'json',
-            version: '20211205',
-            purl: 'pkg:maven/org.json/json@20211205',
-            'bom-ref': 'pkg:maven/org.json/json@20211205'
-          }
-        ],
-        dependencies: []
-      }
-
-      const result = mapToComponentsWithDependencies(sbomData)
-
-      expect(result).toEqual([
-        {
-          name: 'json',
-          version: '20211205',
-          purl: 'pkg:maven/org.json/json@20211205',
-          dependencies: [],
-          'bom-ref': 'pkg:maven/org.json/json@20211205'
-        }
-      ])
-    })
-
-    it('should handle missing components', () => {
-      const sbomData = {
-        components: [],
-        dependencies: []
-      }
-
-      const result = mapToComponentsWithDependencies(sbomData)
-
-      expect(result).toEqual([])
-      expect(spyWarning).toHaveBeenCalledWith(
-        'Invalid SBOM data or no components found.'
-      )
-    })
-  })
 })

action.yml

@@ -53,7 +53,7 @@ inputs:
     default: 'false'
   native-image-enable-sbom:
     required: false
-    description: 'Enable SBOM generation for Native Image builds. The SBOM dependencies are shown in the dependency view in Github.'
+    description: 'Enable SBOM (Software Bill of Materials) generation for Native Image builds. SBOM dependencies are shown in the "Dependency graph" under "Insights" and vulnerability alerts under "Security". This requires the 'Dependency graph' feature to be actived.
     default: 'false'
   version:
     required: false

src/constants.ts

@@ -14,6 +14,8 @@ export const INPUT_CACHE = 'cache'
 export const INPUT_CHECK_FOR_UPDATES = 'check-for-updates'
 export const INPUT_NI_MUSL = 'native-image-musl'
 
+export const NATIVE_IMAGE_OPTIONS_ENV = 'NATIVE_IMAGE_OPTIONS'
+
 export const IS_LINUX = process.platform === 'linux'
 export const IS_MACOS = process.platform === 'darwin'
 export const IS_WINDOWS = process.platform === 'win32'

src/features/reports.ts

@@ -26,7 +26,6 @@ const NATIVE_IMAGE_CONFIG_FILE = join(
   tmpdir(),
   'native-image-options.properties'
 )
-const NATIVE_IMAGE_OPTIONS_ENV = 'NATIVE_IMAGE_OPTIONS'
 const NATIVE_IMAGE_CONFIG_FILE_ENV = 'NATIVE_IMAGE_CONFIG_FILE'
 const PR_COMMENT_TITLE = '## GraalVM Native Image Build Report'
 
@@ -182,11 +181,11 @@ function setNativeImageOption(
   ) {
     /* NATIVE_IMAGE_OPTIONS was introduced in GraalVM for JDK 22 (so were EA builds). */
     let newOptionValue = optionValue
-    const existingOptions = process.env[NATIVE_IMAGE_OPTIONS_ENV]
+    const existingOptions = process.env[c.NATIVE_IMAGE_OPTIONS_ENV]
     if (existingOptions) {
       newOptionValue = `${existingOptions} ${newOptionValue}`
     }
-    core.exportVariable(NATIVE_IMAGE_OPTIONS_ENV, newOptionValue)
+    core.exportVariable(c.NATIVE_IMAGE_OPTIONS_ENV, newOptionValue)
   } else {
     const optionsFile = getNativeImageOptionsFile()
     if (fs.existsSync(optionsFile)) {