From ca24791267b5655ecb8c6d53b718cf79212307a3 Mon Sep 17 00:00:00 2001 From: Chao Wang Date: Thu, 13 Nov 2025 14:59:05 +0800 Subject: [PATCH 1/5] feat: support both exhortignore and trustify-da-ignore --- README.md | 69 ++++++++++++------ .../providers/GoModulesProvider.java | 12 +-- .../trustifyda/providers/GradleProvider.java | 3 +- .../providers/JavaMavenProvider.java | 3 +- .../providers/JavaScriptProvider.java | 14 ---- .../providers/PythonPipProvider.java | 3 +- .../providers/javascript/model/Manifest.java | 14 ++-- .../utils/IgnorePatternDetector.java | 64 ++++++++++++++++ .../utils/IgnorePatternDetectorTest.java | 73 +++++++++++++++++++ 9 files changed, 204 insertions(+), 51 deletions(-) create mode 100644 src/main/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetector.java create mode 100644 src/test/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetectorTest.java diff --git a/README.md b/README.md index 1b3f80c4..415cf028 100644 --- a/README.md +++ b/README.md @@ -177,7 +177,7 @@ public class TrustifyExample {

Excluding Packages

-Excluding a package from any analysis can be achieved by marking the package for exclusion. +Excluding a package from any analysis can be achieved by marking the package for exclusion using either the trustify-da-ignore syntax or the legacy exhortignore.

- -All of the 5 above examples are valid for marking a package to be ignored + +#### Migration from exhortignore to trustify-da-ignore +Both `exhortignore` and `trustify-da-ignore` patterns work identically and can be used interchangeably. The `trustify-da-ignore` syntax is recommended for new projects, while `exhortignore` continues to be supported for backwards compatibility. You can gradually migrate your projects or use both patterns in the same manifest. #### Ignore Strategies - experimental - You can specify the method to ignore dependencies in manifest (globally), by setting the environment variable `TRUSTIFY_DA_IGNORE_METHOD` to one of the following values: \ - **_Possible values:_** -- `insensitive` - ignoring the dependency and all of its subtree(all transitives) - default. -- `sensitive` - ignoring the dependency but let its transitives remain if they are also transitive of another dependency in the tree or if they're direct dependency of root in the dependency tree. - - +You can specify the method to ignore dependencies in manifest (globally), by setting the environment variable `TRUSTIFY_DA_IGNORE_METHOD` to one of the following values: - +**Possible values:** +- `insensitive` - ignoring the dependency and all of its subtree(all transitives) - default. +- `sensitive` - ignoring the dependency but let its transitives remain if they are also transitive of another dependency in the tree or if they're direct dependency of root in the dependency tree.

Customization

diff --git a/src/main/java/io/github/guacsec/trustifyda/providers/GoModulesProvider.java b/src/main/java/io/github/guacsec/trustifyda/providers/GoModulesProvider.java index 2e71cb8b..32747aca 100644 --- a/src/main/java/io/github/guacsec/trustifyda/providers/GoModulesProvider.java +++ b/src/main/java/io/github/guacsec/trustifyda/providers/GoModulesProvider.java @@ -28,6 +28,7 @@ import io.github.guacsec.trustifyda.tools.Ecosystem.Type; import io.github.guacsec.trustifyda.tools.Operations; import io.github.guacsec.trustifyda.utils.Environment; +import io.github.guacsec.trustifyda.utils.IgnorePatternDetector; import io.github.guacsec.trustifyda.vcs.GitVersionControlSystemImpl; import io.github.guacsec.trustifyda.vcs.TagInfo; import io.github.guacsec.trustifyda.vcs.VersionControlSystem; @@ -459,15 +460,16 @@ private String extractPackageName(String line) { public boolean IgnoredLine(String line) { boolean result = false; - if (line.contains("exhortignore")) { - // if exhortignore is alone in a comment or is in a comment together with indirect or as a + if (IgnorePatternDetector.containsIgnorePattern(line)) { + // if exhortignore or trustify-da-ignore is alone in a comment or is in a comment together + // with indirect or as a // comment inside a // comment ( e.g // indirect //exhort) // then this line is to be checked if it's a comment after a package name. - if (Pattern.matches(".+//\\s*exhortignore", line) - || Pattern.matches(".+//\\sindirect (//)?\\s*exhortignore", line)) { + if (Pattern.matches(".+//\\s*(exhortignore|trustify-da-ignore)", line) + || Pattern.matches(".+//\\sindirect (//)?\\s*(exhortignore|trustify-da-ignore)", line)) { String trimmedRow = line.trim(); - // filter out lines where exhortignore has no meaning + // filter out lines where exhortignore or trustify-da-ignore has no meaning if (!trimmedRow.startsWith("module ") && !trimmedRow.startsWith("go ") && !trimmedRow.startsWith("require (") 
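Review bot: The two regexes in `IgnoredLine` spell out `(exhortignore|trustify-da-ignore)` as literals while the guard above them goes through `IgnorePatternDetector`, so the token list now lives in two places and a later change to the constants would leave go.mod parsing behind. Building the alternation once from `IgnorePatternDetector.LEGACY_IGNORE_PATTERN` and `NEW_IGNORE_PATTERN` (each passed through `Pattern.quote`) into a `private static final Pattern` keeps them in step, and it avoids recompiling the regex for every line, which `Pattern.matches` does on each call. The rewrapped comment above the check is also hard to follow; `// the marker only counts in a trailing comment, alone or after "// indirect"` would say the same thing. The method body continues past the end of this hunk.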
diff --git a/src/main/java/io/github/guacsec/trustifyda/providers/GradleProvider.java b/src/main/java/io/github/guacsec/trustifyda/providers/GradleProvider.java index d4c11895..8ca4ef61 100644 --- a/src/main/java/io/github/guacsec/trustifyda/providers/GradleProvider.java +++ b/src/main/java/io/github/guacsec/trustifyda/providers/GradleProvider.java @@ -27,6 +27,7 @@ import io.github.guacsec.trustifyda.sbom.SbomFactory; import io.github.guacsec.trustifyda.tools.Ecosystem.Type; import io.github.guacsec.trustifyda.tools.Operations; +import io.github.guacsec.trustifyda.utils.IgnorePatternDetector; import java.io.IOException; import java.nio.file.Files; import java.nio.file.Path; @@ -202,7 +203,7 @@ private boolean depHasLibsNotation(String depToBeIgnored) { } private boolean isIgnoredLine(String line) { - return line.contains("exhortignore"); + return IgnorePatternDetector.containsIgnorePattern(line); } private String extractPackageName(String line) { diff --git a/src/main/java/io/github/guacsec/trustifyda/providers/JavaMavenProvider.java b/src/main/java/io/github/guacsec/trustifyda/providers/JavaMavenProvider.java index 5e2192ec..08b0961a 100644 --- a/src/main/java/io/github/guacsec/trustifyda/providers/JavaMavenProvider.java +++ b/src/main/java/io/github/guacsec/trustifyda/providers/JavaMavenProvider.java @@ -28,6 +28,7 @@ import io.github.guacsec.trustifyda.tools.Ecosystem.Type; import io.github.guacsec.trustifyda.tools.Operations; import io.github.guacsec.trustifyda.utils.Environment; +import io.github.guacsec.trustifyda.utils.IgnorePatternDetector; import java.io.IOException; import java.nio.file.Files; import java.nio.file.Path; 
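Review bot: `isIgnoredLine` now delegates to `IgnorePatternDetector.containsIgnorePattern`, which is a bare substring test, so any build.gradle line that mentions `exhortignore` or `trustify-da-ignore` anywhere (a string literal, a coordinate, an unrelated comment) marks that dependency as excluded from the analysis. The behaviour was already there for the legacy token, but this change doubles the strings that trigger it, and for a tool whose output is a vulnerability report an unintended exclusion is a silent gap. Anchoring the check to a trailing comment, as the go.mod provider does, would narrow it: `return line.matches(".*//\\s*(exhortignore|trustify-da-ignore)\\s*");`. Whether block comments also have to be accepted cannot be told from this hunk.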
@@ -277,7 +278,7 @@ private List getDependencies(final Path manifestPath) thro if (!Objects.isNull(dependencyAggregator)) { // if we hit an ignore comment, mark aggregator to be ignored if (reader.getEventType() == XMLStreamConstants.COMMENT - && "exhortignore".equals(reader.getText().strip())) { + && IgnorePatternDetector.isIgnoreComment(reader.getText())) { dependencyAggregator.ignored = true; continue; } diff --git a/src/main/java/io/github/guacsec/trustifyda/providers/JavaScriptProvider.java b/src/main/java/io/github/guacsec/trustifyda/providers/JavaScriptProvider.java index 64aac6ea..85c968f9 100644 --- a/src/main/java/io/github/guacsec/trustifyda/providers/JavaScriptProvider.java +++ b/src/main/java/io/github/guacsec/trustifyda/providers/JavaScriptProvider.java @@ -36,10 +36,8 @@ import java.nio.charset.StandardCharsets; import java.nio.file.Files; import java.nio.file.Path; -import java.util.ArrayList; import java.util.Collections; import java.util.Iterator; -import java.util.List; import java.util.Map; import java.util.Map.Entry; import java.util.TreeMap; @@ -240,18 +238,6 @@ protected String parseDepTreeOutput(String output) { return output; } - protected List getIgnoredDeps(JsonNode manifest) { - var ignored = new ArrayList(); - var ignoredNode = manifest.withArray("exhortignore"); - if (ignoredNode == null) { - return ignored; - } - for (JsonNode n : ignoredNode) { - ignored.add(n.asText()); - } - return ignored; - } - protected Map getExecEnv() { String pathEnv = Environment.get(pathEnv()); if (pathEnv != null && !pathEnv.isBlank()) { diff --git a/src/main/java/io/github/guacsec/trustifyda/providers/PythonPipProvider.java b/src/main/java/io/github/guacsec/trustifyda/providers/PythonPipProvider.java index c1bffb88..23249208 100644 --- a/src/main/java/io/github/guacsec/trustifyda/providers/PythonPipProvider.java +++ b/src/main/java/io/github/guacsec/trustifyda/providers/PythonPipProvider.java 
@@ -29,6 +29,7 @@ import io.github.guacsec.trustifyda.tools.Ecosystem; import io.github.guacsec.trustifyda.tools.Operations; import io.github.guacsec.trustifyda.utils.Environment; +import io.github.guacsec.trustifyda.utils.IgnorePatternDetector; import io.github.guacsec.trustifyda.utils.PythonControllerBase; import io.github.guacsec.trustifyda.utils.PythonControllerRealEnv; import io.github.guacsec.trustifyda.utils.PythonControllerVirtualEnv; @@ -173,7 +174,7 @@ private Set getIgnoredDependencies(String requirementsDeps) { String[] requirementsLines = requirementsDeps.split(System.lineSeparator()); Set collected = Arrays.stream(requirementsLines) - .filter(line -> line.contains("#exhortignore") || line.contains("# exhortignore")) + .filter(IgnorePatternDetector::containsPythonIgnorePattern) .map(PythonPipProvider::extractDepFull) .map(this::splitToNameVersion) .map(dep -> toPurl(dep[0], dep[1])) diff --git a/src/main/java/io/github/guacsec/trustifyda/providers/javascript/model/Manifest.java b/src/main/java/io/github/guacsec/trustifyda/providers/javascript/model/Manifest.java index 87a26703..aedda56c 100644 --- a/src/main/java/io/github/guacsec/trustifyda/providers/javascript/model/Manifest.java +++ b/src/main/java/io/github/guacsec/trustifyda/providers/javascript/model/Manifest.java 
@@ -70,12 +70,16 @@ private Set loadDependencies(JsonNode content) {
 private Set loadIgnored(JsonNode content) {
 var names = new HashSet();
 if (content != null) {
- var ignore = (ArrayNode) content.get("exhortignore");
- if (ignore == null || ignore.isEmpty()) {
- return Collections.emptySet();
- }
+ processIgnoreArray(content, "exhortignore", names);
+ processIgnoreArray(content, "trustify-da-ignore", names);
+ }
+ return names.isEmpty() ? Collections.emptySet() : Collections.unmodifiableSet(names);
+ }
+
+ private void processIgnoreArray(JsonNode content, String key, Set names) {
+ var ignore = (ArrayNode) content.get(key);
+ if (ignore != null && !ignore.isEmpty()) {
 ignore.forEach(n -> names.add(n.asText()));
 }
- return Collections.unmodifiableSet(names);
 }
 }
diff --git a/src/main/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetector.java b/src/main/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetector.java
new file mode 100644
index 00000000..6ca1c522
--- /dev/null
+++ b/src/main/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetector.java
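Review bot: `processIgnoreArray` casts `content.get(key)` straight to `ArrayNode`, so a package.json in which `trustify-da-ignore` or `exhortignore` is a string or an object rather than an array raises `ClassCastException` and aborts the analysis instead of being skipped or reported. The cast existed for the legacy key, but it is now applied to a second key read from the manifest. A type check removes the failure: `var ignore = content.get(key);` followed by `if (ignore != null && ignore.isArray()) {`. A one-line Javadoc on the helper saying that names from both keys are merged into a single set would also help the next reader. Patch 4/5 of this series changes this file again, and those hunks are not visible here.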
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2023-2025 Trustify Dependency Analytics Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.github.guacsec.trustifyda.utils;
+
+/**
+ * Utility class for detecting ignore patterns in dependency manifests. Supports both legacy
+ * 'exhortignore' and new 'trustify-da-ignore' patterns for backwards compatibility.
+ */
+public class IgnorePatternDetector {
+
+ public static final String LEGACY_IGNORE_PATTERN = "exhortignore";
+ public static final String NEW_IGNORE_PATTERN = "trustify-da-ignore";
+
+ /**
+ * Checks if a text line contains any ignore pattern (exhortignore or trustify-da-ignore). Used
+ * for inline comment detection in requirements.txt, go.mod, build.gradle, etc.
+ *
+ * @param text the text to check
+ * @return true if the text contains any ignore pattern
+ */
+ public static boolean containsIgnorePattern(String text) {
+ return text.contains(LEGACY_IGNORE_PATTERN) || text.contains(NEW_IGNORE_PATTERN);
+ }
+
+ /**
+ * Checks if a comment text exactly matches an ignore pattern. Used for XML comment detection in
+ * pom.xml files.
+ *
+ * @param commentText the comment text to check (will be stripped of whitespace)
+ * @return true if the comment exactly matches an ignore pattern
+ */
+ public static boolean isIgnoreComment(String commentText) {
+ String stripped = commentText.strip();
+ return LEGACY_IGNORE_PATTERN.equals(stripped) || NEW_IGNORE_PATTERN.equals(stripped);
+ }
+
+ /**
+ * Checks if a text line contains a Python pip ignore pattern. Handles both '#exhortignore' and
+ * '#trustify-da-ignore' with optional spacing.
+ *
+ * @param line the line to check
+ * @return true if the line contains a Python pip ignore pattern
+ */
+ public static boolean containsPythonIgnorePattern(String line) {
+ return line.contains("#" + LEGACY_IGNORE_PATTERN)
+ || line.contains("# " + LEGACY_IGNORE_PATTERN)
+ || line.contains("#" + NEW_IGNORE_PATTERN)
+ || line.contains("# " + NEW_IGNORE_PATTERN);
+ }
+}
diff --git a/src/test/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetectorTest.java b/src/test/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetectorTest.java
new file mode 100644
index 00000000..178e156e
--- /dev/null
+++ b/src/test/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetectorTest.java
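Review bot: `containsPythonIgnorePattern` is documented as handling "optional spacing" but accepts only zero or one space after `#`, and it matches the token as a prefix, so `#trustify-da-ignored` or `# exhortignore-later` excludes the package from analysis while a tab or two spaces before the marker does not. A single precompiled pattern would make the Javadoc true and bound the token: `private static final Pattern PIP_IGNORE = Pattern.compile("#\\s*(?:exhortignore|trustify-da-ignore)(?!\\S)");` with `return PIP_IGNORE.matcher(line).find();` (this needs `java.util.regex.Pattern`). `containsIgnorePattern` has the same unanchored substring behaviour and its Javadoc should say so, since callers use it to decide what is left out of the report. As a static-only utility the class could also be `final` with a private constructor. Patch 4/5 of this series reworks this class, and those hunks are not visible here.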
@@ -0,0 +1,73 @@ +/* + * Copyright 2023-2025 Trustify Dependency Analytics Authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package io.github.guacsec.trustifyda.utils; + +import static org.junit.jupiter.api.Assertions.*; + +import org.junit.jupiter.api.Test; + +public class IgnorePatternDetectorTest { + + @Test + void testContainsIgnorePattern() { + // Test legacy exhortignore + assertTrue(IgnorePatternDetector.containsIgnorePattern("some line //exhortignore")); + assertTrue(IgnorePatternDetector.containsIgnorePattern("exhortignore")); + + // Test new trustify-da-ignore + assertTrue(IgnorePatternDetector.containsIgnorePattern("some line //trustify-da-ignore")); + assertTrue(IgnorePatternDetector.containsIgnorePattern("trustify-da-ignore")); + + // Test negative cases + assertFalse(IgnorePatternDetector.containsIgnorePattern("normal line")); + assertFalse(IgnorePatternDetector.containsIgnorePattern("ignore but not the right pattern")); + } + + @Test + void testIsIgnoreComment() { + // Test legacy exhortignore + assertTrue(IgnorePatternDetector.isIgnoreComment("exhortignore")); + assertTrue(IgnorePatternDetector.isIgnoreComment(" exhortignore ")); + + // Test new trustify-da-ignore + assertTrue(IgnorePatternDetector.isIgnoreComment("trustify-da-ignore")); + assertTrue(IgnorePatternDetector.isIgnoreComment(" trustify-da-ignore ")); + + // Test negative cases + assertFalse(IgnorePatternDetector.isIgnoreComment("not an ignore comment")); + 
assertFalse(IgnorePatternDetector.isIgnoreComment("exhortignore extra")); + assertFalse(IgnorePatternDetector.isIgnoreComment("prefix exhortignore")); + } + + @Test + void testContainsPythonIgnorePattern() { + // Test legacy exhortignore patterns + assertTrue(IgnorePatternDetector.containsPythonIgnorePattern("package==1.0 #exhortignore")); + assertTrue(IgnorePatternDetector.containsPythonIgnorePattern("package==1.0 # exhortignore")); + + // Test new trustify-da-ignore patterns + assertTrue( + IgnorePatternDetector.containsPythonIgnorePattern("package==1.0 #trustify-da-ignore")); + assertTrue( + IgnorePatternDetector.containsPythonIgnorePattern("package==1.0 # trustify-da-ignore")); + + // Test negative cases + assertFalse(IgnorePatternDetector.containsPythonIgnorePattern("package==1.0")); + assertFalse( + IgnorePatternDetector.containsPythonIgnorePattern("package==1.0 # some other comment")); + } +} From 51f614aa709c2c3cabd249235ad9bdfc864a72ff Mon Sep 17 00:00:00 2001 
From: Chao Wang Date: Thu, 13 Nov 2025 14:59:46 +0800 Subject: [PATCH 2/5] feat: update tests for trustify-da-ignore --- .../tst_manifests/golang/go_mod_with_all_ignore/go.mod | 8 ++++---- .../tst_manifests/golang/go_mod_with_ignore/go.mod | 6 +++--- .../golang/go_mod_with_one_ignored_prefix_go/go.mod | 2 +- .../deps_with_ignore_full_specification/build.gradle | 2 +- .../deps_with_ignore_named_params/build.gradle | 2 +- .../gradle-groovy/deps_with_ignore_notations/build.gradle | 2 +- .../deps_with_ignore_full_specification/build.gradle.kts | 2 +- .../deps_with_ignore_named_params/build.gradle.kts | 2 +- .../deps_with_ignore_notations/build.gradle.kts | 2 +- .../maven/deps_no_trivial_with_ignore/pom.xml | 2 +- .../maven/deps_with_ignore_on_artifact/pom.xml | 2 +- .../maven/deps_with_ignore_on_dependency/pom.xml | 2 +- .../tst_manifests/maven/deps_with_ignore_on_group/pom.xml | 2 +- .../maven/deps_with_ignore_on_version/pom.xml | 2 +- .../tst_manifests/maven/deps_with_ignore_on_wrong/pom.xml | 2 +- .../tst_manifests/npm/deps_with_ignore/package.json | 2 +- .../pip/pip_requirements_txt_ignore/requirements.txt | 4 ++-- .../tst_manifests/pnpm/deps_with_ignore/package.json | 2 +- .../yarn-berry/deps_with_ignore/package.json | 2 +- .../yarn-classic/deps_with_ignore/package.json | 2 +- 20 files changed, 26 insertions(+), 26 deletions(-) diff --git a/src/test/resources/tst_manifests/golang/go_mod_with_all_ignore/go.mod b/src/test/resources/tst_manifests/golang/go_mod_with_all_ignore/go.mod index b5f5eb21..062b0bbe 100644 --- a/src/test/resources/tst_manifests/golang/go_mod_with_all_ignore/go.mod +++ b/src/test/resources/tst_manifests/golang/go_mod_with_all_ignore/go.mod 
@@ -6,8 +6,8 @@ require( github.com/labstack/echo/v4 v4.1.18-0.20201215153152-4422e3b66b9f //exhortignore github.com/russellhaering/goxmldsig v1.1.0 //exhortignore github.com/gin-gonic/gin v1.6.0 //exhortignore - github.com/miekg/dns v1.0.4-0.20180125103619-43913f2f4fbd //exhortignore - github.com/ipld/go-car v0.3.0 //exhortignore - go.elastic.co/apm v1.11.0 //exhortignore - gopkg.in/yaml.v3 v3.0.0-20220521103104-8f96da9f5d5e //exhortignore + github.com/miekg/dns v1.0.4-0.20180125103619-43913f2f4fbd //trustify-da-ignore + github.com/ipld/go-car v0.3.0 //trustify-da-ignore + go.elastic.co/apm v1.11.0 //trustify-da-ignore + gopkg.in/yaml.v3 v3.0.0-20220521103104-8f96da9f5d5e //trustify-da-ignore ) diff --git a/src/test/resources/tst_manifests/golang/go_mod_with_ignore/go.mod b/src/test/resources/tst_manifests/golang/go_mod_with_ignore/go.mod index 7ee7a08f..48fc55c3 100644 --- a/src/test/resources/tst_manifests/golang/go_mod_with_ignore/go.mod +++ b/src/test/resources/tst_manifests/golang/go_mod_with_ignore/go.mod @@ -5,7 +5,7 @@ go 1.19 require ( github.com/gin-gonic/gin v1.9.1 github.com/google/uuid v1.1.2 - github.com/jessevdk/go-flags v1.5.0 //exhortignore + github.com/jessevdk/go-flags v1.5.0 //trustify-da-ignore github.com/kr/pretty v0.3.1 gopkg.in/yaml.v2 v2.4.0 k8s.io/apimachinery v0.26.1 
@@ -15,13 +15,13 @@ require ( require ( github.com/davecgh/go-spew v1.1.1 // indirect github.com/emicklei/go-restful/v3 v3.9.0 // indirect - github.com/go-logr/logr v1.2.3 // indirect exhortignore + github.com/go-logr/logr v1.2.3 // indirect trustify-da-ignore github.com/go-openapi/jsonpointer v0.19.5 // indirect github.com/go-openapi/jsonreference v0.20.0 // indirect github.com/go-openapi/swag v0.19.14 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/protobuf v1.5.2 // indirect - github.com/google/gnostic v0.5.7-v3refs // indirect //exhortignore + github.com/google/gnostic v0.5.7-v3refs // indirect //trustify-da-ignore github.com/google/go-cmp v0.5.9 // indirect github.com/google/gofuzz v1.1.0 // indirect github.com/imdario/mergo v0.3.6 // indirect diff --git a/src/test/resources/tst_manifests/golang/go_mod_with_one_ignored_prefix_go/go.mod b/src/test/resources/tst_manifests/golang/go_mod_with_one_ignored_prefix_go/go.mod index f8e29c7e..1692460d 100644 --- a/src/test/resources/tst_manifests/golang/go_mod_with_one_ignored_prefix_go/go.mod +++ b/src/test/resources/tst_manifests/golang/go_mod_with_one_ignored_prefix_go/go.mod @@ -11,5 +11,5 @@ require( github.com/miekg/dns v1.0.4-0.20180125103619-43913f2f4fbd github.com/ipld/go-car v0.3.0 go.elastic.co/apm v1.11.0 - gopkg.in/yaml.v3 v3.0.0-20220521103104-8f96da9f5d5e //exhortignore + gopkg.in/yaml.v3 v3.0.0-20220521103104-8f96da9f5d5e //trustify-da-ignore ) diff --git a/src/test/resources/tst_manifests/gradle-groovy/deps_with_ignore_full_specification/build.gradle b/src/test/resources/tst_manifests/gradle-groovy/deps_with_ignore_full_specification/build.gradle index 30c88ff1..1950b4c0 100644 --- a/src/test/resources/tst_manifests/gradle-groovy/deps_with_ignore_full_specification/build.gradle +++ b/src/test/resources/tst_manifests/gradle-groovy/deps_with_ignore_full_specification/build.gradle 
@@ -21,7 +21,7 @@ dependencies { implementation "jakarta.validation:jakarta.validation-api:2.0.2" implementation "io.quarkus:quarkus-resteasy-multipart:2.13.7.Final" implementation "io.quarkus:quarkus-hibernate-orm-deployment:2.0.2.Final" - implementation "log4j:log4j:1.2.17" // exhortignore + implementation "log4j:log4j:1.2.17" // trustify-da-ignore } test { useJUnitPlatform() diff --git a/src/test/resources/tst_manifests/gradle-groovy/deps_with_ignore_named_params/build.gradle b/src/test/resources/tst_manifests/gradle-groovy/deps_with_ignore_named_params/build.gradle index a2a7a951..fed76d61 100644 --- a/src/test/resources/tst_manifests/gradle-groovy/deps_with_ignore_named_params/build.gradle +++ b/src/test/resources/tst_manifests/gradle-groovy/deps_with_ignore_named_params/build.gradle @@ -21,7 +21,7 @@ dependencies { implementation "jakarta.validation:jakarta.validation-api:2.0.2" implementation "io.quarkus:quarkus-resteasy-multipart:2.13.7.Final" implementation "io.quarkus:quarkus-hibernate-orm-deployment:2.0.2.Final" - implementation group: 'log4j', name: 'log4j', version: '1.2.17' // exhortignore + implementation group: 'log4j', name: 'log4j', version: '1.2.17' // trustify-da-ignore implementation "com.acme:invented.dependency:1.0.0" } diff --git a/src/test/resources/tst_manifests/gradle-groovy/deps_with_ignore_notations/build.gradle b/src/test/resources/tst_manifests/gradle-groovy/deps_with_ignore_notations/build.gradle index 4d6ad79f..8c0d7caf 100644 --- a/src/test/resources/tst_manifests/gradle-groovy/deps_with_ignore_notations/build.gradle +++ b/src/test/resources/tst_manifests/gradle-groovy/deps_with_ignore_notations/build.gradle @@ -32,7 +32,7 @@ dependencies { api libs.io.quarkus.quarkus.container.image.docker api libs.jakarta.validation.jakarta.validation.api api libs.io.quarkus.quarkus.vertx.http - api libs.log4j // exhortignore + api libs.log4j // trustify-da-ignore compileOnly libs.io.quarkus.quarkus.hibernate.orm.deployment } 
diff --git a/src/test/resources/tst_manifests/gradle-kotlin/deps_with_ignore_full_specification/build.gradle.kts b/src/test/resources/tst_manifests/gradle-kotlin/deps_with_ignore_full_specification/build.gradle.kts index 1ec47a09..e0ce97e8 100644 --- a/src/test/resources/tst_manifests/gradle-kotlin/deps_with_ignore_full_specification/build.gradle.kts +++ b/src/test/resources/tst_manifests/gradle-kotlin/deps_with_ignore_full_specification/build.gradle.kts @@ -21,7 +21,7 @@ dependencies { implementation("jakarta.validation:jakarta.validation-api:2.0.2") implementation("io.quarkus:quarkus-resteasy-multipart:2.13.7.Final") implementation("io.quarkus:quarkus-hibernate-orm-deployment:2.0.2.Final") - implementation("log4j:log4j:1.2.17") // exhortignore + implementation("log4j:log4j:1.2.17") // trustify-da-ignore } tasks.test { useJUnitPlatform() diff --git a/src/test/resources/tst_manifests/gradle-kotlin/deps_with_ignore_named_params/build.gradle.kts b/src/test/resources/tst_manifests/gradle-kotlin/deps_with_ignore_named_params/build.gradle.kts index 8b207180..4bebee08 100644 --- a/src/test/resources/tst_manifests/gradle-kotlin/deps_with_ignore_named_params/build.gradle.kts +++ b/src/test/resources/tst_manifests/gradle-kotlin/deps_with_ignore_named_params/build.gradle.kts @@ -21,7 +21,7 @@ dependencies { implementation("jakarta.validation:jakarta.validation-api:2.0.2") implementation("io.quarkus:quarkus-resteasy-multipart:2.13.7.Final") implementation("io.quarkus:quarkus-hibernate-orm-deployment:2.0.2.Final") - implementation(group: "log4j", name: "log4j", version: "1.2.17") // exhortignore + implementation(group: "log4j", name: "log4j", version: "1.2.17") // trustify-da-ignore implementation("com.acme:invented.dependency:1.0.0") } diff --git a/src/test/resources/tst_manifests/gradle-kotlin/deps_with_ignore_notations/build.gradle.kts b/src/test/resources/tst_manifests/gradle-kotlin/deps_with_ignore_notations/build.gradle.kts index 08f09a89..76bd1924 100644 
--- a/src/test/resources/tst_manifests/gradle-kotlin/deps_with_ignore_notations/build.gradle.kts +++ b/src/test/resources/tst_manifests/gradle-kotlin/deps_with_ignore_notations/build.gradle.kts @@ -32,7 +32,7 @@ dependencies { api(libs.io.quarkus.quarkus.container.image.docker) api(libs.jakarta.validation.jakarta.validation.api) api(libs.io.quarkus.quarkus.vertx.http) - api(libs.log4j) // exhortignore + api(libs.log4j) // trustify-da-ignore compileOnly(libs.io.quarkus.quarkus.hibernate.orm.deployment) } diff --git a/src/test/resources/tst_manifests/maven/deps_no_trivial_with_ignore/pom.xml b/src/test/resources/tst_manifests/maven/deps_no_trivial_with_ignore/pom.xml index 94064ed8..369b4225 100644 --- a/src/test/resources/tst_manifests/maven/deps_no_trivial_with_ignore/pom.xml +++ b/src/test/resources/tst_manifests/maven/deps_no_trivial_with_ignore/pom.xml @@ -35,7 +35,7 @@ io.quarkus - quarkus-jdbc-postgresql + quarkus-jdbc-postgresql 2.13.6.Final diff --git a/src/test/resources/tst_manifests/maven/deps_with_ignore_on_artifact/pom.xml b/src/test/resources/tst_manifests/maven/deps_with_ignore_on_artifact/pom.xml index bd742a1c..39aee032 100644 --- a/src/test/resources/tst_manifests/maven/deps_with_ignore_on_artifact/pom.xml +++ b/src/test/resources/tst_manifests/maven/deps_with_ignore_on_artifact/pom.xml @@ -10,7 +10,7 @@ log4j - log4j + log4j 1.2.17 diff --git a/src/test/resources/tst_manifests/maven/deps_with_ignore_on_dependency/pom.xml b/src/test/resources/tst_manifests/maven/deps_with_ignore_on_dependency/pom.xml index 5440b066..1c7804d1 100644 --- a/src/test/resources/tst_manifests/maven/deps_with_ignore_on_dependency/pom.xml +++ b/src/test/resources/tst_manifests/maven/deps_with_ignore_on_dependency/pom.xml @@ -8,7 +8,7 @@ 0.0.1 - + log4j log4j 1.2.17 diff --git a/src/test/resources/tst_manifests/maven/deps_with_ignore_on_group/pom.xml b/src/test/resources/tst_manifests/maven/deps_with_ignore_on_group/pom.xml index 6b518d56..5b61c71b 100644 
--- a/src/test/resources/tst_manifests/maven/deps_with_ignore_on_group/pom.xml +++ b/src/test/resources/tst_manifests/maven/deps_with_ignore_on_group/pom.xml @@ -9,7 +9,7 @@ - log4j + log4j log4j 1.2.17 diff --git a/src/test/resources/tst_manifests/maven/deps_with_ignore_on_version/pom.xml b/src/test/resources/tst_manifests/maven/deps_with_ignore_on_version/pom.xml index afa4249b..40cdfa64 100644 --- a/src/test/resources/tst_manifests/maven/deps_with_ignore_on_version/pom.xml +++ b/src/test/resources/tst_manifests/maven/deps_with_ignore_on_version/pom.xml @@ -11,7 +11,7 @@ log4j log4j - 1.2.17 + 1.2.17 diff --git a/src/test/resources/tst_manifests/maven/deps_with_ignore_on_wrong/pom.xml b/src/test/resources/tst_manifests/maven/deps_with_ignore_on_wrong/pom.xml index 32797499..bd34e0bb 100644 --- a/src/test/resources/tst_manifests/maven/deps_with_ignore_on_wrong/pom.xml +++ b/src/test/resources/tst_manifests/maven/deps_with_ignore_on_wrong/pom.xml @@ -8,7 +8,7 @@ 0.0.1 - + log4j log4j diff --git a/src/test/resources/tst_manifests/npm/deps_with_ignore/package.json b/src/test/resources/tst_manifests/npm/deps_with_ignore/package.json index 7fabdf57..866478ed 100644 --- a/src/test/resources/tst_manifests/npm/deps_with_ignore/package.json +++ b/src/test/resources/tst_manifests/npm/deps_with_ignore/package.json @@ -26,7 +26,7 @@ "axios": "^0.19.0", "jsdom": "^19.0.0" }, - "exhortignore": [ + "trustify-da-ignore": [ "jsonwebtoken" ] } diff --git a/src/test/resources/tst_manifests/pip/pip_requirements_txt_ignore/requirements.txt b/src/test/resources/tst_manifests/pip/pip_requirements_txt_ignore/requirements.txt index 923fd84f..b2d9e01f 100644 --- a/src/test/resources/tst_manifests/pip/pip_requirements_txt_ignore/requirements.txt +++ b/src/test/resources/tst_manifests/pip/pip_requirements_txt_ignore/requirements.txt 
@@ -3,7 +3,7 @@ asgiref==3.4.1 beautifulsoup4==4.12.2 certifi==2023.7.22 chardet==4.0.0 -click==8.0.4 #exhortignore +click==8.0.4 #trustify-da-ignore contextlib2==21.6.0 fastapi==0.75.1 Flask==2.0.3 @@ -14,7 +14,7 @@ importlib-metadata==4.8.3 itsdangerous==2.0.1 Jinja2==3.0.3 MarkupSafe==2.0.1 -pydantic==1.9.2 # exhortignore +pydantic==1.9.2 # trustify-da-ignore requests==2.25.1 six==1.16.0 sniffio==1.2.0 diff --git a/src/test/resources/tst_manifests/pnpm/deps_with_ignore/package.json b/src/test/resources/tst_manifests/pnpm/deps_with_ignore/package.json index c70814f9..0adaa772 100644 --- a/src/test/resources/tst_manifests/pnpm/deps_with_ignore/package.json +++ b/src/test/resources/tst_manifests/pnpm/deps_with_ignore/package.json @@ -26,7 +26,7 @@ "axios": "^0.19.0", "jsdom": "^19.0.0" }, - "exhortignore": [ + "trustify-da-ignore": [ "jsonwebtoken" ], "packageManager": "pnpm@10.8.0+sha512.0e82714d1b5b43c74610193cb20734897c1d00de89d0e18420aebc5977fa13d780a9cb05734624e81ebd81cc876cd464794850641c48b9544326b5622ca29971" diff --git a/src/test/resources/tst_manifests/yarn-berry/deps_with_ignore/package.json b/src/test/resources/tst_manifests/yarn-berry/deps_with_ignore/package.json index 003db0f3..231448f8 100644 --- a/src/test/resources/tst_manifests/yarn-berry/deps_with_ignore/package.json +++ b/src/test/resources/tst_manifests/yarn-berry/deps_with_ignore/package.json @@ -26,7 +26,7 @@ "mongoose": "^5.9.18", "nodemon": "^2.0.4" }, - "exhortignore": [ + "trustify-da-ignore": [ "jsonwebtoken" ], "packageManager": "yarn@4.9.1" diff --git a/src/test/resources/tst_manifests/yarn-classic/deps_with_ignore/package.json b/src/test/resources/tst_manifests/yarn-classic/deps_with_ignore/package.json index 69239a26..4886dcc4 100644 --- a/src/test/resources/tst_manifests/yarn-classic/deps_with_ignore/package.json +++ b/src/test/resources/tst_manifests/yarn-classic/deps_with_ignore/package.json 
@@ -26,7 +26,7 @@ "axios": "^0.19.0", "jsdom": "^19.0.0" }, - "exhortignore": [ + "trustify-da-ignore": [ "jsonwebtoken" ], "packageManager": "yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e" From 5b5e708e78548c0373d0e324f5f09796d7ced66f Mon Sep 17 00:00:00 2001 From: Chao Wang Date: Fri, 14 Nov 2025 20:58:43 +0800 Subject: [PATCH 3/5] fix: typo fix --- catalog-info.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/catalog-info.yaml b/catalog-info.yaml index 5ef62924..c30e46cf 100644 --- a/catalog-info.yaml +++ b/catalog-info.yaml @@ -2,7 +2,7 @@ apiVersion: backstage.io/v1alpha1 kind: Component metadata: annotations: - backstage.io/kuberqnetes-id: trustify-da-java-client + backstage.io/kubernetes-id: trustify-da-java-client github.com/project-slug: guacsec/trustify-da-java-client github.com/project-readme-path: README.md backstage.io/view-url: https://github.com/guacsec/trustify-da-java-client/blob/main/catalog-info.yaml From 0b58a723381f0d1839128602d51358e5a0ccdc8a Mon Sep 17 00:00:00 2001 From: Chao Wang Date: Fri, 14 Nov 2025 20:01:54 +0800 Subject: [PATCH 4/5] fix: fix README.md, rename to IGNORE_PATTERN and update IgnorePatternDetector --- README.md | 31 ++++---- .../providers/JavaMavenProvider.java | 15 +++- .../providers/PythonPipProvider.java | 16 +++- .../providers/javascript/model/Manifest.java | 24 +++--- .../utils/IgnorePatternDetector.java | 30 +------- .../utils/IgnorePatternDetectorTest.java | 73 ------------------- .../golang/go_mod_with_all_ignore/go.mod | 6 +- 7 files changed, 59 insertions(+), 136 deletions(-) delete mode 100644 src/test/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetectorTest.java diff --git a/README.md b/README.md index 415cf028..4780e1f0 100644 --- a/README.md +++ b/README.md @@ -177,7 +177,10 @@ public class TrustifyExample {

Excluding Packages

-Excluding a package from any analysis can be achieved by marking the package for exclusion using either the trustify-da-ignore syntax or the legacy exhortignore. +Excluding a package from any analysis can be achieved by marking the package for exclusion using either the trustify-da-ignore syntax. + +Although both `trustify-da-ignore` and `exhortignore` patterns work identically and can be used interchangeably. The `trustify-da-ignore` syntax is recommended for new projects, while `exhortignore` continues to be supported for backwards compatibility. You can gradually migrate your projects or use both patterns in the same manifest. +

-#### Migration from exhortignore to trustify-da-ignore -Both `exhortignore` and `trustify-da-ignore` patterns work identically and can be used interchangeably. The `trustify-da-ignore` syntax is recommended for new projects, while `exhortignore` continues to be supported for backwards compatibility. You can gradually migrate your projects or use both patterns in the same manifest. - #### Ignore Strategies - experimental You can specify the method to ignore dependencies in manifest (globally), by setting the environment variable `TRUSTIFY_DA_IGNORE_METHOD` to one of the following values: diff --git a/src/main/java/io/github/guacsec/trustifyda/providers/JavaMavenProvider.java b/src/main/java/io/github/guacsec/trustifyda/providers/JavaMavenProvider.java index 08b0961a..424c2d0a 100644 --- a/src/main/java/io/github/guacsec/trustifyda/providers/JavaMavenProvider.java +++ b/src/main/java/io/github/guacsec/trustifyda/providers/JavaMavenProvider.java @@ -278,7 +278,7 @@ private List getDependencies(final Path manifestPath) thro if (!Objects.isNull(dependencyAggregator)) { // if we hit an ignore comment, mark aggregator to be ignored if (reader.getEventType() == XMLStreamConstants.COMMENT - && IgnorePatternDetector.isIgnoreComment(reader.getText())) { + && isIgnoreComment(reader.getText())) { dependencyAggregator.ignored = true; continue; } @@ -492,4 +492,17 @@ public static String normalizePath(String thePath) { } return result; } + + /** + * Checks if a comment text exactly matches an ignore pattern. Used for XML comment detection in + * pom.xml files. + * + * @param commentText the comment text to check (will be stripped of whitespace) + * @return true if the comment exactly matches an ignore pattern + */ + private boolean isIgnoreComment(String commentText) { + String stripped = commentText.strip(); + return IgnorePatternDetector.IGNORE_PATTERN.equals(stripped) + || IgnorePatternDetector.LEGACY_IGNORE_PATTERN.equals(stripped); + } } 
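Review bot: The `isIgnoreComment` helper added at the end of JavaMavenProvider is private, and this patch also deletes IgnorePatternDetectorTest. That leaves the exact-match rule without a direct test, including the cases where `"exhortignore extra"` and `"prefix exhortignore"` must not count as markers. A matching comment removes a dependency from the analysis, so the rule is worth pinning. The helper reads no instance state, so it could be declared `static boolean isIgnoreComment(String commentText)` (package-private) and the deleted `testIsIgnoreComment` cases moved into a provider test. A Javadoc line stating that the comparison is exact after `strip()` and that substrings are deliberately rejected would also help the next reader.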
diff --git a/src/main/java/io/github/guacsec/trustifyda/providers/PythonPipProvider.java b/src/main/java/io/github/guacsec/trustifyda/providers/PythonPipProvider.java index 23249208..c11c9bb5 100644 --- a/src/main/java/io/github/guacsec/trustifyda/providers/PythonPipProvider.java +++ b/src/main/java/io/github/guacsec/trustifyda/providers/PythonPipProvider.java @@ -169,12 +169,26 @@ private void handleIgnoredDependencies(String manifestContent, Sbom sbom) { } } + /** + * Checks if a text line contains a Python pip ignore pattern. Handles both '#exhortignore' and + * '#trustify-da-ignore' with optional spacing. + * + * @param line the line to check + * @return true if the line contains a Python pip ignore pattern + */ + private boolean containsPythonIgnorePattern(String line) { + return line.contains("#" + IgnorePatternDetector.IGNORE_PATTERN) + || line.contains("# " + IgnorePatternDetector.IGNORE_PATTERN) + || line.contains("#" + IgnorePatternDetector.LEGACY_IGNORE_PATTERN) + || line.contains("# " + IgnorePatternDetector.LEGACY_IGNORE_PATTERN); + } + private Set getIgnoredDependencies(String requirementsDeps) { String[] requirementsLines = requirementsDeps.split(System.lineSeparator()); Set collected = Arrays.stream(requirementsLines) - .filter(IgnorePatternDetector::containsPythonIgnorePattern) + .filter(this::containsPythonIgnorePattern) .map(PythonPipProvider::extractDepFull) .map(this::splitToNameVersion) .map(dep -> toPurl(dep[0], dep[1])) diff --git a/src/main/java/io/github/guacsec/trustifyda/providers/javascript/model/Manifest.java b/src/main/java/io/github/guacsec/trustifyda/providers/javascript/model/Manifest.java index aedda56c..2be133d0 100644 --- a/src/main/java/io/github/guacsec/trustifyda/providers/javascript/model/Manifest.java +++ b/src/main/java/io/github/guacsec/trustifyda/providers/javascript/model/Manifest.java 
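Review bot: `containsPythonIgnorePattern` matches the marker as a bare substring after `#` or `# `, so a comment whose first word merely begins with the token is treated as an ignore marker. A marker written with two spaces or a tab after `#` is not honoured, although the Javadoc says "optional spacing". Anchoring the match would make both cases explicit, for example `private static final Pattern PIP_IGNORE = Pattern.compile("#\\s*(?:trustify-da-ignore|exhortignore)(?=\\s|$)");` with `return PIP_IGNORE.matcher(line).find();`. That needs `java.util.regex.Pattern` in the imports, which are outside this hunk. `getIgnoredDependencies` continues past the end of the hunk, so the effect on the rest of the pipeline cannot be checked from here.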
@@ -18,9 +18,9 @@ import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.ObjectMapper; -import com.fasterxml.jackson.databind.node.ArrayNode; import com.github.packageurl.PackageURL; import io.github.guacsec.trustifyda.providers.JavaScriptProvider; +import io.github.guacsec.trustifyda.utils.IgnorePatternDetector; import java.io.IOException; import java.nio.file.Files; import java.nio.file.Path; @@ -68,18 +68,18 @@ private Set loadDependencies(JsonNode content) { } private Set loadIgnored(JsonNode content) { - var names = new HashSet(); - if (content != null) { - processIgnoreArray(content, "exhortignore", names); - processIgnoreArray(content, "trustify-da-ignore", names); + if (content == null) { + return Collections.emptySet(); } - return names.isEmpty() ? Collections.emptySet() : Collections.unmodifiableSet(names); - } - - private void processIgnoreArray(JsonNode content, String key, Set names) { - var ignore = (ArrayNode) content.get(key); - if (ignore != null && !ignore.isEmpty()) { - ignore.forEach(n -> names.add(n.asText())); + var node = content.get(IgnorePatternDetector.IGNORE_PATTERN); + if (node == null || node.isEmpty()) { + node = content.get(IgnorePatternDetector.LEGACY_IGNORE_PATTERN); + } + if (node != null && !node.isEmpty()) { + var names = new HashSet(); + node.forEach(n -> names.add(n.asText())); + return Collections.unmodifiableSet(names); } + return Collections.emptySet(); } } diff --git a/src/main/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetector.java b/src/main/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetector.java index 6ca1c522..1dfd41b7 100644 --- a/src/main/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetector.java +++ b/src/main/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetector.java 
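Review bot: In the rewritten `loadIgnored`, a non-empty `trustify-da-ignore` value means `exhortignore` is never read. The removed lines collected names from both keys, and the README text in this same patch still says both patterns can be used in the same manifest. A package.json carrying both arrays would therefore silently lose its legacy entries. Separately, `node.forEach` now runs on whatever node type is present, so an `isArray()` check would keep a malformed value from being read as an ignore list. Merging both keys restores the documented behaviour:

```java
// … unchanged: null check returning Collections.emptySet() …
var names = new HashSet<String>();
for (var key :
    new String[] {
      IgnorePatternDetector.IGNORE_PATTERN, IgnorePatternDetector.LEGACY_IGNORE_PATTERN
    }) {
  var node = content.get(key);
  if (node != null && node.isArray()) {
    node.forEach(n -> names.add(n.asText()));
  }
}
return names.isEmpty() ? Collections.emptySet() : Collections.unmodifiableSet(names);
```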
@@ -23,7 +23,7 @@ public class IgnorePatternDetector { public static final String LEGACY_IGNORE_PATTERN = "exhortignore"; - public static final String NEW_IGNORE_PATTERN = "trustify-da-ignore"; + public static final String IGNORE_PATTERN = "trustify-da-ignore"; /** * Checks if a text line contains any ignore pattern (exhortignore or trustify-da-ignore). Used @@ -33,32 +33,6 @@ public class IgnorePatternDetector { * @return true if the text contains any ignore pattern */ public static boolean containsIgnorePattern(String text) { - return text.contains(LEGACY_IGNORE_PATTERN) || text.contains(NEW_IGNORE_PATTERN); - } - - /** - * Checks if a comment text exactly matches an ignore pattern. Used for XML comment detection in - * pom.xml files. - * - * @param commentText the comment text to check (will be stripped of whitespace) - * @return true if the comment exactly matches an ignore pattern - */ - public static boolean isIgnoreComment(String commentText) { - String stripped = commentText.strip(); - return LEGACY_IGNORE_PATTERN.equals(stripped) || NEW_IGNORE_PATTERN.equals(stripped); - } - - /** - * Checks if a text line contains a Python pip ignore pattern. Handles both '#exhortignore' and - * '#trustify-da-ignore' with optional spacing. - * - * @param line the line to check - * @return true if the line contains a Python pip ignore pattern - */ - public static boolean containsPythonIgnorePattern(String line) { - return line.contains("#" + LEGACY_IGNORE_PATTERN) - || line.contains("# " + LEGACY_IGNORE_PATTERN) - || line.contains("#" + NEW_IGNORE_PATTERN) - || line.contains("# " + NEW_IGNORE_PATTERN); + return text.contains(LEGACY_IGNORE_PATTERN) || text.contains(IGNORE_PATTERN); } } diff --git a/src/test/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetectorTest.java b/src/test/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetectorTest.java deleted file mode 100644 index 178e156e..00000000 
--- a/src/test/java/io/github/guacsec/trustifyda/utils/IgnorePatternDetectorTest.java +++ /dev/null 
@@ -1,73 +0,0 @@ -/* - * Copyright 2023-2025 Trustify Dependency Analytics Authors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package io.github.guacsec.trustifyda.utils; - -import static org.junit.jupiter.api.Assertions.*; - -import org.junit.jupiter.api.Test; - -public class IgnorePatternDetectorTest { - - @Test - void testContainsIgnorePattern() { - // Test legacy exhortignore - assertTrue(IgnorePatternDetector.containsIgnorePattern("some line //exhortignore")); - assertTrue(IgnorePatternDetector.containsIgnorePattern("exhortignore")); - - // Test new trustify-da-ignore - assertTrue(IgnorePatternDetector.containsIgnorePattern("some line //trustify-da-ignore")); - assertTrue(IgnorePatternDetector.containsIgnorePattern("trustify-da-ignore")); - - // Test negative cases - assertFalse(IgnorePatternDetector.containsIgnorePattern("normal line")); - assertFalse(IgnorePatternDetector.containsIgnorePattern("ignore but not the right pattern")); - } - - @Test - void testIsIgnoreComment() { - // Test legacy exhortignore - assertTrue(IgnorePatternDetector.isIgnoreComment("exhortignore")); - assertTrue(IgnorePatternDetector.isIgnoreComment(" exhortignore ")); - - // Test new trustify-da-ignore - assertTrue(IgnorePatternDetector.isIgnoreComment("trustify-da-ignore")); - assertTrue(IgnorePatternDetector.isIgnoreComment(" trustify-da-ignore ")); - - // Test negative cases - assertFalse(IgnorePatternDetector.isIgnoreComment("not an ignore comment")); - 
assertFalse(IgnorePatternDetector.isIgnoreComment("exhortignore extra")); - assertFalse(IgnorePatternDetector.isIgnoreComment("prefix exhortignore")); - } - - @Test - void testContainsPythonIgnorePattern() { - // Test legacy exhortignore patterns - assertTrue(IgnorePatternDetector.containsPythonIgnorePattern("package==1.0 #exhortignore")); - assertTrue(IgnorePatternDetector.containsPythonIgnorePattern("package==1.0 # exhortignore")); - - // Test new trustify-da-ignore patterns - assertTrue( - IgnorePatternDetector.containsPythonIgnorePattern("package==1.0 #trustify-da-ignore")); - assertTrue( - IgnorePatternDetector.containsPythonIgnorePattern("package==1.0 # trustify-da-ignore")); - - // Test negative cases - assertFalse(IgnorePatternDetector.containsPythonIgnorePattern("package==1.0")); - assertFalse( - IgnorePatternDetector.containsPythonIgnorePattern("package==1.0 # some other comment")); - } -} diff --git a/src/test/resources/tst_manifests/golang/go_mod_with_all_ignore/go.mod b/src/test/resources/tst_manifests/golang/go_mod_with_all_ignore/go.mod index 062b0bbe..e85d70f6 100644 --- a/src/test/resources/tst_manifests/golang/go_mod_with_all_ignore/go.mod +++ b/src/test/resources/tst_manifests/golang/go_mod_with_all_ignore/go.mod @@ -3,9 +3,9 @@ module github.com/devfile-samples/devfile-sample-go-basic go 1.19 require( - github.com/labstack/echo/v4 v4.1.18-0.20201215153152-4422e3b66b9f //exhortignore - github.com/russellhaering/goxmldsig v1.1.0 //exhortignore - github.com/gin-gonic/gin v1.6.0 //exhortignore + github.com/labstack/echo/v4 v4.1.18-0.20201215153152-4422e3b66b9f //trustify-da-ignore + github.com/russellhaering/goxmldsig v1.1.0 //trustify-da-ignore + github.com/gin-gonic/gin v1.6.0 //trustify-da-ignore github.com/miekg/dns v1.0.4-0.20180125103619-43913f2f4fbd //trustify-da-ignore github.com/ipld/go-car v0.3.0 //trustify-da-ignore go.elastic.co/apm v1.11.0 //trustify-da-ignore From 70d3e1019046b21127199ce861b0ced329d1f043 Mon Sep 17 00:00:00 2001 
From: Chao Wang Date: Fri, 14 Nov 2025 21:19:04 +0800 Subject: [PATCH 5/5] fix: formatting issue in README.md --- README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 4780e1f0..676bf4ad 100644 --- a/README.md +++ b/README.md @@ -34,13 +34,13 @@ encrypted-token-will-appear-here ```xml - ... + github github-userid-goes-here encrypted-token-goes-here-including-curly-brackets - ... + ``` @@ -66,12 +66,12 @@ encrypted-token-will-appear-here ```xml - ... + github https://maven.pkg.github.com/guacsec/trustify-da-java-client - ... + ``` @@ -81,7 +81,7 @@ encrypted-token-will-appear-here ```groovy repositories { - ... + // ... other repositories maven { url 'https://maven.pkg.github.com/guacsec/trustify-da-java-client' credentials { @@ -89,7 +89,7 @@ repositories { password System.getenv("GITHUB_TOKEN") } } - ... + // ... other repositories } ``` @@ -232,7 +232,7 @@ Although both `trustify-da-ignore` and `exhortignore` patterns work identically
  • Golang users can add in go.mod a comment with //trustify-da-ignore next to the package to be ignored, or to "piggyback" on existing comment ( e.g - //indirect) , for example: -```go +```mod module github.com/RHEcosystemAppEng/SaaSi/deployer go 1.19 @@ -330,7 +330,7 @@ You can specify the method to ignore dependencies in manifest (globally), by set There are 2 approaches for customizing Trustify DA Java Client. Using Environment Variables or Java Properties: -```java +```text System.setProperty("TRUSTIFY_DA_MVN_PATH", "/path/to/custom/mvn"); System.setProperty("TRUSTIFY_DA_NPM_PATH", "/path/to/custom/npm"); System.setProperty("TRUSTIFY_DA_PNPM_PATH", "/path/to/custom/pnpm"); @@ -489,7 +489,7 @@ export TRUSTIFY_DA_MVN_LOCAL_REPO=/home/user/custom-maven-repo ``` Using Java properties: -```java +```text System.setProperty("TRUSTIFY_DA_MVN_USER_SETTINGS", "/home/user/.m2/custom-settings.xml"); System.setProperty("TRUSTIFY_DA_MVN_LOCAL_REPO", "/home/user/custom-maven-repo"); ```