Feat: Add Nexus IQ scan through REST API

keanjapesan · keanjapesan · commit bdc43273b9fb · 2025-06-06T13:21:01.000-06:00
Additionally convert dep5 config to REUSE.toml as per
reusable-workflows enforces using REUSE.toml from now on.

Signed-off-by: Kevin Sandi &lt;ksandi@contractor.linuxfoundation.org&gt;
Change-Id: I2004c34ebec30bc10b0fce32bf0d9c89374edd8a
diff --git a/.reuse/dep5 b/.reuse/dep5
diff --git a/REUSE.toml b/REUSE.toml
@@ -0,0 +1,73 @@
+version = 1
+
+[[annotations]]
+path = ".github/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = "node_modules/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = "tests/.mypy**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = "tests/__pycache__/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = "relnotes/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = "releasenotes/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = "jjb/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = ".jjb-test/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = "docs/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "CC-BY-4.0"
+
+[[annotations]]
+path = "jenkins-admin/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = "schema/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
+
+[[annotations]]
+path = "reusable-tox-run-action/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2017 The Linux Foundation"
+SPDX-License-Identifier = "EPL-1.0"
diff --git a/docs/jjb/lf-go-jobs.rst b/docs/jjb/lf-go-jobs.rst
@@ -17,7 +17,16 @@ Calls go-test.sh script against a Go project.
 lf-infra-nexus-iq-go-cli
 ------------------------
 
-Calls nexus-iq-go-cli.sh to CLM scan a Go project.
+Calls nexus-iq-go-cli.sh to CLM scan a Go project through CLI.
+
+:Required Parameters:
+
+    :NEXUS_IQ_PROJECT_NAME: Nexus IQ project name that will receive the CLM scan results.
+
+lf-infra-nexus-iq-go-api
+------------------------
+
+Calls nexus-iq-go-api.sh to CLM scan a Go project through REST API.
 
 :Required Parameters:
 
diff --git a/jjb/lf-go-jobs.yaml b/jjb/lf-go-jobs.yaml
@@ -17,6 +17,14 @@
             NEXUS_IQ_PROJECT_NAME={nexus-iq-project-name}
       - shell: !include-raw-escape: ../shell/nexus-iq-go-cli.sh
 
+- builder:
+    name: lf-infra-nexus-iq-go-api
+    builders:
+      - inject:
+          properties-content: |
+            NEXUS_IQ_PROJECT_NAME={nexus-iq-project-name}
+      - shell: !include-raw-escape: ../shell/nexus-iq-go-api.sh
+
 ############
 # WRAPPERS #
 ############
@@ -344,6 +352,7 @@
     git-url: "$GIT_URL/$PROJECT"
     github-url: "https://github.com"
     java-version: openjdk17 # Scanner is a jar
+    nexus-iq-use-cli: true
     nexus-iq-cli-version: 1.185.0-01
     nexus-iq-namespace: "" # Recommend a trailing dash when set. Example: odl-
     nexus-target-build: "go.sum"
@@ -395,8 +404,24 @@
       - lf-update-java-alternatives:
           java-version: "{java-version}"
       - shell: "{pre-build-script}"
-      - lf-infra-nexus-iq-go-cli:
-          nexus-iq-project-name: "{nexus-iq-namespace}{project-name}"
+      # With CLI
+      - conditional-step:
+          condition-kind: boolean-expression
+          condition-expression: "{nexus-iq-use-cli}"
+          steps:
+            - shell: echo 'Using Nexus IQ CLI'
+            - lf-infra-nexus-iq-go-cli:
+                nexus-iq-project-name: "{nexus-iq-namespace}{project-name}"
+      # With REST API
+      - conditional-step:
+          condition-kind: not
+          condition-operand:
+            condition-kind: boolean-expression
+            condition-expression: "{nexus-iq-use-cli}"
+          steps:
+            - shell: echo 'Using Nexus IQ REST API'
+            - lf-infra-nexus-iq-go-api:
+                nexus-iq-project-name: "{nexus-iq-namespace}{project-name}"
 
 - job-template:
     name: "{project-name}-nexus-iq-go-clm-{stream}"
diff --git a/releasenotes/notes/nexus-iq-scan-through-api-336e114fb52f6183.yaml b/releasenotes/notes/nexus-iq-scan-through-api-336e114fb52f6183.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Add support for running Nexus IQ scan through REST API when CLI option
+    is not enough, like when scanning a Golang project which requires
+    scanning the bom.xml file and CLI doesn't support it properly.
diff --git a/shell/nexus-iq-go-api.sh b/shell/nexus-iq-go-api.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+# SPDX-License-Identifier: EPL-1.0
+##############################################################################
+# Copyright (c) 2025 The Linux Foundation and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+##############################################################################
+echo "---> nexus-iq-go-api.sh"
+# This script installs and runs cyclonedx-gomod to generate an SBOM xml
+# for the Go project, then uses Nexus IQ REST API to analyze the Go project
+# dependencies and publishes the result to Nexus IQ server.
+
+# stop on error or unbound variable
+set -eu
+# do not print commands, credentials should not be logged
+set +x
+
+# shellcheck disable=SC1090
+. ~/lf-env.sh
+
+go version
+go mod tidy
+
+echo "INFO: running Nexus IQ scan (through REST API) on project $NEXUS_IQ_PROJECT_NAME and target: bom.xml"
+
+go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
+PATH=$PATH:$(go env GOPATH)/bin
+export PATH
+cyclonedx-gomod mod -output bom.xml -output-version 1.5 # upgrade to latest SBOM schema version when Nexus IQ version >= 180
+
+APP_ID=$(curl -u "${NEXUS_IQ_USER}:${NEXUS_IQ_PASSWORD}" \
+    -X GET "https://nexus-iq.wl.linuxfoundation.org/api/v2/applications?publicId={$NEXUS_IQ_PROJECT_NAME}" \
+    -s \
+    | jq -r ".applications[].id")
+
+curl -u "${NEXUS_IQ_USER}:${NEXUS_IQ_PASSWORD}" \
+    -X POST -H "Content-Type: application/xml" --data "@bom.xml" \
+    "https://nexus-iq.wl.linuxfoundation.org/api/v2/scan/applications/$APP_ID/sources/cyclonedx"
+
+echo "---> nexus-iq-go-api.sh ends"
