Merge pull request #34 from nigredo-tori/33-sbt-1.3.x

Remove hardcoded plugin JAR path
code-star · Nov 22, 2019 · 6ffe087 · 6ffe087
2 parents f1d6bc7 + 974d3fa
commit 6ffe087
Show file tree

Hide file tree

Showing 7 changed files with 39 additions and 5 deletions.
diff --git a/build.sbt b/build.sbt
@@ -16,8 +16,6 @@ scriptedLaunchOpts := { scriptedLaunchOpts.value ++
 }
 scriptedBufferLog := false
 
-libraryDependencies += "com.h3xstream.findsecbugs" % "findsecbugs-plugin" % "1.9.0"
-
 bintrayRepository := "sbt-findsecbugs"
 bintrayOrganization := Some("code-star")
 

diff --git a/src/main/scala/nl/codestar/sbtfindsecbugs/FindSecBugs.scala b/src/main/scala/nl/codestar/sbtfindsecbugs/FindSecBugs.scala
@@ -11,6 +11,7 @@ object FindSecBugs extends AutoPlugin {
 
   private val spotbugsVersion = "3.1.12"
   private val findsecbugsPluginVersion = "1.9.0"
+  private val pluginId = "com.h3xstream.findsecbugs" % "findsecbugs-plugin" % findsecbugsPluginVersion
 
   private val FindsecbugsConfig = sbt.config("findsecbugs")
     .describedAs("Classpath configuration for SpotBugs")
@@ -35,7 +36,7 @@ object FindSecBugs extends AutoPlugin {
     ivyConfigurations += FindsecbugsConfig,
     libraryDependencies ++= Seq(
       "com.github.spotbugs" % "spotbugs" % spotbugsVersion % FindsecbugsConfig,
-      "com.h3xstream.findsecbugs" % "findsecbugs-plugin" % findsecbugsPluginVersion % FindsecbugsConfig,
+      pluginId % FindsecbugsConfig,
       "org.slf4j" % "slf4j-simple" % "1.8.0-beta4" % FindsecbugsConfig
     ),
     findSecBugs := (findSecBugsTask tag FindSecBugsTag).value,
@@ -48,12 +49,15 @@ object FindSecBugs extends AutoPlugin {
     lazy val output = (artifactPath in findSecBugs).value
     lazy val classpath = commandLineClasspath((dependencyClasspath in FindsecbugsConfig).value.files)
     lazy val auxClasspath = commandLineClasspath((dependencyClasspath in Compile).value.files)
-    lazy val ivyHome = ivyPaths(_.ivyHome).value.getOrElse(Path.userHome / ".ivy2")
-    lazy val pluginList = s"${ivyHome.absolutePath}/cache/com.h3xstream.findsecbugs/findsecbugs-plugin/jars/findsecbugs-plugin-$findsecbugsPluginVersion.jar"
     lazy val classDirs = (products in Compile).value
     lazy val jHome = javaHome.value
     lazy val excludeFile = findSecBugsExcludeFile.value
 
+    lazy val updateReport = update.value
+    lazy val pluginList: String = findPluginJar(updateReport).getOrElse(
+      sys.error(s"Failed to find resolved JAR for $pluginId")
+    ).getAbsolutePath
+
     IO.createDirectory(output.getParentFile)
     IO.withTemporaryDirectory { tempdir =>
       val includeFile = createIncludesFile(tempdir)
@@ -109,6 +113,17 @@ object FindSecBugs extends AutoPlugin {
     includeFile
   }
 
+  private def findPluginJar(updateReport: UpdateReport): Option[File] =
+    updateReport.configuration(FindsecbugsConfig)
+      .flatMap(_.modules.find { resolvedModule =>
+        // We don't compare the revisions, etc. - resolution can change those.
+        resolvedModule.module.organization == pluginId.organization &&
+        resolvedModule.module.name == pluginId.name
+      })
+      .flatMap(_.artifacts.collectFirst {
+        case (artifact, file) if artifact.`type` == Artifact.DefaultType => file
+      })
+
   /**
     * FindBugs logs everyting to stderr, even when everything was succesful.
     * This logger makes that logging a little bit smarter.

diff --git a/src/sbt-test/test-output/test-sbt-1.3.x/build.sbt b/src/sbt-test/test-output/test-sbt-1.3.x/build.sbt
@@ -0,0 +1,5 @@
+lazy val root = (project in file("."))
+  .settings(
+    version := "0.1",
+    scalaVersion := "2.12.3"
+  )
diff --git a/src/sbt-test/test-output/test-sbt-1.3.x/project/build.properties b/src/sbt-test/test-output/test-sbt-1.3.x/project/build.properties
@@ -0,0 +1 @@
+sbt.version=1.3.3
diff --git a/src/sbt-test/test-output/test-sbt-1.3.x/project/plugins.sbt b/src/sbt-test/test-output/test-sbt-1.3.x/project/plugins.sbt
@@ -0,0 +1,5 @@
+sys.props.get("plugin.version") match {
+  case Some(x) => addSbtPlugin("nl.codestar" % "sbt-findsecbugs" % x)
+  case _ => sys.error("""|The system property 'plugin.version' is not defined.
+                         |Specify this property using the scriptedLaunchOpts -D.""".stripMargin)
+}
diff --git a/src/sbt-test/test-output/test-sbt-1.3.x/src/main/java/Foo.java b/src/sbt-test/test-output/test-sbt-1.3.x/src/main/java/Foo.java
@@ -0,0 +1,7 @@
+class Foo {
+  // Should trigger COMMAND_INJECTION
+  void commandInjection(String input) throws java.io.IOException {
+    Runtime r = Runtime.getRuntime();
+    r.exec("/bin/sh -c some_tool" + input);
+  }
+}
diff --git a/src/sbt-test/test-output/test-sbt-1.3.x/test b/src/sbt-test/test-output/test-sbt-1.3.x/test
@@ -0,0 +1,3 @@
+# We expect this to fail since we have a bug here
+-> findSecBugs
+$ exists target/scala-2.12/findsecbugs/report.html