Release: 1.5.0

Author: sonatype-zion

action.yml

@@ -44,7 +44,7 @@ runs:
   steps:
     - name: Evaluate
       id: evaluate
-      uses: sonatype/actions/evaluate@v1.4.3
+      uses: sonatype/actions/evaluate@v1.5.0
       with:
         iq-server-url: ${{ inputs.iq-server-url }}
         username: ${{ inputs.username }}

evaluate/action.yml

@@ -139,7 +139,7 @@ runs:
   steps:
     - name: Setup IQ CLI Action
       id: setup-iq-cli
-      uses: sonatype/actions/setup-iq-cli@v1.4.3
+      uses: sonatype/actions/setup-iq-cli@v1.5.0
       with:
         iq-cli-version: 'latest'
 
@@ -150,7 +150,7 @@ runs:
 
     - name: Run IQ CLI Action
       id: run-iq-cli
-      uses: sonatype/actions/run-iq-cli@v1.4.3
+      uses: sonatype/actions/run-iq-cli@v1.5.0
       with:
         iq-cli-version: ${{ steps.setup-iq-cli.outputs.iq-cli-version }}
         username: ${{ inputs.username }}

fetch-sbom/README.md

@@ -71,7 +71,7 @@ jobs:
 
 > **sbom-version**\
 > The version of the SBOM standard.\
-> Available CycloneDX versions: `1.2`, `1.3`, `1.4`, `1.5`, `1.6` (1.6 as default value). Available SPDX versions: `2.3`
+> Available CycloneDX versions: `1.2`, `1.3`, `1.4`, `1.5`, `1.6` (1.6 as default value). Available SPDX versions: `2.2 and 2.3`
 > (2.3 as default value). `Optional`
 
 > **sbom-format**\

fetch-sbom/action.yml

@@ -32,7 +32,7 @@ inputs:
   sbom-version:
     description:
       'The version of the SBOM (- Available CycloneDX Versions: 1.2, 1.3, 1.4, 1.5, 1.6. Default version for CycloneDX
-      is 1.6 - Available SPDX version: 2.3)'
+      is 1.6 - Available SPDX versions: 2.2, 2.3, Default for SPDX is 2.3)'
     required: false
   artifact-name:
     description: 'The name of the artifact to be uploaded.'

fetch-sbom/dist/cleanup/index.js

@@ -25066,6 +25066,16 @@ function getAndValidateInputs() {
     if (!validStandards.includes(sbomStandard)) {
         throw new Error(`Invalid SBOM standard: ${sbomStandard}. Valid options are SPDX or CycloneDX.`);
     }
+    if (sbomVersion) {
+        const supportedCycloneDxVersions = ['1.2', '1.3', '1.4', '1.5', '1.6'];
+        if (sbomStandard.toLowerCase() === constants_1.CYCLONEDX_FORMAT && !supportedCycloneDxVersions.includes(sbomVersion)) {
+            throw new Error(`Supported versions for CycloneDX is: ${supportedCycloneDxVersions}`);
+        }
+        const supportedSpdxVersions = ['2.2', '2.3'];
+        if (sbomStandard.toLowerCase() === constants_1.SPDX_FORMAT && !supportedSpdxVersions.includes(sbomVersion)) {
+            throw new Error(`Supported versions for SPDX is: ${supportedSpdxVersions}`);
+        }
+    }
     if (sbomStandard?.toLowerCase() === constants_1.CYCLONEDX_FORMAT && !sbomVersion) {
         sbomVersion = constants_1.CYCLONEDX_16_VERSION;
     }

fetch-sbom/dist/main/index.js

@@ -119182,6 +119182,16 @@ function getAndValidateInputs() {
     if (!validStandards.includes(sbomStandard)) {
         throw new Error(`Invalid SBOM standard: ${sbomStandard}. Valid options are SPDX or CycloneDX.`);
     }
+    if (sbomVersion) {
+        const supportedCycloneDxVersions = ['1.2', '1.3', '1.4', '1.5', '1.6'];
+        if (sbomStandard.toLowerCase() === constants_1.CYCLONEDX_FORMAT && !supportedCycloneDxVersions.includes(sbomVersion)) {
+            throw new Error(`Supported versions for CycloneDX is: ${supportedCycloneDxVersions}`);
+        }
+        const supportedSpdxVersions = ['2.2', '2.3'];
+        if (sbomStandard.toLowerCase() === constants_1.SPDX_FORMAT && !supportedSpdxVersions.includes(sbomVersion)) {
+            throw new Error(`Supported versions for SPDX is: ${supportedSpdxVersions}`);
+        }
+    }
     if (sbomStandard?.toLowerCase() === constants_1.CYCLONEDX_FORMAT && !sbomVersion) {
         sbomVersion = constants_1.CYCLONEDX_16_VERSION;
     }
@@ -143692,7 +143702,7 @@ module.exports = index;
 /***/ ((module) => {
 
 "use strict";
-module.exports = JSON.parse('{"name":"fetch-sbom","description":"GitHub Action for obtaining an SBOM","version":"1.4.3","author":"sonatype","private":true,"homepage":"https://github.com/sonatype/actions/fetch-sbom","repository":{"type":"git","url":"git+https://github.com/sonatype/actions/fetch-sbom.git"},"bugs":{"url":"https://github.com/sonatype/actions/fetch-sbom/issues"},"keywords":["actions","node","setup"],"exports":{".":"./dist/index.js"},"engines":{"node":">=20"},"scripts":{"bundle":"npm run format:write && npm run package","ci-test":"npx jest","coverage":"npx make-coverage-badge --output-path ./badges/coverage.svg","format:write":"npx prettier --config ../.prettierrc.json --ignore-path ../.prettierignore --write .","format:check":"npx prettier --config ../.prettierrc.json --ignore-path ../.prettierignore --check .","lint":"npx eslint . -c ../.github/linters/.eslintrc.yml --ignore-path ../.eslintignore","package":"npx ncc build src/index.ts -o dist/main --license licenses.txt && npx ncc build src/cleanup.ts -o dist/cleanup --license licenses.txt","package:watch":"npm run package -- --watch","test":"npx jest","all":"npm run format:write && npm run lint && npm run test && npm run coverage && npm run package"},"license":"SEE LICENSE IN LICENSE","jest":{"preset":"ts-jest","verbose":true,"clearMocks":true,"testEnvironment":"node","moduleFileExtensions":["js","ts"],"testMatch":["**/*.test.ts"],"testPathIgnorePatterns":["/node_modules/","/dist/"],"transform":{"^.+\\\\.ts$":"ts-jest"},"coverageReporters":["json-summary","text","lcov"],"collectCoverage":true,"collectCoverageFrom":["./src/**"],"reporters":["default",["jest-junit",{"suiteName":"fetch-sbom unit tests","titleTemplate":"{title}","outputName":"fetch-sbom-test-results.xml","ancestorSeparator":" > "}]]},"dependencies":{"@actions/artifact":"^2.1.7","@actions/github":"^6.0.0","@actions/tool-cache":"^2.0.1","@github/dependency-submission-toolkit":"^2.0.4","axios":"^1.7.2"}}');
+module.exports = JSON.parse('{"name":"fetch-sbom","description":"GitHub Action for obtaining an SBOM","version":"1.5.0","author":"sonatype","private":true,"homepage":"https://github.com/sonatype/actions/fetch-sbom","repository":{"type":"git","url":"git+https://github.com/sonatype/actions/fetch-sbom.git"},"bugs":{"url":"https://github.com/sonatype/actions/fetch-sbom/issues"},"keywords":["actions","node","setup"],"exports":{".":"./dist/index.js"},"engines":{"node":">=20"},"scripts":{"bundle":"npm run format:write && npm run package","ci-test":"npx jest","coverage":"npx make-coverage-badge --output-path ./badges/coverage.svg","format:write":"npx prettier --config ../.prettierrc.json --ignore-path ../.prettierignore --write .","format:check":"npx prettier --config ../.prettierrc.json --ignore-path ../.prettierignore --check .","lint":"npx eslint . -c ../.github/linters/.eslintrc.yml --ignore-path ../.eslintignore","package":"npx ncc build src/index.ts -o dist/main --license licenses.txt && npx ncc build src/cleanup.ts -o dist/cleanup --license licenses.txt","package:watch":"npm run package -- --watch","test":"npx jest","all":"npm run format:write && npm run lint && npm run test && npm run coverage && npm run package"},"license":"SEE LICENSE IN LICENSE","jest":{"preset":"ts-jest","verbose":true,"clearMocks":true,"testEnvironment":"node","moduleFileExtensions":["js","ts"],"testMatch":["**/*.test.ts"],"testPathIgnorePatterns":["/node_modules/","/dist/"],"transform":{"^.+\\\\.ts$":"ts-jest"},"coverageReporters":["json-summary","text","lcov"],"collectCoverage":true,"collectCoverageFrom":["./src/**"],"reporters":["default",["jest-junit",{"suiteName":"fetch-sbom unit tests","titleTemplate":"{title}","outputName":"fetch-sbom-test-results.xml","ancestorSeparator":" > "}]]},"dependencies":{"@actions/artifact":"^2.1.7","@actions/github":"^6.0.0","@actions/tool-cache":"^2.0.1","@github/dependency-submission-toolkit":"^2.0.4","axios":"^1.7.2"}}');
 
 /***/ }),
 

run-iq-cli/dist/main/index.js

@@ -141073,7 +141073,7 @@ module.exports = JSON.parse('[[[0,44],"disallowed_STD3_valid"],[[45,46],"valid"]
 /***/ ((module) => {
 
 "use strict";
-module.exports = JSON.parse('{"name":"run-iq-cli","description":"GitHub Action to run IQ cli","version":"1.4.3","author":"sonatype","private":true,"homepage":"https://github.com/sonatype/actions/run-iq-cli","repository":{"type":"git","url":"git+https://github.com/sonatype/actions/run-iq-cli.git"},"bugs":{"url":"https://github.com/sonatype/actions/run-iq-cli/issues"},"keywords":["actions","node","setup"],"exports":{".":"./dist/index.js"},"engines":{"node":">=20"},"scripts":{"bundle":"npm run format:write && npm run package","ci-test":"npx jest","coverage":"npx make-coverage-badge --output-path ./badges/coverage.svg","format:write":"npx prettier --config ../.prettierrc.json --ignore-path ../.prettierignore --write .","format:check":"npx prettier --config ../.prettierrc.json --ignore-path ../.prettierignore --check .","lint":"npx eslint . -c ../.github/linters/.eslintrc.yml --ignore-path ../.eslintignore","package":"npx ncc build src/index.ts -o dist/main --license licenses.txt && npx ncc build src/cleanup.ts -o dist/cleanup --license licenses.txt","package:watch":"npm run package -- --watch","test":"npx jest","all":"npm run format:write && npm run lint && npm run test && npm run coverage && npm run package"},"license":"SEE LICENSE IN LICENSE","jest":{"preset":"ts-jest","verbose":true,"clearMocks":true,"testEnvironment":"node","moduleFileExtensions":["js","ts"],"testMatch":["**/*.test.ts"],"testPathIgnorePatterns":["/node_modules/","/dist/"],"transform":{"^.+\\\\.ts$":"ts-jest"},"coverageReporters":["json-summary","text","lcov"],"collectCoverage":true,"collectCoverageFrom":["./src/**"],"reporters":["default",["jest-junit",{"suiteName":"run-iq-cli unit tests","titleTemplate":"{title}","outputName":"run-iq-cli-test-results.xml","ancestorSeparator":" > "}]]},"dependencies":{"@actions/artifact":"^2.1.7","@actions/exec":"^1.1.1","@actions/glob":"^0.4.0","@actions/tool-cache":"^2.0.1","axios":"^1.7.7","semver":"^7.6.3"}}');
+module.exports = JSON.parse('{"name":"run-iq-cli","description":"GitHub Action to run IQ cli","version":"1.5.0","author":"sonatype","private":true,"homepage":"https://github.com/sonatype/actions/run-iq-cli","repository":{"type":"git","url":"git+https://github.com/sonatype/actions/run-iq-cli.git"},"bugs":{"url":"https://github.com/sonatype/actions/run-iq-cli/issues"},"keywords":["actions","node","setup"],"exports":{".":"./dist/index.js"},"engines":{"node":">=20"},"scripts":{"bundle":"npm run format:write && npm run package","ci-test":"npx jest","coverage":"npx make-coverage-badge --output-path ./badges/coverage.svg","format:write":"npx prettier --config ../.prettierrc.json --ignore-path ../.prettierignore --write .","format:check":"npx prettier --config ../.prettierrc.json --ignore-path ../.prettierignore --check .","lint":"npx eslint . -c ../.github/linters/.eslintrc.yml --ignore-path ../.eslintignore","package":"npx ncc build src/index.ts -o dist/main --license licenses.txt && npx ncc build src/cleanup.ts -o dist/cleanup --license licenses.txt","package:watch":"npm run package -- --watch","test":"npx jest","all":"npm run format:write && npm run lint && npm run test && npm run coverage && npm run package"},"license":"SEE LICENSE IN LICENSE","jest":{"preset":"ts-jest","verbose":true,"clearMocks":true,"testEnvironment":"node","moduleFileExtensions":["js","ts"],"testMatch":["**/*.test.ts"],"testPathIgnorePatterns":["/node_modules/","/dist/"],"transform":{"^.+\\\\.ts$":"ts-jest"},"coverageReporters":["json-summary","text","lcov"],"collectCoverage":true,"collectCoverageFrom":["./src/**"],"reporters":["default",["jest-junit",{"suiteName":"run-iq-cli unit tests","titleTemplate":"{title}","outputName":"run-iq-cli-test-results.xml","ancestorSeparator":" > "}]]},"dependencies":{"@actions/artifact":"^2.1.7","@actions/exec":"^1.1.1","@actions/glob":"^0.4.0","@actions/tool-cache":"^2.0.1","axios":"^1.7.7","semver":"^7.6.3"}}');
 
 /***/ })
 

setup-iq-cli/dist/main/index.js

@@ -31343,11 +31343,34 @@ exports.IQ_CLI_JAR = 'sonatype-iq-cli.jar';
 exports.IQ_VERSION_TO_COMPLETE = '1.{iq-cli-version}.0-01';
 exports.DOWNLOAD_URL = 'https://download.sonatype.com/clm/scanner/nexus-iq-cli-{iq-cli-version}.jar';
 exports.MINIMUM_SUPPORTED_IQ_VERSION = 137;
-exports.LATEST_IQ_CLI_VERSION = '2.4.2-01'; // This should be updated to the latest IQ CLI version with each release
+exports.LATEST_IQ_CLI_VERSION = '2.4.3-01'; // This should be updated to the latest IQ CLI version with each release
 exports.IQ_CLI_VERSION = 'iq-cli-version';
 exports.IQ_CLI_DOWNLOAD_URL = 'iq-cli-download-url';
 
 
+/***/ }),
+
+/***/ 848:
+/***/ ((__unused_webpack_module, exports) => {
+
+"use strict";
+
+/*
+ *  Copyright (c) 2023-present Sonatype, Inc. All rights reserved.
+ *  Includes the third-party code listed at https://links.sonatype.com/products/clm/attributions.
+ *  "Sonatype" is a trademark of Sonatype, Inc.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.getNextDownloadUrl = getNextDownloadUrl;
+// Given a url like: download.sonatype.com/scanner/nexus-iq-cli-1.178.0-05.jar
+// returns download.sonatype.com/scanner/nexus-iq-cli-1.178.0-06.jar
+function getNextDownloadUrl(url) {
+    const currentBuildNumber = url.substring(url.length - 6, url.length - 4);
+    const nextBuildNumber = (parseInt(currentBuildNumber) + 1).toString().padStart(2, '0');
+    return url.replace(currentBuildNumber, nextBuildNumber);
+}
+
+
 /***/ }),
 
 /***/ 8917:
@@ -31439,13 +31462,37 @@ function getValidatedIQCLIVersion() {
     if (input === 'latest') {
         return constants_1.LATEST_IQ_CLI_VERSION;
     }
+    // Here only for backwards compatibility, see docs on function
     if (/^\d+$/.test(input)) {
-        if (parseInt(input) < constants_1.MINIMUM_SUPPORTED_IQ_VERSION) {
-            throw Error(`IQ minimum supported version is ${constants_1.MINIMUM_SUPPORTED_IQ_VERSION}`);
-        }
-        return constants_1.IQ_VERSION_TO_COMPLETE.replace('{iq-cli-version}', input);
+        return getIqFromMinorVersion(input);
+    }
+    // This is similar to 2.1.0-01, just return..
+    // Here the user provided a full version (major.minor.patch-build-number)
+    // This is what we are trying to build anyway so no need for any additional logic..
+    if (/^\d\.\d+\.\d+-\d+$/.test(input)) {
+        return input;
+    }
+    // If the provided value does not match 2.1.0 (or similar) - warn and return
+    // This can happen when user provides 2.10 or similar (which is insufficient)
+    if (!/^\d+\.\d+\.\d+$/.test(input)) {
+        throw Error(`Provided IQ CLI version must be in the form of major.minor.patch`);
+    }
+    // At this point we are handling a provided input that is major.minor.patch
+    // Concat the build number -01 and return
+    // We will handle other possibilities later (-02, -03) if needed
+    return input.concat('-01');
+}
+// The logic within this function is *deprecated* and *not* documented.
+// If the provided input is a single decimal (like 180, 185 and so on..),
+// this returns 1.{provided-version}.0-01
+// This works if all IQ CLI versions were 1.x but we also have 2.x so the provided value is ambiguous.
+function getIqFromMinorVersion(input) {
+    core.warning('Providing a minor version only is deprecated and only works for IQ CLI 1.x');
+    core.warning('Input the desired CLI version in the major.minor.patch form.');
+    if (parseInt(input) < constants_1.MINIMUM_SUPPORTED_IQ_VERSION) {
+        throw Error(`IQ minimum supported version is ${constants_1.MINIMUM_SUPPORTED_IQ_VERSION}`);
     }
-    return input;
+    return constants_1.IQ_VERSION_TO_COMPLETE.replace('{iq-cli-version}', input);
 }
 
 
@@ -31495,6 +31542,7 @@ const path_1 = __importDefault(__nccwpck_require__(1017));
 const fs_1 = __nccwpck_require__(7147);
 const constants_1 = __nccwpck_require__(9733);
 const get_validated_iq_cli_version_1 = __nccwpck_require__(3391);
+const get_next_download_url_1 = __nccwpck_require__(848);
 const get_semver_version_1 = __nccwpck_require__(8917);
 /**
  * The main function for the action.
@@ -31543,7 +31591,23 @@ async function run() {
             else {
                 core.debug(`Downloading IQ CLI version ${iqCliVersion}`);
             }
-            const iqCliPath = await tc.downloadTool(validatedDownloadUrl, constants_1.IQ_CLI_JAR);
+            let iqCliPath;
+            for (let i = 1; i < 10; i++) {
+                try {
+                    core.debug(`Attempting to download IQ CLI from: ${validatedDownloadUrl}`);
+                    iqCliPath = await tc.downloadTool(validatedDownloadUrl, constants_1.IQ_CLI_JAR);
+                    core.info(`IQ CLI downloaded from: ${validatedDownloadUrl}`);
+                    break;
+                }
+                catch (error) {
+                    core.debug(`Failed to download from: ${validatedDownloadUrl}`);
+                    validatedDownloadUrl = (0, get_next_download_url_1.getNextDownloadUrl)(validatedDownloadUrl);
+                }
+            }
+            if (!iqCliPath) {
+                core.warning(`Failed to download the custom IQ version: ${iqCliVersion}`);
+                throw Error(`Failed to download the custom IQ version: ${iqCliVersion}`);
+            }
             core.debug(`Download path is: ${iqCliPath}`);
             cachedPath = await tc.cacheFile(iqCliPath, constants_1.IQ_CLI_JAR, 'iq-cli', semverVersion);
             // Delete the downloaded file after caching