| author | Can Eldem <celdem@gitlab.com> | 2020-05-21 13:44:04 +0000 |
|---|---|---|
| committer | Can Eldem <celdem@gitlab.com> | 2020-05-21 13:44:04 +0000 |
| commit | 537fbadd38b8f67b4a8f1ea0089a9e5ad2aa82eb (patch) | |
| tree | c0e1075bb9be0abe5d5c9702b58fb745220f5ccf | |
| parent | ffe3851eaf675da0bc82f144c48b7b16cc43d989 (diff) | |
| parent | d018033cf5542bf35ff7e60d28806655f5ea83ed (diff) | |
Merge branch '212923-bower-small' into 'master'v3.9.2
Provide Bower with a `bower_ca` variable when a custom CA is specified.
See merge request gitlab-org/security-products/license-management!151
| -rw-r--r-- | .gitlab-ci.yml | 7 | ||||
| -rw-r--r-- | CHANGELOG.md | 4 | ||||
| -rw-r--r-- | Gemfile.lock | 2 | ||||
| -rw-r--r-- | config/install.sh | 2 | ||||
| -rw-r--r-- | lib/license/finder/ext/bower.rb | 5 | ||||
| -rw-r--r-- | lib/license/management/version.rb | 2 | ||||
| -rw-r--r-- | spec/fixtures/java/custom-maven-settings.xml | 2 | ||||
| -rw-r--r-- | spec/fixtures/java/example/pom.xml | 39 | ||||
| -rw-r--r-- | spec/fixtures/java/example/settings.xml | 15 | ||||
| -rw-r--r-- | spec/fixtures/java/pom-public-gitlab-repository.xml | 6 | ||||
| -rw-r--r-- | spec/integration/java/maven_spec.rb | 8 | ||||
| -rw-r--r-- | spec/integration/js/bower_spec.rb | 2 |
12 files changed, 81 insertions, 13 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index a6aa573..63c89d8 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -39,6 +39,13 @@ build commit: - docker image inspect $TMP_IMAGE --format='{{.Size}}' - docker push $TMP_IMAGE +build mvn: + image: maven:3.3.9-jdk-8 + stage: build + script: + - cd spec/fixtures/java/example/ && mvn deploy -s settings.xml + allow_failure: true + container_scanning: variables: CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/tmp # only predefined variables are parameter-expanded (no $TMP_IMAGE) diff --git a/CHANGELOG.md b/CHANGELOG.md index a973158..30f15ee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # GitLab License management changelog +## v3.9.2 + +- Pass `bower_ca` to bower install step. (!151) + ## v3.9.1 - Add `--allow-root` option when install bower packages. (!150) diff --git a/Gemfile.lock b/Gemfile.lock index 4ba5c69..548dd1b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,7 +1,7 @@ PATH remote: . specs: - license-management (3.9.1) + license-management (3.9.2) license_finder (~> 6.0.0) GEM diff --git a/config/install.sh b/config/install.sh index e303910..ff8f0b7 100644 --- a/config/install.sh +++ b/config/install.sh @@ -159,7 +159,7 @@ rm -fr "$ASDF_DATA_DIR/docs" \ /var/lib/systemd/* \ /var/log/* -zstd_command="/usr/bin/zstd -19" +zstd_command="/usr/bin/zstd -19 -T0" cd /opt tar --use-compress-program "$zstd_command" -cf /opt/asdf.tar.zst asdf & diff --git a/lib/license/finder/ext/bower.rb b/lib/license/finder/ext/bower.rb index ccfa7ee..d288b05 100644 --- a/lib/license/finder/ext/bower.rb +++ b/lib/license/finder/ext/bower.rb 
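Review bot: The new `build mvn` job has no `only:` or `rules:` restriction, so as written it runs `mvn deploy -s settings.xml` with the job token on every pipeline, feature branches included. That republishes the fixture artifact to the package registry which the Maven integration specs appear to download from, so any branch build can replace what the tests consume. Restricting publication to the default branch, for example `only: [master]` on the job, closes that gap. `allow_failure: true` additionally lets a failed publish pass silently, leaving the specs to run against whatever artifact was uploaded last. `maven:3.3.9-jdk-8` is a mutable tag and could be pinned by digest.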
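Review bot: The `-T0` added to `zstd_command` in config/install.sh is undocumented and may oversubscribe the build host, because the `tar` line visible in the hunk is already backgrounded with `&`. If further archives are compressed concurrently outside the hunk, each one starts one worker per detected core. At level 19 memory use grows with the worker count, which can matter on a memory-limited build container. A comment above the assignment such as `# -T0: one worker per detected core; at -19 memory grows with the worker count` would record the trade-off, and a fixed cap is worth considering if image builds start failing on small runners.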
@@ -48,7 +48,10 @@ module LicenseFinder def default_env return {} unless shell.custom_certificate_installed? - { 'NPM_CONFIG_CAFILE' => ENV.fetch('NPM_CONFIG_CAFILE', shell.custom_certificate_path.to_s) } + { + 'NPM_CONFIG_CAFILE' => ENV.fetch('NPM_CONFIG_CAFILE', shell.custom_certificate_path.to_s), + 'bower_ca' => ENV.fetch('bower_ca', shell.custom_certificate_path.to_s) + } end end end diff --git a/lib/license/management/version.rb b/lib/license/management/version.rb index 0fe76f1..f3e2116 100644 --- a/lib/license/management/version.rb +++ b/lib/license/management/version.rb @@ -2,6 +2,6 @@ module License module Management - VERSION = '3.9.1' + VERSION = '3.9.2' end end diff --git a/spec/fixtures/java/custom-maven-settings.xml b/spec/fixtures/java/custom-maven-settings.xml index 4fa5d16..b7dbb1c 100644 --- a/spec/fixtures/java/custom-maven-settings.xml +++ b/spec/fixtures/java/custom-maven-settings.xml @@ -8,7 +8,7 @@ <repositories> <repository> <id>gitlab-maven</id> - <url>https://gitlab.com/api/v4/projects/17523603/packages/maven</url> + <url>https://gitlab.com/api/v4/projects/6130122/packages/maven</url> </repository> </repositories> </profile> diff --git a/spec/fixtures/java/example/pom.xml b/spec/fixtures/java/example/pom.xml new file mode 100644 index 0000000..b59f809 --- /dev/null +++ b/spec/fixtures/java/example/pom.xml 
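Review bot: `ENV.fetch` in `default_env` falls back only when the variable is absent, so a `bower_ca` (or `NPM_CONFIG_CAFILE`) that is exported but empty replaces the installed certificate path with an empty string. Treating blank as unset avoids that: `ca = shell.custom_certificate_path.to_s` and then `'bower_ca' => ENV['bower_ca'].to_s.empty? ? ca : ENV['bower_ca']`, with the same shape for the npm key. Computing the path once also removes the duplicated `shell.custom_certificate_path.to_s`. A one-line comment that Bower reads `bower_`-prefixed environment variables as configuration would explain the lowercase key next to the upper-case npm one.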
@@ -0,0 +1,39 @@ +<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> + <modelVersion>4.0.0</modelVersion> + <groupId>com.gitlab.secure</groupId> + <artifactId>example</artifactId> + <packaging>jar</packaging> + <version>1.0</version> + <name>example</name> + <url>http://maven.apache.org</url> + <licenses> + <license> + <name>MIT</name> + <url>https://opensource.org/licenses/MIT</url> + </license> + </licenses> + <dependencies> + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <version>3.8.1</version> + <scope>test</scope> + </dependency> + </dependencies> + <repositories> + <repository> + <id>gitlab-maven</id> + <url>https://gitlab.com/api/v4/projects/6130122/packages/maven</url> + </repository> + </repositories> + <distributionManagement> + <repository> + <id>gitlab-maven</id> + <url>https://gitlab.com/api/v4/projects/6130122/packages/maven</url> + </repository> + <snapshotRepository> + <id>gitlab-maven</id> + <url>https://gitlab.com/api/v4/projects/6130122/packages/maven</url> + </snapshotRepository> + </distributionManagement> +</project> diff --git a/spec/fixtures/java/example/settings.xml b/spec/fixtures/java/example/settings.xml new file mode 100644 index 0000000..e84b931 --- /dev/null +++ b/spec/fixtures/java/example/settings.xml @@ -0,0 +1,15 @@ +<settings> + <servers> + <server> + <id>gitlab-maven</id> + <configuration> + <httpHeaders> + <property> + <name>Job-Token</name> + <value>${env.CI_JOB_TOKEN}</value> + </property> + </httpHeaders> + </configuration> + </server> + </servers> +</settings> diff --git a/spec/fixtures/java/pom-public-gitlab-repository.xml b/spec/fixtures/java/pom-public-gitlab-repository.xml index 4e57c79..c39e703 100644 --- a/spec/fixtures/java/pom-public-gitlab-repository.xml +++ b/spec/fixtures/java/pom-public-gitlab-repository.xml 
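Review bot: The new `spec/fixtures/java/example/settings.xml` has no comment explaining that its `gitlab-maven` server id must match the repository ids declared in the sibling `pom.xml`, or that the credential is expected only from the CI environment. Suggest an XML comment at the top such as `<!-- CI only: authenticates to the gitlab-maven repository with the job token from CI_JOB_TOKEN; never commit a literal token here -->`. When the variable is unset, for instance on a local run, Maven would likely send the unresolved placeholder as the header value, so a failed deploy outside CI is expected and worth stating in the same comment.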
@@ -8,9 +8,9 @@ <url>http://maven.apache.org</url> <dependencies> <dependency> - <groupId>com.gitlab.xlgmokha</groupId> - <artifactId>mvn-spike</artifactId> - <version>1.2-SNAPSHOT</version> + <groupId>com.gitlab.secure</groupId> + <artifactId>example</artifactId> + <version>1.0</version> </dependency> </dependencies> </project> diff --git a/spec/integration/java/maven_spec.rb b/spec/integration/java/maven_spec.rb index f14e566..d45c99d 100644 --- a/spec/integration/java/maven_spec.rb +++ b/spec/integration/java/maven_spec.rb @@ -9,12 +9,12 @@ RSpec.describe "maven" do runner.add_file('pom.xml', fixture_file_content('java/pom-public-gitlab-repository.xml')) report = runner.scan(env: { - 'CI_PROJECT_ID' => '17523603' + 'CI_PROJECT_ID' => '6130122' }) expect(report).to match_schema(version: '2.0') - expect(report.dependency_names).to match_array(['mvn-spike']) - expect(report.licenses_for('mvn-spike')).to match_array(['MIT']) + expect(report.dependency_names).to match_array(['example']) + expect(report.licenses_for('example')).to match_array(['MIT']) end it 'downloads packages from by using a custom `settings.xml`' do @@ -27,7 +27,7 @@ RSpec.describe "maven" do }) expect(report).to match_schema(version: '2.0') - expect(report[:dependencies]).to match_array([{ name: 'mvn-spike', url: '', description: '', paths: ['.'], licenses: ['MIT'] }]) + expect(report[:dependencies]).to match_array([{ name: 'example', url: '', description: '', paths: ['.'], licenses: ['MIT'] }]) end end diff --git a/spec/integration/js/bower_spec.rb b/spec/integration/js/bower_spec.rb index 2127c2e..2fe2883 100644 --- a/spec/integration/js/bower_spec.rb +++ b/spec/integration/js/bower_spec.rb 
@@ -22,7 +22,7 @@ RSpec.describe "bower" do specify { expect(subject.licenses_for('stimulus.umd')).to match_array(['unknown']) } end - context "when scanning a bower project with a dependency from a custom registry" do + context "when scanning a bower project with a dependency from a custom npm registry" do subject { runner.scan(env: { 'ADDITIONAL_CA_CERT_BUNDLE' => fixture_file_content('js/custom-npm.crt') }) } before do |
