
@ruromero

Changes

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

  • Follows the authoring recommendations
  • Includes docs (if user facing)
  • Includes tests (for new tasks or changed functionality)
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Commit messages follow commit message best practices
  • Has a kind label. You can add one by adding a comment on this PR that
    contains /kind <type>. Valid types are bug, cleanup, design, documentation,
    feature, flake, misc, question, tep
  • Complies with Catalog Organization TEP, see example. Note: An issue has been filed to automate this validation
    • File path follows <kind>/<name>/<version>/name.yaml
    • Has README.md at <kind>/<name>/<version>/README.md
    • Has mandatory metadata.labels - app.kubernetes.io/version the same as the <version> of the resource
    • Has mandatory metadata.annotations tekton.dev/pipelines.minVersion
    • mandatory spec.description follows the convention

      ```
      spec:
        description: >-
          one line summary of the resource

          Paragraph(s) to describe the resource.
      ```

See the contribution guide for more details.

Signed-off-by: Ruben Romero Montes <rromerom@redhat.com>
@linux-foundation-easycla

linux-foundation-easycla bot commented Nov 18, 2025

CLA Signed

The committers listed above are authorized under a signed CLA.

@tekton-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign vdemeester after the PR has been reviewed.
You can assign the PR to them by writing /assign @vdemeester in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ruromero
Author

/kind feature

@tekton-robot tekton-robot added kind/feature Categorizes issue or PR as related to a new feature. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Nov 18, 2025
@ruromero
Author

hi @vinamra28 @vdemeester can someone give some feedback on this PR? Thank you

Signed-off-by: Ruben Romero Montes <rromerom@redhat.com>
@tekton-robot

Catlin Output
FILE: task/redhat-dependency-analytics/0.3/redhat-dependency-analytics.yaml
WARN : Step "redhat-dependency-analytics" uses image "$(params.trustify-cli-image)" that contains variables; skipping validation

@tekton-robot

Diff between version 0.2 and 0.3
diff --git a/task/redhat-dependency-analytics/0.2/README.md b/task/redhat-dependency-analytics/0.3/README.md
index dd2233a..6801d46 100644
--- a/task/redhat-dependency-analytics/0.2/README.md
+++ b/task/redhat-dependency-analytics/0.3/README.md
@@ -6,9 +6,19 @@
 The redhat-dependency-analytics task is an interface between Tekton and Red Hat Dependency Analytics (RHDA) platform. 
 It provides vulnerability and compliance analysis for your applications dependencies in your software supply chain.
 
-The redhat-dependency-analytics task for Tekton Pipelines utilizes the [Exhort JavaScript API](https://github.com/RHEcosystemAppEng/exhort-javascript-api), mirroring the functionality of the [VSCode Red Hat Dependency Analytics plugin](https://marketplace.visualstudio.com/items?itemName=redhat.fabric8-analytics).
+The redhat-dependency-analytics task for Tekton Pipelines utilizes the [Guacsec Trustify Dependency Analytics JavaScript Client](https://github.com/guacsec/trustify-da-javascript-client), mirroring the functionality of the [VSCode Red Hat Dependency Analytics plugin](https://marketplace.visualstudio.com/items?itemName=redhat.fabric8-analytics).
 
-**Note: Currently this Task only supports Maven (`mvn`), Node (`npm`), Golang (`go mod`) and Python (`pip`) ecosystems, support for other ecosystems will be provided very soon.**
+Dependency Analytics supports the following project ecosystems:
+
+- Maven
+- NPM
+- PNPM
+- Yarn (Classic / Berry)
+- Golang
+- Python
+- Gradle (Kotlin / Groovy DSL)
+
+**NOTE:** The Red Hat Dependency Analytics extension is an online service hosted and maintained by Red Hat. Red Hat Dependency Analytics only accesses your manifest files to analyze your application dependencies before displaying the vulnerability report.
 
 ## Prerequisites
 
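Review bot: the NOTE added at the end of this hunk says Red Hat Dependency Analytics "only accesses your manifest files", but the Task also ships `pip freeze` and `pip show` output for Python projects (base64-encoded into `TRUSTIFY_DA_PIP_FREEZE` / `TRUSTIFY_DA_PIP_SHOW` further down in this PR), and now that `trustify-da-endpoint` is a parameter the data goes to whichever endpoint the caller sets, not only to the Red Hat hosted service. Suggest rewording the note to list what is transmitted and to say it is sent to the configured endpoint, which defaults to `https://rhda.rhcloud.com`.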
@@ -28,11 +38,12 @@ kubectl apply -f samples/workspace.yaml -n <NAMESPACE>
 ## Parameters
 - **manifest-file-path**: Path to target manifest file (ex. pom.xml, package.json, go.mod, requirements.txt) within workspace to perform analysis upon.
 - **output-file-path**: Path to file within workspace where the Red Hat Dependency Analytics report will be saved. `(default: redhat-dependency-analytics-report.json)`
-- **rhda-image**: Image where Exhort Javascript API and required dependencies are installed. `(default: quay.io/ecosystem-appeng/exhort-javascript-api:0.1.1-ea.26)`. 
+- **trustify-cli-image**: Image where Trustify Dependency Analytics Javascript Client and required dependencies are installed. `(default: ghcr.io/guacsec/trustify-da-javascript-client:0.2.4)`.
 - **python-image**: Image with installed Python interpreter and associated tools (such as pip, pip3, etc.). `(default: python:3.11)`. 
-- **use-go-mvs-logic**:  indicate whether to use the Minimal version selection (MVS) algorithm to select a set of module versions to use when building Go packages. Relevant for Go ecosystem only. `(default: false)`. 
+- **use-go-mvs-logic**:  indicate whether to use the Minimal version selection (MVS) algorithm to select a set of module versions to use when building Go packages. Relevant for Go ecosystem only. `(default: true)`. 
+- **trustify-da-endpoint**: RHDA (Trustify Dependency Analytics) endpoint that will perform the analysis and look for vulnerabilities. It defaults to `https://rhda.rhcloud.com`
 
-List of images for different ecosystem versions can be found [here](https://github.com/RHEcosystemAppEng/exhort-javascript-api/tree/main/docker-image)
+More information about the Container images can be found [here](https://github.com/guacsec/trustify-da-javascript-client/tree/main/docker-image)
 
 ## Output
 The complete response of Red Hat Dependency Analytics is saved in JSON format within the workspace directory under file name defined by parameter `output-file-name`. 
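Review bot: the documented default for `trustify-cli-image`, `ghcr.io/guacsec/trustify-da-javascript-client:0.2.4`, does not match the Task's actual default in redhat-dependency-analytics.yaml, which is the digest-pinned `0.3.0` image; keep the README in sync with the pinned value so users who copy it do not downgrade the scanner. While here, the Output paragraph still refers to a parameter `output-file-name`, but the parameter is `output-file-path`.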
@@ -48,9 +59,9 @@ Dependencies
   Total Direct       :  7 
   Total Transitive   :  1 
 
-Provider: Osv-nvd
+Provider: rhtpa
   Provider Status    : OK 
-  Source: Osv-nvd
+  Source: osv
     Vulnerabilities
       Total          :  8 
       Direct         :  8 
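Review bot: the sample report now prints `Provider: rhtpa` and `Source: osv`, names that appear nowhere else in the README; a one-line gloss explaining what the `rhtpa` provider and the `osv` source refer to would save readers a lookup when they compare this against their own output.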
@@ -70,7 +81,7 @@ In case of failure, please refer to the `error.log` file within workspace for mo
 
 ### Install task on environment using kubectl
 ```
-kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/redhat-dependency-analytics/0.2/redhat-dependency-analytics.yaml -n <NAMESPACE>
+kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/redhat-dependency-analytics/0.3/redhat-dependency-analytics.yaml -n <NAMESPACE>
 ```
 
 ### Install task on environment using tkn
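Review bot: the install command applies the Task straight from the catalog's `main` branch, so what `kubectl apply` installs can change after this README is written; for reproducible installs it would help to also show the raw URL with a commit or tag in place of `main`, or to point users at the versioned `tkn hub` install in the next section.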
@@ -100,12 +111,14 @@ You can apply the specified task to resources such as TaskRun, Pipeline, and Pip
       value: /path/to/manifest/file/in/workspace
     - name: output-file-path
       value: /path/to/output/file/in/workspace
-    - name: rhda-image
+    - name: trustify-cli-image
       value: your-image-name:tag
     - name: python-image
       value: your-image-name:tag
     - name: use-go-mvs-logic
       value: false
+    - name: trustify-da-endpoint
+      value: https://trustify.example.com
 ...
 ...
 ```
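Review bot: the example sets `use-go-mvs-logic` to `false` right after the Parameters section changed its default to `true`; showing a non-default value in the canonical example without saying why will confuse readers. Also, since the endpoint receives the manifest and dependency data, the `https://trustify.example.com` line is the natural place to say that the value should be an `https://` URL to a backend the team trusts.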
@@ -138,7 +151,7 @@ An example PipelineRun and TaskRun are provided in the `samples` directory in or
     kubectl apply -f samples/pipeline.yaml -n <NAMESPACE>
     ```
 
-1. In [pipeline-run.yaml](samples/pipeline-run.yaml), first replace `{{ GITHUB_URL }}` with the Github URL to the project repository where the target manifest file resides, next replace `{{ MANIFEST_FILE_PATH }}` with the path to the target manifest file within workspace (e.g., "pom.xml" or "path/to/my/project/pom.xml"). 
+1. In [pipeline-run.yaml](samples/pipeline-run.yaml), first replace `{{ GITHUB_URL }}` with the Github URL to the project repository where the target manifest file resides, next replace `{{ MANIFEST_FILE_PATH }}` with the path to the target manifest file within workspace (e.g., "pom.xml" or "path/to/my/project/pom.xml"). Optionally, replace `{{ TRUSTIFY_DA_ENDPOINT }}` with the RHDA Backend endpoint (defaults to `https://rhda.rhcloud.com` if not specified).
 Additionally, if you are operating within a Python environment, you have the flexibility to substitute the default value of the `python-image` parameter with a base image that incorporates the specific Python version you prefer. If you are operating within a Go environment, you might prefer to use the Minimal version selection (MVS) algorithm to select a set of module versions to use when building Go packages, in that case, set `use-go-mvs-logic` parameter to true.
 Finally create the pipelinerun, run:
     ```
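Review bot: the retained sentence tells readers to set `use-go-mvs-logic` to `true` if they prefer MVS, but this PR changes the default to `true` (and samples/pipeline-run.yaml now sets it to `true`), so the instruction should say how to turn it off instead. The placeholder is spelled `{{ TRUSTIFY_DA_ENDPOINT }}` with spaces here while the sample file uses `{{TRUSTIFY_DA_ENDPOINT}}`; use one spelling so a find-and-replace works.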
@@ -149,7 +162,7 @@ Finally create the pipelinerun, run:
 
 1. Store the target manifest file into a desired location inside workspace.
 
-1. In [task-run.yaml](samples/task-run.yaml), replace `{{ MANIFEST_FILE_PATH }}` with the path to the target manifest file within workspace (e.g., "pom.xml" or "path/to/my/project/pom.xml"). Additionally, if you are operating within a Python environment, you have the flexibility to substitute the default value of the `python-image` parameter with a base image that incorporates the specific Python version you prefer. If you are operating within a Go environment, you might prefer to use the Minimal version selection (MVS) algorithm to select a set of module versions to use when building Go packages, in that case, set `use-go-mvs-logic` parameter to true.
+1. In [task-run.yaml](samples/task-run.yaml), replace `{{ MANIFEST_FILE_PATH }}` with the path to the target manifest file within workspace (e.g., "pom.xml" or "path/to/my/project/pom.xml"). Optionally, replace `{{ TRUSTIFY_DA_ENDPOINT }}` with the RHDA Backend endpoint (defaults to `https://rhda.rhcloud.com` if not specified). Additionally, if you are operating within a Python environment, you have the flexibility to substitute the default value of the `python-image` parameter with a base image that incorporates the specific Python version you prefer. If you are operating within a Go environment, you might prefer to use the Minimal version selection (MVS) algorithm to select a set of module versions to use when building Go packages, in that case, set `use-go-mvs-logic` parameter to true.
 Then create the taskrun, run:
     ```
     kubectl apply -f samples/task-run.yaml -n <NAMESPACE>
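Review bot: the same two issues as the pipeline-run step apply here: the text still says to set `use-go-mvs-logic` to `true` even though it now defaults to `true`, and `{{ TRUSTIFY_DA_ENDPOINT }}` is spelled with spaces while samples/task-run.yaml uses `{{TRUSTIFY_DA_ENDPOINT}}`. Suggest splitting this long sentence into one per parameter while fixing it.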
diff --git a/task/redhat-dependency-analytics/0.2/redhat-dependency-analytics.yaml b/task/redhat-dependency-analytics/0.3/redhat-dependency-analytics.yaml
index 1dff721..98d28db 100644
--- a/task/redhat-dependency-analytics/0.2/redhat-dependency-analytics.yaml
+++ b/task/redhat-dependency-analytics/0.3/redhat-dependency-analytics.yaml
@@ -3,7 +3,7 @@ kind: Task
 metadata:
   name: redhat-dependency-analytics
   labels:
-    app.kubernetes.io/version: "0.2"
+    app.kubernetes.io/version: "0.3"
   annotations:
     tekton.dev/categories: Security
     tekton.dev/pipelines.minVersion: "0.37.5"
@@ -24,15 +24,18 @@ spec:
     - name: output-file-path
       description: Path to file within workspace, where the analysis report is saved.
       default: redhat-dependency-analytics-report.json
-    - name: rhda-image
-      description: Image where Exhort Javascript API and required dependencies are installed.
-      default: quay.io/ecosystem-appeng/exhort-javascript-api:0.1.1-ea.26
+    - name: trustify-cli-image
+      description: Image where Trustify Dependency Analytics Javascript Client and required dependencies are installed.
+      default: ghcr.io/guacsec/trustify-da-javascript-client:0.3.0@sha256:e5bee1acb7289a8c7ea0bdf3c3089b7000f443adb004675c8473b51eaa445268
     - name: python-image
       description: Image with installed Python interpreter and associated tools (such as pip, pip3, etc.).
       default: python:3.11
     - name: use-go-mvs-logic
       description: Uses the Minimal version selection (MVS) algorithm to select a set of module versions to use when building Go packages.
-      default: false
+      default: true
+    - name: trustify-da-endpoint
+      description: RHDA (Trustify Dependency Analytics) endpoint that will perform the analysis and look for vulnerabilities.
+      default: https://rhda.rhcloud.com
   sidecars:
     - name: python
       image: $(params.python-image)
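Review bot: `trustify-cli-image` is now pinned by digest, which is the right call, but `python-image` still defaults to the floating `python:3.11` tag while tests/run.yaml pins `docker.io/library/python@sha256:61d662…`; suggest the same digest pinning in the default. The `trustify-da-endpoint` description should also say that the manifest and resolved dependency data are posted to this URL, so anyone overriding it understands the trust implication.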
@@ -68,7 +71,7 @@ spec:
         touch /shared/pythonComplete
   steps:
     - name: redhat-dependency-analytics
-      image: $(params.rhda-image)
+      image: $(params.trustify-cli-image)
       workingDir: $(workspaces.output.path)
       env:
         - name: RHDA_SOURCE
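Review bot: as the Catlin output above warns, an image taken from `$(params.trustify-cli-image)` cannot be validated by the catalog linter. That is unavoidable with a parameterized image, but it means the digest in the param default is the only thing pinning the scanner; the README's `your-image-name:tag` example encourages overriding it with a mutable tag, so suggest the docs recommend a digest there too.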
@@ -98,6 +101,7 @@ spec:
         # get task parameter values
         MANIFEST_FILE_PATH="$(params.manifest-file-path)"
         OUTPUT_FILE_PATH="$(params.output-file-path)"
+        TRUSTIFY_DA_ENDPOINT="$(params.trustify-da-endpoint)"
 
         # install dependencies for requirements.txt file
         MANIFEST_FILE_BASENAME=$(basename "$MANIFEST_FILE_PATH")
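Review bot: `TRUSTIFY_DA_ENDPOINT` is assigned here but never read; the later export re-expands `$(params.trustify-da-endpoint)` directly. Either drop this line or export from it (`export TRUSTIFY_DA_BACKEND_URL="$TRUSTIFY_DA_ENDPOINT"`) so the value is substituted in one place.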
@@ -123,16 +127,17 @@ spec:
             ((elapsed_time++))
           done
 
-          export EXHORT_PIP_FREEZE=$(cat /shared/pip_freeze.txt | base64 -w 0)
-          export EXHORT_PIP_SHOW=$(cat /shared/pip_show.txt | base64 -w 0)
+          export TRUSTIFY_DA_PIP_FREEZE=$(cat /shared/pip_freeze.txt | base64 -w 0)
+          export TRUSTIFY_DA_PIP_SHOW=$(cat /shared/pip_show.txt | base64 -w 0)
         else
           touch /shared/notPython
         fi
 
-        export EXHORT_GO_MVS_LOGIC_ENABLED=$(echo "$(params.use-go-mvs-logic)")
+        export TRUSTIFY_DA_GO_MVS_LOGIC_ENABLED=$(echo "$(params.use-go-mvs-logic)")
+        export TRUSTIFY_DA_BACKEND_URL=$(echo "$(params.trustify-da-endpoint)")
 
-        # execute RHDA
-        sh /rhda.sh "$MANIFEST_FILE_PATH" "$OUTPUT_FILE_PATH"
+        # execute Trustify Dependency Analytics
+        sh /trustify-da.sh "$MANIFEST_FILE_PATH" "$OUTPUT_FILE_PATH"
   volumes:
     - name: shared-data
-      emptyDir: {}
\ No newline at end of file
+      emptyDir: {}
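Review bot: `export TRUSTIFY_DA_BACKEND_URL=$(echo "$(params.trustify-da-endpoint)")` (and the MVS line above it) splice a Tekton param straight into the shell script, so a PipelineRun that supplies an endpoint containing shell metacharacters changes what the step executes; Tekton's guidance is to pass params into scripts through `env:` entries (this step already has an `env:` block for `RHDA_SOURCE`) and reference them as `"$TRUSTIFY_DA_BACKEND_URL"`. The `$(echo ...)` wrapper also adds nothing over a plain quoted assignment. Adding the missing trailing newline on `emptyDir: {}` is welcome.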
diff --git a/task/redhat-dependency-analytics/0.2/samples/pipeline-run.yaml b/task/redhat-dependency-analytics/0.3/samples/pipeline-run.yaml
index ef846e4..a483ec4 100644
--- a/task/redhat-dependency-analytics/0.2/samples/pipeline-run.yaml
+++ b/task/redhat-dependency-analytics/0.3/samples/pipeline-run.yaml
@@ -23,12 +23,14 @@ spec:
       value: {{MANIFEST_FILE_PATH}}
     - name: output-file-path
       value: redhat-dependency-analytics-report.json
-    # Replace with base image where Exhort Javascript API and required dependencies are installed.
-    - name: rhda-image
-      value: quay.io/ecosystem-appeng/exhort-javascript-api:0.1.1-ea.26
+    # Replace with base image where Trustify JavaScript CLI and required dependencies are installed.
+    - name: trustify-cli-image
+      value: ghcr.io/guacsec/trustify-da-javascript-client:0.3.0@sha256:e5bee1acb7289a8c7ea0bdf3c3089b7000f443adb004675c8473b51eaa445268
     # Replace with base image including the desired Python version.
     - name: python-image
       value: python:3.11
     # Set to true if using Minimal version selection (MVS) algorithm for building Go packages is preferred.
     - name: use-go-mvs-logic
-      value: false
\ No newline at end of file
+      value: true
+    - name: trustify-da-endpoint
+      value: {{TRUSTIFY_DA_ENDPOINT}}
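Review bot: `{{TRUSTIFY_DA_ENDPOINT}}` is the only placeholder here without a comment, and the README says the endpoint "defaults to https://rhda.rhcloud.com if not specified", but this sample always specifies it, so a user who skips the "optional" replacement sends requests to the literal string `{{TRUSTIFY_DA_ENDPOINT}}`. Suggest pre-filling `https://rhda.rhcloud.com` with a "Replace with ..." comment like the other params, or commenting the two lines out by default.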
diff --git a/task/redhat-dependency-analytics/0.2/samples/pipeline.yaml b/task/redhat-dependency-analytics/0.3/samples/pipeline.yaml
index 146ee44..346c0ff 100644
--- a/task/redhat-dependency-analytics/0.2/samples/pipeline.yaml
+++ b/task/redhat-dependency-analytics/0.3/samples/pipeline.yaml
@@ -13,9 +13,10 @@ spec:
   - name: github-url
   - name: manifest-file-path
   - name: output-file-path
-  - name: rhda-image
+  - name: trustify-cli-image
   - name: python-image
   - name: use-go-mvs-logic
+  - name: trustify-da-endpoint
   tasks:
     # git-clone-project task
     - name: git-clone-project
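Review bot: the new pipeline param `trustify-da-endpoint` has no `default`, so every PipelineRun using this Pipeline must pass it even though the Task itself defaults to `https://rhda.rhcloud.com`; add `default: https://rhda.rhcloud.com` here so the README's "optional" wording holds.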
@@ -41,9 +42,11 @@ spec:
           value: $(params.manifest-file-path)
         - name: output-file-path
           value: $(params.output-file-path)
-        - name: rhda-image
-          value: $(params.rhda-image)
+        - name: trustify-cli-image
+          value: $(params.trustify-cli-image)
         - name: python-image
           value: $(params.python-image)
         - name: use-go-mvs-logic
           value: $(params.use-go-mvs-logic)
+        - name: trustify-da-endpoint
+          value: $(params.trustify-da-endpoint)
diff --git a/task/redhat-dependency-analytics/0.2/samples/task-run.yaml b/task/redhat-dependency-analytics/0.3/samples/task-run.yaml
index 433c534..85c5238 100644
--- a/task/redhat-dependency-analytics/0.2/samples/task-run.yaml
+++ b/task/redhat-dependency-analytics/0.3/samples/task-run.yaml
@@ -19,12 +19,14 @@ spec:
       value: {{MANIFEST_FILE_PATH}}
     - name: output-file-path
       value: redhat-dependency-analytics-report.json
-    # Replace with base image where Exhort Javascript API and required dependencies are installed.
-    - name: rhda-image
-      value: quay.io/ecosystem-appeng/exhort-javascript-api:0.1.1-ea.26
+    # Replace with base image where Trustify JavaScript CLI and required dependencies are installed.
+    - name: trustify-cli-image
+      value: ghcr.io/guacsec/trustify-da-javascript-client:0.3.0@sha256:e5bee1acb7289a8c7ea0bdf3c3089b7000f443adb004675c8473b51eaa445268
     # Replace with base image including the desired Python version.
     - name: python-image
       value: python:3.11
     # Set to true if using Minimal version selection (MVS) algorithm for building Go packages is preferred.
     - name: use-go-mvs-logic
-      value: false
+      value: true
+    - name: trustify-da-endpoint
+      value: {{TRUSTIFY_DA_ENDPOINT}}
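Review bot: same as the pipeline-run sample: `trustify-da-endpoint` is a bare `{{TRUSTIFY_DA_ENDPOINT}}` with no comment and no fallback, so the replacement the README calls optional is mandatory for this file; pre-fill the default or comment the lines out.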
diff --git a/task/redhat-dependency-analytics/0.2/tests/run.yaml b/task/redhat-dependency-analytics/0.3/tests/run.yaml
index 125fb59..6e83797 100644
--- a/task/redhat-dependency-analytics/0.2/tests/run.yaml
+++ b/task/redhat-dependency-analytics/0.3/tests/run.yaml
@@ -10,9 +10,10 @@ spec:
   - name: github-url
   - name: manifest-file-path
   - name: output-file-path
-  - name: rhda-image
+  - name: trustify-cli-image
   - name: python-image
   - name: use-go-mvs-logic
+  - name: trustify-da-endpoint
   tasks:
     - name: git-clone-project
       taskRef:
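Review bot: as in samples/pipeline.yaml, `trustify-da-endpoint` is declared without a default; that is fine for the test, which passes it explicitly below, but the sample Pipeline and the test Pipeline should agree on whether the param is required.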
@@ -36,12 +37,14 @@ spec:
           value: $(params.manifest-file-path)
         - name: output-file-path
           value: $(params.output-file-path)
-        - name: rhda-image
-          value: $(params.rhda-image)
+        - name: trustify-cli-image
+          value: $(params.trustify-cli-image)
         - name: python-image
           value: $(params.python-image)
         - name: use-go-mvs-logic
           value: $(params.use-go-mvs-logic)
+        - name: trustify-da-endpoint
+          value: $(params.trustify-da-endpoint)
 ---
 apiVersion: tekton.dev/v1beta1
 kind: PipelineRun
@@ -61,9 +64,11 @@ spec:
       value: pom.xml
     - name: output-file-path
       value: redhat-dependency-analytics-report.json
-    - name: rhda-image
-      value: quay.io/ecosystem-appeng/exhort-javascript-api:0.1.1-ea.26
+    - name: trustify-cli-image
+      value: ghcr.io/guacsec/trustify-da-javascript-client:0.3.0@sha256:e5bee1acb7289a8c7ea0bdf3c3089b7000f443adb004675c8473b51eaa445268
     - name: python-image
       value: docker.io/library/python@sha256:61d662f6d52206ab2290af4258257b5369573b6a4bbd904896699cc909221334
     - name: use-go-mvs-logic
       value: false
+    - name: trustify-da-endpoint
+      value: https://rhda.rhcloud.com
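Review bot: the test keeps `use-go-mvs-logic: false` while the Task default and both samples are now `true`, so the default code path is not what the catalog test exercises; with a `pom.xml` manifest the flag is irrelevant anyway, so it could simply be dropped. Also worth noting somewhere that this test needs outbound access to `https://rhda.rhcloud.com`, since the scan cannot run offline.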

@ruromero
Author

/assign @vdemeester
kind reminder if you can take a look, thank you
