feat: implement CMake dependency scanning

.devcontainer/devcontainer.json

@@ -0,0 +1,11 @@
+{
+  "image": "mcr.microsoft.com/devcontainers/typescript-node:1-20-bullseye",
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "Orta.vscode-jest"
+      ]
+    }
+  },
+  "postCreateCommand": "npm install && npm i -g @vercel/ncc"
+}

.github/dependabot.yml

@@ -0,0 +1,12 @@
+---
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly

.github/workflows/dependency-submission.yml

@@ -0,0 +1,36 @@
+name: Dependency Submission
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  dependency-submission-glob:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: philips-forks/cmake-dependency-submission@main
+      - env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh ext install advanced-security/gh-sbom
+          gh sbom | jq
+  dependency-submission-configure:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - run: cmake -S example -B build
+      - uses: philips-forks/cmake-dependency-submission@main
+        with:
+          scanMode: 'configure'
+          buildPath: 'build'
+      - env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh ext install advanced-security/gh-sbom
+          gh sbom | jq

.github/workflows/test.yml

@@ -1,7 +1,8 @@
-name: Build & test
+name: Build & Test
+
 on:
   pull_request:
-   branches:
+    branches:
       - main
   push:
     branches:
@@ -11,20 +12,11 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-
-      - name: Install Node
-        uses: actions/setup-node@v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/setup-node@v4
         with:
           node-version: 16
-
       - name: Install npm dependencies
         run: npm ci --ignore-scripts
-
-      - name: Build and run tests 
+      - name: Build and run tests
         run: npm rebuild && npm run all
-
-      - name: Verify no uncommitted files
-        run: '[ -z "$(git status --porcelain=v1 2>/dev/null)" ]'
-        shell: bash

LICENSE

@@ -1,5 +1,6 @@
 MIT License
 
+Copyright (c) 2023 Ron Jaegers
 Copyright (c) 2022 Breno Cunha Queiroz
 
 Permission is hereby granted, free of charge, to any person obtaining a copy

README.md

@@ -6,36 +6,76 @@
 CMake Dependency Submission
 </h1>
 
-Calculates dependencies for a cmake project and submits the list to the Dependency Submission API
+This GitHub Action identifies dependencies for a CMake project that uses [FetchContent](https://cmake.org/cmake/help/latest/module/FetchContent.html), and submits the results to the [Dependency Submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). Dependencies then appear in your repository's [dependency graph](https://github.com/philips-forks/cmake-dependency-submission/network/dependencies) and can, for example, be exported to an SBOM file.
 
-## Github dependency graph
-![2022-12-01_09-57](https://user-images.githubusercontent.com/17342434/204997995-1955d053-87f4-464f-8e02-e36fa807d0b1.png)
+## Usage
 
+This Action can be used in two different modes, depending on how the list of CMake files to scan should be determined:
 
-## Setup
+- [Glob mode](#glob-mode) (*default*); CMakeLists.txt and *.cmake files will be found by recursively globbing from the optionally provided sourcePath.
+- [Configure mode](#configure-mode); CMake files will be found by querying the [CMake File API](https://cmake.org/cmake/help/latest/manual/cmake-file-api.7.html#manual:cmake-file-api(7)). In configure mode it is mandatory to run the CMake configure step before this action is ran.
+
+Glob mode is faster, but configure mode is more accurate. Configure mode will recursively detect FetchContent dependencies. Configure mode will not include CMake files that are part of the source tree, but not included in the configured build.
+
+See [action.yml](action.yml) for all valid inputs.
+See [dependency-submission.yml](.github/workflows/dependency-submission.yml) for an example scan on this repository.
+
+> **&#9432;** please note that the Dependency Submission API requires `contents: write` persmissions.
+
+### Glob mode
 
 ```yml
 name: CMake Dependency Submission
-on:                        
+
+on:
   push:
     branches:
-      - main               
+      - main
 
 jobs:
   dependency-submission:
-    runs-on: ubuntu-latest 
-    permissions: # The Dependency Submission API requires write permission
-      contents: write      
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
-      - name: Checkout Repository     
-        uses: actions/checkout@v3       
+      - uses: actions/checkout@v3
+      - uses: philips-forks/cmake-dependency-submission@main
+```
 
-      - name: Dependency Submission
-        uses: brenocq/cmake-dependency-submission@main
+### Configure mode
+
+```yml
+name: CMake Dependency Submission
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  dependency-submission:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v3
+      - run: cmake -S example -B build
+      - uses: philips-forks/cmake-dependency-submission@main
         with:
-          testing-action: "Hello world!"  
+          scanMode: 'configure'
+          buildPath: 'build'
 ```
 
+## Non-FetchContent dependencies
+
+When an external dependency is not FetchContent-compatible, or there is another reason to consume a dependency without using FetchContent, the dependency can still be detected by this Action using an annotation in a CMake file.
+
+The annotation should be in the following format:
+
+`# cmake-dependency-scan [package-url]`
+
+Where `[package-url]` should be a valid [Package URL](https://github.com/package-url/purl-spec) like `pkg:github/google/[email protected]`
 
 ## License
-This project is licensed under the MIT License - check [LICENSE](LICENSE) for details.
+
+This project is licensed under the [MIT](https://choosealicense.com/licenses/mit/) license. See [LICENSE](LICENSE) for details.

action.yml

@@ -1,18 +1,25 @@
-name: 'Cmake Dependency Submission'
-description: 'Calculates dependencies for a cmake project and submits the list to the Dependency Submission API'
+name: 'CMake Dependency Submission'
+description: 'Calculates dependencies for a CMake project and submits the list to the GitHub Dependency Submission API'
 author: 'Breno Cunha Queiroz'
 branding:
-  icon: 'check-circle'  
+  icon: 'check-circle'
   color: 'blue'
 inputs:
   token:
     description: "GitHub Personal Access Token (PAT). Defaults to PAT provided by Action runner"
-    required: false
     default: ${{ github.token }}
-  path:
     required: false
-    description: 'Path to cmake project folder'
-    default: ''
+  sourcePath:
+    description: "Path to source tree containing CMakeLists.txt and *.cmake files"
+    default: "${{ github.workspace }}"
+    required: false
+  scanMode:
+    description: "How to find CMake files; supported values are 'glob' or 'configure'. See README.md for more information"
+    default: 'glob'
+    required: false
+  buildPath:
+    description: "Path to the pre-configured build tree; only used in 'configure' mode"
+    required: false
 runs:
-  using: 'node16'
+  using: 'node20'
   main: 'dist/index.js'