CM-50594 Updated SCA Scan Option in README

README.md

@@ -548,7 +548,8 @@ The Cycode CLI application offers several types of scans so that you can choose
 | `--monitor`                                                | When specified, the scan results will be recorded in Cycode.                                                           |
 | `--cycode-report`                                          | Display a link to the scan report in the Cycode platform in the console output.                                        |
 | `--no-restore`                                             | When specified, Cycode will not run the restore command. This will scan direct dependencies ONLY!                      |
-| `--gradle-all-sub-projects`                                | Run gradle restore command for all sub projects. This should be run from the project root directory ONLY!              |
+| `--gradle-all-sub-projects`                                | Run gradle restore command for all sub projects. This should be run from 
+| `--maven-settings-file`                                | For Maven only, allows using a custom [settings.xml](https://maven.apache.org/settings.html) file when scanning for dependencies               |
 | `--help`                                                   | Show options for given command.                                                                                        |
 
 | Command                                | Description                                                     |

cycode/cli/apps/scan/scan_command.py

@@ -88,6 +88,16 @@ def scan_command(
             rich_help_panel=_SCA_RICH_HELP_PANEL,
         ),
     ] = False,
+    maven_settings_file: Annotated[
+        Optional[Path],
+        typer.Option(
+            '--maven-settings-file',
+            show_default=False,
+            help='When specified, Cycode will use this settings.xml file when building the maven dependency tree.',
+            dir_okay=False,
+            rich_help_panel=_SCA_RICH_HELP_PANEL,
+        ),
+    ] = None,
     export_type: Annotated[
         ExportTypeOption,
         typer.Option(
@@ -143,6 +153,7 @@ def scan_command(
     ctx.obj['sync'] = sync
     ctx.obj['severity_threshold'] = severity_threshold
     ctx.obj['monitor'] = monitor
+    ctx.obj['maven_settings_file'] = maven_settings_file
     ctx.obj['report'] = report
 
     scan_client = get_scan_cycode_client(ctx)

cycode/cli/files_collector/sca/maven/restore_maven_dependencies.py

@@ -24,7 +24,12 @@ def is_project(self, document: Document) -> bool:
         return path.basename(document.path).split('/')[-1] == BUILD_MAVEN_FILE_NAME
 
     def get_commands(self, manifest_file_path: str) -> list[list[str]]:
-        return [['mvn', 'org.cyclonedx:cyclonedx-maven-plugin:2.7.4:makeAggregateBom', '-f', manifest_file_path]]
+        command = ['mvn', 'org.cyclonedx:cyclonedx-maven-plugin:2.7.4:makeAggregateBom', '-f', manifest_file_path]
+
+        maven_settings_file = self.ctx.obj.get('maven_settings_file')
+        if maven_settings_file:
+            command += ['-s', str(maven_settings_file)]
+        return [command]
 
     def get_lock_file_name(self) -> str:
         return join_paths('target', MAVEN_CYCLONE_DEP_TREE_FILE_NAME)
@@ -46,7 +51,7 @@ def try_restore_dependencies(self, document: Document) -> Optional[Document]:
 
     def restore_from_secondary_command(self, document: Document, manifest_file_path: str) -> Optional[Document]:
         restore_content = execute_commands(
-            commands=create_secondary_restore_commands(manifest_file_path),
+            commands=self.create_secondary_restore_commands(manifest_file_path),
             timeout=self.command_timeout,
             working_directory=self.get_working_directory(document),
         )
@@ -61,10 +66,8 @@ def restore_from_secondary_command(self, document: Document, manifest_file_path:
             absolute_path=restore_file_path,
         )
 
-
-def create_secondary_restore_commands(manifest_file_path: str) -> list[list[str]]:
-    return [
-        [
+    def create_secondary_restore_commands(self, manifest_file_path: str) -> list[list[str]]:
+        command = [
             'mvn',
             'dependency:tree',
             '-B',
@@ -73,4 +76,9 @@ def create_secondary_restore_commands(manifest_file_path: str) -> list[list[str]
             manifest_file_path,
             f'-DoutputFile={MAVEN_DEP_TREE_FILE_NAME}',
         ]
-    ]
+
+        maven_settings_file = self.ctx.obj.get('maven_settings_file')
+        if maven_settings_file:
+            command += ['-s', str(maven_settings_file)]
+
+        return [command]