Engineering Research: Dependency Scanning for Java Gradle
Investigate how to implement Dependency Scanning for Java Gradle projects. Two options are considered:
- Port Gemnasium Maven to Gradle (selected proposal)
- Build a wrapper for Dependency Check (not selected)
After investigation it's been decided to port Gemnasium Maven to Gradle. See https://gitlab.com/gitlab-org/gitlab-ee/issues/9742#note_212420439
This is an engineering research issue and implementation is covered by https://gitlab.com/gitlab-org/gitlab-ee/issues/13075.
Possible options
Port Gemnasium Maven
Port the Gemnasium Maven Plugin to Gradle so that it lists the dependencies of Gradle projects (direct and transitive, with the resolved versions) and generates an output that the gemnasium analyzer can consume. See sample output.
Two sub-options:
- fork the gemnasium-maven, make the fork detect Gradle projects and run the Gemnasium Gradle plugin
- make gemnasium-maven generic so that it can detect both Maven and Gradle projects, and run the compatible plugin to list the project dependencies
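To make the Gradle side of the first sub-option concrete, here is an added example (illustration only, not GitLab's or the Gemnasium project's code): a Gradle init script that, in every project with a `runtimeClasspath` configuration, walks the resolved dependency graph and writes direct and transitive dependencies to a JSON file. The task name `gemnasiumDependencies`, the output path and the JSON shape are assumptions; the real gemnasium output format (the "sample output" referenced above) is not reproduced on this page.

```groovy
// gemnasium-gradle.init.gradle (added example; task name, path and output shape are assumptions)
// Run without modifying the customer's build, the way an analyzer would:
//   gradle --init-script gemnasium-gradle.init.gradle gemnasiumDependencies
import groovy.json.JsonOutput
import org.gradle.api.artifacts.ResolvedDependency

allprojects {
    tasks.register("gemnasiumDependencies") {
        description = "Write the resolved runtimeClasspath dependency graph as JSON"
        def outputFile = layout.buildDirectory.file("gemnasium/gradle-dependencies.json")
        outputs.file(outputFile)

        doLast {
            // runtimeClasspath is what actually ships; test/compileOnly scopes are deliberately
            // left out, and projects without the Java plugin (no such configuration) are skipped.
            def config = configurations.findByName("runtimeClasspath")
            if (config == null) {
                logger.lifecycle("${project.path}: no runtimeClasspath configuration, skipping")
                return
            }

            // Gradle resolves each module to exactly one version per configuration,
            // so group:name is a stable key for de-duplicating the graph.
            def seen = new LinkedHashMap<String, Map<String, Object>>()
            def keyOf = { ResolvedDependency d -> "${d.moduleGroup}:${d.moduleName}".toString() }
            def record = { ResolvedDependency d, String parentKey ->
                seen[keyOf(d)] = [
                    group  : d.moduleGroup,
                    name   : d.moduleName,
                    version: d.moduleVersion,      // the version actually selected after conflict resolution
                    direct : parentKey == null,    // declared in the build vs. pulled in transitively
                    parent : parentKey
                ]
            }
            def walk
            walk = { ResolvedDependency d ->
                d.children.each { child ->
                    def k = keyOf(child)
                    if (seen.containsKey(k)) return  // already recorded via another path (or a cycle)
                    record(child, keyOf(d))
                    walk(child)
                }
            }

            def firstLevel = config.resolvedConfiguration.firstLevelModuleDependencies
            // Record direct dependencies first, so a module reachable both directly and
            // transitively is never mislabelled as transitive.
            firstLevel.each { record(it, null) }
            firstLevel.each { walk(it) }

            def f = outputFile.get().asFile
            f.parentFile.mkdirs()
            f.text = JsonOutput.prettyPrint(JsonOutput.toJson([
                project      : project.path,
                configuration: config.name,
                dependencies : seen.values().toList()
            ]))
            logger.lifecycle("${project.path}: ${seen.size()} dependencies written to ${f}")
        }
    }
}
```

Injecting the task through `--init-script` keeps the customer's `build.gradle` untouched, which is how an analyzer container would have to work. Two practical points for the real port: the dependencies must actually be resolvable in the CI job (private repositories need credentials, otherwise resolution fails and nothing is reported), and the recorded version must be the resolved one, not the declared range, since that is the version the vulnerability lookup has to match.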
Pros:
- Smaller footprint, runs faster
- Lower complexity, making it easier to navigate the code
- No technical discrepancies - developers familiar with the Gemnasium analyzers can maintain this new analyzer right away
- Consistency of behavior, options and integration - the options are the ones already exposed by Dependency Scanning, with possibly the addition of new ones specific to Gradle
And overall it would be easier for the ~"Secure::Software Composition Analysis" team at GitLab to maintain the code and respond to customer requests.
Cons:
- Lack of skills to port the Gemnasium Maven Plugin to Gradle
- Vulnerabilities may be missing until https://gitlab.com/gitlab-org/gitlab-ee/issues/12316 is done.
See https://gitlab.com/gitlab-org/gitlab-ee/issues/9742#note_192885454
Build a wrapper for Dependency Check
Create a new analyzer for Dependency Scanning that wraps Dependency Check. This is possible because Dependency Check (DC) can scan Gradle projects and generate a JSON report. The scanning tool is available as a Docker image, which shows that it can run in a Docker container, like any GitLab Dependency Scanning analyzer. Dependency Check's options would have to be set so that it scans Gradle projects only, since it supports many other ecosystems.
Dependency Check leverages the NVD vulnerability database and uses pattern matching on the evidence it collects from an artifact (coordinates, manifest entries, etc.) to match the artifact to a CPE. To do this efficiently it keeps a local database copy of the NVD data, which has to be downloaded and kept up to date.
Pros:
- Dependency Check can already leverage the NVD vuln. database to scan for vulnerabilities in Gradle dependencies. It's proven to work.
Cons:
- It's complex, made of multiple components, and relies on a local database that has to be populated (and updated) before a scan. In an ephemeral CI container that means downloading the NVD data at job start unless it is cached, which doesn't fit well in a CI job.
- It provides more than we need, which possibly generates maintenance cost.
- The options it provides do not directly match the ones exposed by Dependency Scanning (integration).
See https://gitlab.com/gitlab-org/gitlab-ee/issues/9742#note_193728120