Silenced errors in gemnasium-gradle-plugin
Summary
gemnasium-gradle-plugin is used by the gemnasium-maven analyzer to get dependencies for Gradle projects. When an error occurs during execution of the gemnasiumDumpDependencies task, no error is surfaced; instead the message "No dependencies found in project." is shown and the task succeeds. This can lead the user to the wrong conclusions about what happened in the job.
Steps to reproduce
Update your Gradle project's build file so that it points at a non-existent Maven repository URL:
repositories {
maven { url "https://example.com" }
}
Run /gradle-plugin-builder/gradlew build; the build fails, as expected, because the dependencies cannot be resolved:
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':compileJava'.
> Could not resolve all files for configuration ':compileClasspath'.
> Could not resolve io.netty:netty:3.9.1.Final.
Required by:
project :
> Could not resolve io.netty:netty:3.9.1.Final.
> Could not get resource 'https://example.com/io/netty/netty/3.9.1.Final/netty-3.9.1.Final.pom'.
> Could not GET 'https://example.com/io/netty/netty/3.9.1.Final/netty-3.9.1.Final.pom'.
> example.com: Name or service not known
Now run the plugin's gemnasiumDumpDependencies task against the same project (you can do this by shelling into your project via the gemnasium-maven image). The resolution failure is swallowed and the build reports success:
root@docker-desktop:/tmp/project# /gradle-plugin-builder/gradlew --init-script /gemnasium-gradle-plugin-init.gradle gemnasiumDumpDependencies
> Task :gemnasiumDumpDependencies
No dependencies found in project.
BUILD SUCCESSFUL in 1s
1 actionable task: 1 executed
Example Project
Here's a job where the analyzer passes successfully even though the /gradle-plugin-builder/gradlew build step fails; the only message shown is "No dependencies found in project.":
https://gitlab.com/gitlab-org/security-products/tests/java-gradle/-/jobs/553604286
What is the current bug behavior?
The analyzer hides the errors it encounters, so jobs that ought to fail pass instead.
What is the expected correct behavior?
The analyzer should surface the errors it encounters, and the jobs it is part of should fail.
Implementation Plan
- Update the walk function of the gemnasium-gradle-plugin to throw a GradleException
exception if the project has unresolved dependencies:val resolutionResult = configuration.incoming.resolutionResult val root = resolutionResult.root + if (root.dependencies.filterIsInstance<UnresolvedDependencyResult>().isNotEmpty()) { + throw GradleException("Project has unresolved dependencies") + } // Keep track of all direct dependencies directDependencies.addAll(root.dependencies.map { it.requested.displayName })
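Review bot: the new check only inspects `root.dependencies`, so only an unresolved direct dependency raises the exception; an unresolved transitive dependency would still go unreported. Consider iterating `resolutionResult.allDependencies` (Gradle's `ResolutionResult.getAllDependencies()`) instead of `root.dependencies` for the `filterIsInstance<UnresolvedDependencyResult>()` check, and include the unresolved coordinates and each `UnresolvedDependencyResult.failure` in the `GradleException("Project has unresolved dependencies")` message, since surfacing the underlying error to the user is the point of this issue.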
- The buildGradle function shouldn't need to be updated, since it should automatically output the error raised by the modified gemnasium-gradle-plugin from step 1.
- Add unit tests for the above behaviour.
- Add manual tests to the https://gitlab.com/gitlab-org/security-products/tests/java-gradle test project:
  - job fails as expected when the project has unresolved dependencies:
> Task :gemnasiumDumpDependencies FAILED
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':gemnasiumDumpDependencies'.
> Project has unresolved dependencies
BUILD FAILED in 17s
1 actionable task: 1 executed
exit status 1
ERROR: Job failed: exit code 1
  - job passes when the project is valid and has no unresolved dependencies.
- Update gemnasium-maven to use the fixed v0.3.1 gemnasium-gradle-plugin.
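For illustration, here is a stand-alone Gradle Kotlin DSL task that applies the behaviour the plan above asks for: it walks the resolution result, fails the build with a GradleException when anything is unresolved, and reports which coordinates failed and why. This is an added example, not code from gemnasium-gradle-plugin or gemnasium-maven. It goes a step further than the plan in that it walks allDependencies (transitive edges included) rather than only the root's direct dependencies. It assumes the Java plugin is applied (so compileClasspath and runtimeClasspath exist); the task name checkResolvedDependencies is hypothetical.

```kotlin
// build.gradle.kts (added example; not the plugin's own code)
// Assumed: the Java plugin is applied; task name checkResolvedDependencies is hypothetical.
import org.gradle.api.GradleException
import org.gradle.api.artifacts.result.ResolvedDependencyResult
import org.gradle.api.artifacts.result.UnresolvedDependencyResult

tasks.register("checkResolvedDependencies") {
    doLast {
        val failures = mutableListOf<String>()
        val resolved = sortedSetOf<String>()

        listOf("compileClasspath", "runtimeClasspath")
            .mapNotNull { configurations.findByName(it) }
            .forEach { configuration ->
                // resolutionResult is lenient: a failed resolution does not throw here,
                // it shows up as UnresolvedDependencyResult entries in the graph.
                // allDependencies covers transitive edges, not only root.dependencies.
                configuration.incoming.resolutionResult.allDependencies.forEach { dep ->
                    when (dep) {
                        is UnresolvedDependencyResult ->
                            failures += "${configuration.name}: ${dep.requested.displayName}: ${dep.failure.message}"
                        is ResolvedDependencyResult ->
                            resolved += dep.selected.id.displayName
                    }
                }
            }

        if (failures.isNotEmpty()) {
            // Fail the task, and therefore the CI job, with the real reasons
            // instead of reporting "No dependencies found in project."
            throw GradleException(
                "Project has unresolved dependencies:\n" + failures.joinToString("\n")
            )
        }
        resolved.forEach { println(it) }
    }
}
```

Run it with ./gradlew checkResolvedDependencies. With the bogus repository from the reproduction steps above, the task fails and the message lists each unresolved coordinate together with the failure Gradle attached to it (the "Could not GET ..." chain), so the job log shows the cause rather than an empty dependency list.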