Report vulnerable dependency paths for Gradle
Problem to solve
Dependency Scanning should report the dependency paths for vulnerable dependencies found in Java projects using Maven or Gradle. These dependency paths can then be shown in the UI, including in the dependency list. See #227620 (closed)
Proposal
Update the lock file parser used to parse the JSON output of the Gemnasium plugins for Maven and Gradle (same output), and make it able to build the dependency graph.
Implementation plan
- Add the dependencies.lock file to the Gradle package manager supported file names.
- Add directory scanner/parser/gradle with two files: nebula.go and nebula_test.go.
- Ensure that the analyzer works e2e with a single project.
- Ensure that the analyzer works e2e with a multi-project monorepo.
- Document support in the README of the analyzer. A separate issue will cover the larger documentation changes required for the new analyzer.
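As an added example (not the analyzer's nebula.go and not code from this issue), a Go sketch of the graph-building step for a Nebula dependencies.lock file. It assumes the file is JSON keyed by configuration, and that each entry's `transitive` field lists the direct dependents that pulled the dependency in; from a constructed sample it reconstructs every path from a direct project dependency down to one coordinate, which is what the report needs for a vulnerable dependency.

```go
package main

import (
	"encoding/json"
	"strings"
)

// lockDep is one entry of a Nebula dependencies.lock configuration. Assumption made for
// this example: "transitive" lists the direct dependents that pulled the dependency in.
type lockDep struct {
	Locked     string   `json:"locked"`
	Transitive []string `json:"transitive"`
}
// sampleLock is a constructed lock file for illustration, not taken from any real project.
const sampleLock = `{"runtimeClasspath": {
  "com.example:app-lib":   {"locked": "1.0.0"},
  "com.example:transport": {"locked": "2.3.1", "transitive": ["com.example:app-lib"]},
  "org.example:codec":     {"locked": "0.9.0", "transitive": ["com.example:transport", "com.example:app-lib"]}
}}`
// DependencyPaths returns every path from a direct project dependency down to dep
// ("group:artifact") within one configuration, formatted "a:b@v > c:d@v". It walks
// dependents upward; seen stops on cycles, and coordinates absent from the file are skipped.
func DependencyPaths(raw []byte, configuration, dep string) ([]string, error) {
	var lf map[string]map[string]lockDep // configuration -> "group:artifact" -> entry
	if err := json.Unmarshal(raw, &lf); err != nil {
		return nil, err
	}
	cfg := lf[configuration] // nil when the configuration is absent: no paths are found
	var paths []string
	seen := map[string]bool{}
	var walk func(name string, chain []string)
	walk = func(name string, chain []string) {
		entry, ok := cfg[name]
		if !ok || seen[name] {
			return
		}
		seen[name] = true
		defer delete(seen, name)
		chain = append([]string{name + "@" + entry.Locked}, chain...)
		if len(entry.Transitive) == 0 { // nothing depends on it: a direct dependency
			paths = append(paths, strings.Join(chain, " > "))
		}
		for _, parent := range entry.Transitive {
			walk(parent, chain)
		}
	}
	walk(dep, nil)
	return paths, nil
}
```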
Permissions and Security
N/A
Documentation
We should document the supported file names we detect, and how to generate them, as part of Document graph export dependency scanning feature (#479219, closed; Russell Dickenson, Oscar Tovar; 17.5). The built-in Gradle lock file format does not support the full dependency paths. Because of this, the dependency paths feature won't be enabled if that's the only file found.
Availability & Testing
To be tested automatically as part of QA for the analyzer project, by checking the generated report.
What does success look like, and how can we measure that?
The analyzer reports the dependency paths of the vulnerable dependencies for projects using this package manager.
What is the type of buyer?
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.