Support Gradle root project with custom buildFileName in Dependency Scanning

Note to wider-community, sales, support and customer success

As always, we welcome contributions, so feel free to ask the PM of Composition Analysis questions if you are unsure about what needs to be done here and want to contribute the fix yourself!

NOTE: if you are a user who would also like to see this feature, please UPVOTE 👍 it and comment to help it get prioritized (so it's raised as part of our sensing mechanisms). Comments ideally should include what you want, how it would help you, what your pain point/frustration is today, and anything else that can help us focus on solving the problem.

If you are a team member commenting on behalf of a user (not ideal, as you can only upvote once!), please remember to upvote and include as much information as possible (what they are trying to solve for, their setup), in addition to a Salesforce or Zendesk link.

Release notes

Problem to solve

GitLab Dependency Scanning can't process a Gradle build unless the build file of the root project is named build.gradle or build.gradle.kts.

Intended users

User experience goal

Further details

build.gradle is the default filename for Gradle build files, but this can be changed in the project settings, in settings.gradle.

Gradle projects are scanned by the gemnasium-maven analyzer. As a result of gitlab-org/security-products/analyzers/gemnasium-maven!131 (merged), gemnasium-maven should be able to process any Gradle build file, even one with a custom filename. However, the CI template only triggers the gemnasium-maven-dependency_scanning job for git repositories that contain a build.gradle or build.gradle.kts file.

Proposal

Change the CI template, and update the rules:exists of the gemnasium-maven-dependency_scanning job to also match settings.gradle and settings.gradle.kts.

Other changes might be needed in the gemnasium-maven analyzer. To be checked.
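To make the gap concrete, the following POSIX shell script is an added example (not code from this issue, the CI template, or the gemnasium-maven analyzer). It simulates the current file-existence trigger and the proposed one against a constructed Gradle repository whose settings.gradle renames the root build file via rootProject.buildFileName, the mechanism mentioned under "Further details". The depth-limited path patterns (root, one and two directories deep) are an assumption modelled on how rules:exists globs are typically written in the Dependency Scanning template, not a quotation of it.

```shell
#!/bin/sh
# Added example: compare the current and proposed Dependency Scanning job
# triggers against a Gradle repo with a custom root build file name.
# ASSUMPTION: the template's rules:exists patterns look for a file at the
# repo root, one level down or two levels down; real patterns may differ.

# Does a file with one of the given names exist at depth 0, 1 or 2 below DIR?
matches_any() {
  dir=$1; shift
  for name in "$@"; do
    # Globs that match nothing stay literal and fail the -f test below
    for f in "$dir/$name" "$dir"/*/"$name" "$dir"/*/*/"$name"; do
      [ -f "$f" ] && return 0
    done
  done
  return 1
}

# Current behaviour described in the issue: only build.gradle(.kts) triggers
current_rule_matches() {
  matches_any "$1" build.gradle build.gradle.kts
}

# Proposed behaviour: settings.gradle(.kts) triggers the job as well
proposed_rule_matches() {
  matches_any "$1" build.gradle build.gradle.kts settings.gradle settings.gradle.kts
}

# Print the custom root build file name declared in the Gradle settings file
# (rootProject.buildFileName = '...' or "..."); prints nothing if not set.
root_build_file_name() {
  for s in "$1/settings.gradle" "$1/settings.gradle.kts"; do
    [ -f "$s" ] && sed -n "s/^rootProject.buildFileName *= *['\"]\([^'\"]*\)['\"].*/\1/p" "$s"
  done
  return 0
}

# Constructed sample: a single-project build whose root build file is renamed,
# so no build.gradle or build.gradle.kts exists anywhere in the repo.
make_custom_repo() {
  repo=$(mktemp -d)
  cat > "$repo/settings.gradle" <<'EOF'
rootProject.name = 'sample'
rootProject.buildFileName = 'sample.gradle'
EOF
  echo "plugins { id 'java' }" > "$repo/sample.gradle"
  printf '%s' "$repo"
}

# Constructed sample: the conventional layout that both rules already match
make_standard_repo() {
  repo=$(mktemp -d)
  echo "rootProject.name = 'conventional'" > "$repo/settings.gradle"
  echo "plugins { id 'java' }" > "$repo/build.gradle"
  printf '%s' "$repo"
}

# Stand-alone run: report which rule would schedule the scan for each sample
if [ "${0##*/}" != "sh" ]; then
  for mk in make_custom_repo make_standard_repo; do
    r=$($mk)
    printf '%s: build file=%s current=' "$mk" "$(root_build_file_name "$r")"
    current_rule_matches "$r" && printf 'yes' || printf 'no'
    printf ' proposed='
    proposed_rule_matches "$r" && printf 'yes\n' || printf 'no\n'
    rm -rf "$r"
  done
fi
```

Running it shows the custom-named repository is skipped by the current trigger but picked up by the proposed one, while the conventional repository is matched by both; a scan that never runs is the failure mode here, since a missing job produces no findings rather than an error.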

Permissions and Security

No change

Documentation

To be documented in Dependency Scanning docs.

Availability & Testing

To be tested in specific branches of the Secure test projects for Gradle:

Available Tier

GitLab Ultimate

What does success look like, and how can we measure that?

A Gradle multi-project build is properly scanned even when the build file of the root project isn't named build.gradle.

What is the type of buyer?

Is this a cross-stage feature?

No

Links / references

/cc @NicoleSchwartz @gonzoyumo @ifrenkel

Edited by Fabien Catteau