Support Gradle root project with custom buildFileName in Dependency Scanning
Note to wider-community, sales, support and customer success
As always, we welcome contributions, so feel free to ask questions of the PM of Composition Analysis if you are unsure about what needs to be done here and want to contribute the fix yourself!
NOTE: if you are a user who would also like to see this feature, please UPVOTE.
If you are a team member commenting on behalf of a user (not ideal, as you can only upvote once!), please remember to upvote and include as much information as possible (what they are trying to solve for, their setup) in addition to a Salesforce or Zendesk link.
Release notes
Problem to solve
GitLab Dependency Scanning can't process a Gradle build unless the build file of the root project is named `build.gradle` or `build.gradle.kts`.
Intended users
User experience goal
Further details
`build.gradle` is the default filename for Gradle build files, but this can be changed in the project settings, in `settings.gradle`.
Gradle projects are scanned by the gemnasium-maven analyzer. As a result of gitlab-org/security-products/analyzers/gemnasium-maven!131 (merged), gemnasium-maven should be able to process any Gradle build file, even one with a custom filename. However, the CI template only triggers `gemnasium-maven-dependency_scanning` scanning jobs for git repositories that contain a `build.gradle` or `build.gradle.kts` file.
Proposal
Change the CI template, and update the `rules:exists` of the `gemnasium-maven-dependency_scanning` job to also match `settings.gradle` and `settings.gradle.kts`.
Other changes might be needed in the gemnasium-maven analyzer. To be checked.
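As an added illustration of the proposed template change (constructed here, not the page's own text nor the exact contents of GitLab's Dependency Scanning CI template), the `exists` rule of the job before and after the change. The job name and the `exists` keyword come from the page; the glob patterns, the `$CI_COMMIT_BRANCH` condition and the `rootProject.buildFileName` setting in the comment are assumptions.

```yaml
# Constructed example. A repository whose settings.gradle contains (assumed)
#   rootProject.buildFileName = 'myproject.gradle'
# has no build.gradle at all, so the current rule never starts the job and
# the Gradle dependencies are silently never scanned.

# Current rule: only repositories with a default-named root build file
gemnasium-maven-dependency_scanning:
  rules:
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/build.gradle'
        - '**/build.gradle.kts'
---
# Proposed rule: also match the settings file, which a Gradle
# multi-project build has regardless of the root build file's name
gemnasium-maven-dependency_scanning:
  rules:
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/build.gradle'
        - '**/build.gradle.kts'
        - '**/settings.gradle'
        - '**/settings.gradle.kts'
```

The two documents are separated with `---` only so that the same job name can appear twice in one file; in a real template only the second form would be present.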
Permissions and Security
No change
Documentation
To be documented in Dependency Scanning docs.
Availability & Testing
To be tested in specific branches of the Secure test projects for Gradle:
- https://gitlab.com/gitlab-org/security-products/tests/java-gradle
- https://gitlab.com/gitlab-org/security-products/tests/java-gradle-multimodules
Available Tier
What does success look like, and how can we measure that?
A Gradle multi-project build is properly scanned even when the build file of the root project isn't named `build.gradle`.
What is the type of buyer?
Is this a cross-stage feature?
No