Dependency Scanning incorrectly handles nested dependencies in Gradle project

Summary

A customer reported that for one of their projects the log4j-core vulnerability was not detected. It appears that the package itself is not detected as part of the dependency tree, whereas running `./gradlew dependencies` shows it.

Extract from ./gradlew dependencies:

runtimeClasspath - Runtime classpath of source set 'main'.
<snip>
+--- org.apache.logging.log4j:log4j-api:2.13.2
+--- org.apache.logging.log4j:log4j-slf4j-impl:2.13.2
|    +--- org.slf4j:slf4j-api:1.7.25 -> 1.7.30
|    +--- org.apache.logging.log4j:log4j-api:2.13.2
|    \--- org.apache.logging.log4j:log4j-core:2.13.2
|         \--- org.apache.logging.log4j:log4j-api:2.13.2

Steps to reproduce

Example Project


Implementation Plan

  1. Change the gemnasium-gradle-plugin to remove all filtering and instead output dependencies for all scopes. See this MR for a starting point.

    Remove de-duplication from dependency output (gitlab-org/security-products/analyzers/gemnasium-gradle-plugin!19 - merged)

  2. Publish a new version of the gemnasium-gradle-plugin with the above changes.

    https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-gradle-plugin/-/jobs/2202996136

  3. Update gemnasium to use the new version of the gemnasium-gradle-plugin published in step 2 above.

  4. Update gemnasium to remove duplicates from the gradle-dependencies.json file generated by the gemnasium-gradle-plugin.

    https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/blob/8e6204d1375bae6ca698a36c2b376a39609db4b6/scanner/parser/mvnplugin/mvnplugin.go#L28-30

  5. Add unit tests to gemnasium for the above behaviour

    https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/blob/8e6204d1375bae6ca698a36c2b376a39609db4b6/scanner/parser/mvnplugin/mvnplugin_test.go

  6. Add image integration tests to gemnasium to ensure dependencies for compile and implementation directives are the same, and that nested dependencies are present. This build.gradle file can be used for a test project with nested dependencies using the compile directive, and this build.gradle can be used for a test project with nested dependencies using the implementation directive.

    https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven/-/blob/7e056a7d6ce8a1c52ef47d3da3a1cdc56b14af59/spec/image_spec.rb#L94-110
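The tree in the Summary only shows log4j-core as a child of log4j-slf4j-impl, which is exactly the node a scanner loses if it filters scopes or de-duplicates before the nested rows are recorded. The Go program below is an added illustration for this issue, not code from gemnasium or the gemnasium-gradle-plugin: it parses the plain `gradlew dependencies` text format quoted above (the plugin itself emits gradle-dependencies.json, whose layout is not shown on this page), keeps every node at every depth and takes the resolved version from `requested -> resolved` rows, then de-duplicates by group:name:version as step 4 proposes, so the three log4j-api rows collapse to one while the nested log4j-core survives. The only input is the runtimeClasspath extract from the Summary, embedded as a constructed sample; the function and type names are this example's own.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Dependency is one node of the `gradle dependencies` tree.
type Dependency struct {
	Group   string
	Name    string
	Version string // resolved version (right-hand side of "requested -> resolved")
	Depth   int    // 0 for direct dependencies, 1 for their children, ...
}

// Coordinate renders the artifact as group:name:version, the key that
// de-duplication works on.
func (d Dependency) Coordinate() string {
	return d.Group + ":" + d.Name + ":" + d.Version
}

// sampleTree is a constructed input: the runtimeClasspath extract quoted in
// this issue, so the example runs offline without a Gradle project.
const sampleTree = `runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.apache.logging.log4j:log4j-api:2.13.2
+--- org.apache.logging.log4j:log4j-slf4j-impl:2.13.2
|    +--- org.slf4j:slf4j-api:1.7.25 -> 1.7.30
|    +--- org.apache.logging.log4j:log4j-api:2.13.2
|    \--- org.apache.logging.log4j:log4j-core:2.13.2
|         \--- org.apache.logging.log4j:log4j-api:2.13.2
`

// ParseGradleTree returns every node of the tree at any depth. A scanner that
// only records top-level rows never sees log4j-core here, because it is not
// declared directly and only arrives through log4j-slf4j-impl.
func ParseGradleTree(out string) []Dependency {
	var deps []Dependency
	for _, line := range strings.Split(out, "\n") {
		idx := strings.Index(line, "--- ")
		if idx < 1 {
			continue // configuration header, blank line, or "No dependencies"
		}
		// Gradle indents each nesting level by five columns ("|    " or "     ")
		// before the "+---" / "\---" connector that sits at idx-1.
		depth := (idx - 1) / 5
		coord := strings.TrimSpace(line[idx+4:])
		// Drop Gradle's trailing markers: (*) already shown, (c) constraint, (n) not resolved.
		for _, m := range []string{" (*)", " (c)", " (n)"} {
			coord = strings.TrimSuffix(coord, m)
		}
		if dep, ok := parseCoordinate(coord, depth); ok {
			deps = append(deps, dep)
		}
	}
	return deps
}

// parseCoordinate handles "group:name:version", "group:name:requested -> resolved"
// and "group:name -> resolved" (a dependency declared without a version).
// Rows that are not Maven coordinates, such as "project :lib", are skipped.
func parseCoordinate(coord string, depth int) (Dependency, bool) {
	left, resolved, hasArrow := strings.Cut(coord, " -> ")
	parts := strings.Split(left, ":")
	if len(parts) < 2 || len(parts) > 3 {
		return Dependency{}, false
	}
	d := Dependency{Group: parts[0], Name: parts[1], Depth: depth}
	if len(parts) == 3 {
		d.Version = parts[2]
	}
	if hasArrow {
		d.Version = resolved // conflict resolution won; this is the version that ships
	}
	if d.Version == "" {
		return Dependency{}, false
	}
	return d, true
}

// Dedupe collapses repeated coordinates (log4j-api appears three times above)
// while keeping the shallowest occurrence, so a node that only appears nested
// is still kept. The result is sorted for stable output.
func Dedupe(deps []Dependency) []Dependency {
	seen := map[string]Dependency{}
	for _, d := range deps {
		key := d.Coordinate()
		if prev, ok := seen[key]; !ok || d.Depth < prev.Depth {
			seen[key] = d
		}
	}
	out := make([]Dependency, 0, len(seen))
	for _, d := range seen {
		out = append(out, d)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Coordinate() < out[j].Coordinate() })
	return out
}

// Contains reports whether an artifact (group:name:version) is in the list.
func Contains(deps []Dependency, coordinate string) bool {
	for _, d := range deps {
		if d.Coordinate() == coordinate {
			return true
		}
	}
	return false
}

func main() {
	all := ParseGradleTree(sampleTree)
	unique := Dedupe(all)
	fmt.Printf("%d tree nodes, %d unique artifacts\n", len(all), len(unique))
	for _, d := range unique {
		fmt.Printf("depth %d  %s\n", d.Depth, d.Coordinate())
	}
	fmt.Println("log4j-core present:", Contains(unique, "org.apache.logging.log4j:log4j-core:2.13.2"))
}
```

The order matters: parse the whole tree first, then de-duplicate by full coordinate. De-duplicating on artifact name alone, or dropping rows below the first level, is what turns the six rows above into a list that no longer contains log4j-core.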

Edited by Adam Cohen