
Add details for fixing unresolved dependency error to the troubleshooting section of the Dependency Scanning docs

Problem to solve

We've recently received support tickets (#298299, #309817) related to an unresolved dependencies error produced by the gemnasiumDumpDependencies task of the gemnasium-gradle-plugin in gemnasium-maven:

> Task :gemnasiumDumpDependencies FAILED
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':gemnasiumDumpDependencies'.
> Project has 2 unresolved dependencies: org.jetbrains.kotlin:kotlin-test:1.5.10, org.jetbrains.kotlin:kotlin-test:1.5.10

I also personally ran into the same issue in the gemnasium-gradle-plugin which I fixed in Update kotlin to 1.6.10 (gitlab-org/security-products/analyzers/gemnasium-gradle-plugin!26 - merged).

There's been a lot of confusion with regards to the above error:

Is this error caused because Dependency Scanning doesn't support kotlin?

No. kotlin has been officially supported by Dependency Scanning since Support build scripts using Gradle's Kotlin DSL... (#209345 - closed) was completed on June 4th, 2020. We also have a test to ensure that build.gradle.kts files can be used with gradle as expected.

Is this a bug in the GitLab Dependency Scanning analyzer (aka gemnasium-maven)?

Yes and no. The unresolved dependencies error is caused by a build.gradle (or build.gradle.kts) file which contains unresolved dependencies.

The issue we're facing is that the "official" gradle method for outputting dependencies (the gradle dependencies task) continues and produces meaningful output when it encounters an unresolved dependency, while the GitLab implementation (the gemnasium-maven analyzer) fails instead.

This issue should hopefully be fixed by Replace gemnasium-gradle-plugin with the htmlDe... (#337083 - closed), but until this issue has been completed, you'll need to fix the build.gradle (or build.gradle.kts) file by adding the unresolved dependency. See this comment for one of the ways we've managed to fix this issue.

Background

To understand what's going on, we need to discuss how gemnasium-maven works:

Once gemnasium-maven detects a supported build file, such as build.gradle or build.gradle.kts, it executes the gradle or gradlew command, and passes an --init-script argument which executes the gemnasiumDumpDependencies task of the gemnasium-gradle-plugin project.

The gemnasiumDumpDependencies task attempts to build the gradle project from the given build.gradle file, resolves dependencies, and outputs the project dependencies to a gradle-dependencies.json file, which is then parsed by gemnasium-maven.

If a dependency cannot be resolved while building the gradle project, gemnasium-gradle-plugin reports the familiar unresolved dependencies error and does not produce a dependency graph:

$ git clone git@gitlab.com:gitlab-org/security-products/analyzers/gemnasium-gradle-plugin.git && \
   cd gemnasium-gradle-plugin && \
   git checkout 42c5ff41c25fceb561480b379f1886034a09d303

$ docker run -it --rm -e SECURE_LOG_LEVEL=debug \
   -v "$PWD:/gemnasium-gradle-plugin-src" \
   -w /gemnasium-gradle-plugin-src \
   registry.gitlab.com/security-products/gemnasium-maven:2.27.4 \
   bash -ic 'gradle -p /gemnasium-gradle-plugin-src --init-script /gemnasium-gradle-plugin-init.gradle gemnasiumDumpDependencies'

Welcome to Gradle 6.7.1!

> Task :gemnasiumDumpDependencies FAILED
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':gemnasiumDumpDependencies'.
> Project has 2 unresolved dependencies: org.jetbrains.kotlin:kotlin-test:1.5.10, org.jetbrains.kotlin:kotlin-test:1.5.10

Since the gemnasiumDumpDependencies task relies on gradle to build the project, this error indicates an issue with the build.gradle file.

We can confirm the issue by running the gradle dependencies task directly, thereby removing gemnasium-maven and gemnasium-gradle-plugin from the equation:

$ git clone git@gitlab.com:gitlab-org/security-products/analyzers/gemnasium-gradle-plugin.git && \
   cd gemnasium-gradle-plugin && \
   git checkout 42c5ff41c25fceb561480b379f1886034a09d303

$ docker run -it --rm -e SECURE_LOG_LEVEL=debug \
   -v "$PWD:/gemnasium-gradle-plugin-src" \
   -w /gemnasium-gradle-plugin-src \
   registry.gitlab.com/security-products/gemnasium-maven:2.27.4 \
   bash -ic 'gradle -p /gemnasium-gradle-plugin-src dependencies'

Welcome to Gradle 6.7.1!
...
> Task :dependencies
...
functionalTestImplementationDependenciesMetadata
+--- org.jetbrains.kotlin:kotlin-stdlib:1.5.10
...
+--- org.jetbrains.kotlin:kotlin-test:1.5.10 FAILED
+--- org.jetbrains.kotlin:kotlin-test-junit:1.5.10
|    +--- org.jetbrains.kotlin:kotlin-test:1.5.10 FAILED

As can be seen from the above output, the org.jetbrains.kotlin:kotlin-test:1.5.10 dependency failed to resolve while executing the gradle dependencies task; however, the task still produced a dependency graph.

This is the main difference between the built-in gradle dependencies task and the gemnasium-gradle-plugin gemnasiumDumpDependencies task when encountering an unresolvable dependency:

  • the built-in gradle dependencies task continues and produces a dependency graph.
  • the gemnasium-gradle-plugin gemnasiumDumpDependencies task halts immediately and outputs an error message and does not produce a dependency graph.
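Because the built-in task keeps going, its output can be used to list exactly which coordinates need fixing in build.gradle(.kts) before the analyzer is run. The script below is an added example, not part of gemnasium-maven or gemnasium-gradle-plugin; it parses the FAILED markers in `gradle dependencies` output (shown above) and the sample output is constructed to mirror that excerpt.

```shell
#!/bin/sh
# Added example (not project code): extract the dependency coordinates that
# Gradle marked FAILED in `gradle dependencies` output, so the build file can
# be fixed before Dependency Scanning (gemnasiumDumpDependencies) aborts on them.

# Constructed sample of `gradle dependencies` output, modelled on the excerpt
# in the issue; not a real capture. Note kotlin-test appears twice, which is
# why the plugin reports "2 unresolved dependencies" for one missing artifact.
SAMPLE_GRADLE_OUTPUT='> Task :dependencies

functionalTestImplementationDependenciesMetadata
+--- org.jetbrains.kotlin:kotlin-stdlib:1.5.10
+--- org.jetbrains.kotlin:kotlin-test:1.5.10 FAILED
+--- org.jetbrains.kotlin:kotlin-test-junit:1.5.10
|    +--- org.jetbrains.kotlin:kotlin-test:1.5.10 FAILED
\--- com.example:missing-lib:2.0.0 FAILED
\--- com.example:present-lib:1.0.0 (*)'

# unresolved_deps: read `gradle dependencies` output on stdin and print each
# distinct group:artifact:version that Gradle could not resolve, one per line.
unresolved_deps() {
    # Skip the tree-drawing prefix (+---, \---, |, spaces) up to the first
    # letter, capture the coordinate token, and keep the line only when it ends
    # with FAILED. sort -u collapses repeated entries from different configs.
    sed -n 's/^[^a-zA-Z]*\([^ ]*\).* FAILED$/\1/p' | sort -u
}

# unresolved_count: number of distinct unresolved coordinates (0 when clean).
unresolved_count() {
    unresolved_deps | wc -l | tr -d ' '
}

# Typical use: gradle -p "$PROJECT_DIR" dependencies | unresolved_deps
printf '%s\n' "$SAMPLE_GRADLE_OUTPUT" | unresolved_deps
```

Each printed coordinate is one that must be made resolvable (declared, version-corrected, or given a reachable repository) in build.gradle or build.gradle.kts; an empty result means the gemnasiumDumpDependencies task should get past this particular failure.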

We currently have an open issue to Replace gemnasium-gradle-plugin with the htmlDe... (#337083 - closed) which will allow gemnasium-maven to recover from unresolved dependencies errors and still produce a dependency graph.

Proposal

The purpose of this issue is to add details to the troubleshooting section of the Dependency Scanning docs to explain how to fix this unresolved dependencies error.

Implementation Plan

Add details to the troubleshooting section of the Dependency Scanning docs to explain how to fix this unresolved dependencies error:

If you encounter the error message: Project has x unresolved dependencies: then this indicates a dependency resolution problem caused by your build.gradle or build.gradle.kts file. Currently, gemnasium-maven is unable to continue processing when an unresolved dependency is encountered; however, we have an open issue to allow gemnasium-maven to recover from unresolved dependency errors and produce a dependency graph. Until this issue has been completed, you'll need to consult the Gradle dependency resolution docs for details on how to fix your build.gradle file.

/cc @gonzoyumo @fcatteau @sam.white @greg @dannyjb

Edited by Adam Cohen