Refine Gemnasium's Response to Gradle Dependency Resolution Failures with Configurable Strictness
Problem
Gemnasium does not consistently reject Gradle projects that contain unresolved dependencies, so the dependency list it reports may be incomplete without the scan signalling that anything is missing. The behaviour was surfaced by the recent change "Fail for gradle dependencies that failed to be resolved", which changed how Gemnasium interprets the resolution status of each Gradle dependency.
Solution
Revert the changes introduced in "Add dependency resolution check to Gradle builder and update specs", which changed how Gemnasium interprets unresolved dependencies. Introduce a new environment variable, `DS_REQUIRE_RESOLVED_DEPENDENCIES`, so users can choose whether Gemnasium enforces dependency resolution strictly (fail the scan) or continues and reports partial results when unresolved dependencies are detected.
Implementation Plan
- Revert Merge Request: Roll back the changes from "Add dependency resolution check to Gradle builder and update specs".
- Add Environment Variable: Implement the `DS_REQUIRE_RESOLVED_DEPENDENCIES` variable, defaulting to `true`. When enabled, Gemnasium will fail the scan if unresolved dependencies are detected. If set to `false`, it will proceed with the scan and report partial results.
- Documentation: Update the troubleshooting documentation to explain the new environment variable, how to use it, and the implications of enabling or disabling it. Include references to the point about `isCanBeResolved` (see comment).
- Job Log Output: Update the job log output to include a direct link to the relevant section of the documentation when reporting a dependency resolution failure. This will allow customers to self-serve and address issues without needing to contact support.
- Testing: Ensure that the new configuration works as intended across different project setups.
- Notify Users: Communicate the changes to users, particularly those affected by the issue, and guide them on how to adjust their configurations accordingly (see comment).
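The following is an added illustration of the strictness policy the plan describes, written for this page and not taken from gemnasium's code base. It reads `DS_REQUIRE_RESOLVED_DEPENDENCIES` (unset or empty means the default, `true`), drops unresolved dependencies from the report, and either fails the scan or marks the report as partial. The `Dependency` and `Report` types, the sample dependency list, the choice of `strconv.ParseBool` spellings, the decision to treat an unparseable value as an error rather than silently disabling strictness, and the documentation link placeholder are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// Dependency is a constructed stand-in for one Gradle dependency node as an
// analyzer might collect it from a resolution report. It is not gemnasium's
// own type.
type Dependency struct {
	Configuration string
	Name          string
	Version       string
	Resolved      bool
	Reason        string // set only when Resolved is false
}

// Report is what the scan would hand to the report writer. Only resolved
// dependencies are listed; Partial records that some were dropped.
type Report struct {
	Dependencies []Dependency
	Partial      bool
	Warnings     []string
}

const envRequireResolved = "DS_REQUIRE_RESOLVED_DEPENDENCIES"

// docsLink is a placeholder for the troubleshooting section the job log
// should point at; the real URL is not part of this example.
const docsLink = "<troubleshooting-doc-url>"

// ErrUnresolved is the sentinel returned in strict mode when any dependency
// failed to resolve, so callers can distinguish it from configuration errors.
var ErrUnresolved = errors.New("unresolved Gradle dependencies")

// requireResolved reads the variable from environ (a map, so the logic can be
// exercised without touching the process environment). Unset or empty yields
// the default true. Accepted spellings follow strconv.ParseBool ("true", "1",
// "false", "0", ...); anything else is a configuration error.
func requireResolved(environ map[string]string) (bool, error) {
	raw, ok := environ[envRequireResolved]
	if !ok || raw == "" {
		return true, nil
	}
	v, err := strconv.ParseBool(raw)
	if err != nil {
		return false, fmt.Errorf("%s=%q is not a boolean: %w", envRequireResolved, raw, err)
	}
	return v, nil
}

// buildReport applies the strictness policy to a collected dependency list.
// Strict mode returns an error wrapping ErrUnresolved whose text carries the
// hint a user needs to self-serve; non-strict mode returns a partial report.
func buildReport(deps []Dependency, environ map[string]string) (Report, error) {
	strict, err := requireResolved(environ)
	if err != nil {
		return Report{}, err
	}
	var rep Report
	for _, d := range deps {
		if d.Resolved {
			rep.Dependencies = append(rep.Dependencies, d)
			continue
		}
		rep.Warnings = append(rep.Warnings, fmt.Sprintf(
			"%s: %s:%s could not be resolved (%s)", d.Configuration, d.Name, d.Version, d.Reason))
	}
	if len(rep.Warnings) == 0 {
		return rep, nil
	}
	if strict {
		return Report{}, fmt.Errorf("%w: %d of %d dependencies failed to resolve; "+
			"set %s=false to report partial results, see %s",
			ErrUnresolved, len(rep.Warnings), len(deps), envRequireResolved, docsLink)
	}
	rep.Partial = true
	return rep, nil
}

// sampleDependencies is a constructed resolution result: two resolvable
// dependencies and one that a CI runner could not fetch.
func sampleDependencies() []Dependency {
	return []Dependency{
		{Configuration: "compileClasspath", Name: "org.slf4j:slf4j-api", Version: "2.0.9", Resolved: true},
		{Configuration: "compileClasspath", Name: "com.fasterxml.jackson.core:jackson-databind", Version: "2.15.2", Resolved: true},
		{Configuration: "runtimeClasspath", Name: "com.example:internal-lib", Version: "1.4.0", Resolved: false,
			Reason: "private repository not reachable from the CI runner"},
	}
}

func main() {
	for _, env := range []map[string]string{{}, {envRequireResolved: "false"}} {
		rep, err := buildReport(sampleDependencies(), env)
		if err != nil {
			fmt.Println("scan failed:", err)
			continue
		}
		fmt.Printf("partial=%v resolved=%d warnings=%v\n", rep.Partial, len(rep.Dependencies), rep.Warnings)
	}
}
```

A user who wants partial results would set the variable under `variables:` in the job definition; with the default left in place, the strict-mode error text is what would appear in the job log together with the documentation link, which is the self-service path the plan calls for.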