Dependency Scanning for Java Gradle projects
Problem to solve
Make Dependency Scanning scan Java Gradle projects.
Further details
Currently GitLab Dependency Scanning is able to scan Java Maven projects but does not support Java Gradle. See Supported languages and package managers.
Maven projects are scanned by the gemnasium-maven analyzer, which relies on the Gemnasium Maven Plugin to build the list of the project dependencies. This can't work with Gradle projects because the dependencies are declared in a Gradle configuration file, not in a POM XML file.
Proposal
- port the Gemnasium Maven Plugin
  - build a dependency list for a given Gradle project
  - turn that list into a JSON document; see Plugin output
- update gemnasium-maven
  - change project detection so that it responds to Gradle files
  - integrate the new Gemnasium Gradle plugin
  - switch between the two plugins depending on the detected files
This would be similar to gemnasium-python, which can handle multiple package managers.
It makes sense to reuse the existing gemnasium-maven because Gemnasium will detect Maven packages hosted on Maven Central.
Update dependency-scanning (update the Go module gemnasium-maven) and release a new version. This is needed so that the legacy Docker-in-Docker based Dependency Scanning detects Gradle projects.
Plugin output
The Gemnasium Gradle plugin generates a JSON array of dependency objects.
A dependency MUST have these fields:
- groupId (string)
- artifactId (string)
- version (string)
See current implementation of the parser.
The array SHOULD NOT contain duplicates, though this is something we can remediate in the parser if needed.
A dependency MAY have these extra fields:
- classifier (string)
- scope (string)
- transitive (boolean)
- parents (array of groupId:artifactId strings)
- optional (boolean)
- requirement (string)
See the document generated by the Gemnasium Maven plugin:
TODO: establish which fields don't apply to Gradle dependencies, if any.
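As an added example (not code from gemnasium-maven or the Gemnasium Gradle plugin), here is a Go parser for the format described above. It enforces the MUST fields, keeps the MAY fields optional, and de-duplicates entries on the parser side, which the text allows; the JSON input is constructed for illustration.

```go
package main

import "encoding/json"
import "fmt"

// GradleDependency mirrors the object shape listed under "Plugin output".
type GradleDependency struct {
	GroupID     string   `json:"groupId"`
	ArtifactID  string   `json:"artifactId"`
	Version     string   `json:"version"`
	Classifier  string   `json:"classifier,omitempty"`
	Scope       string   `json:"scope,omitempty"`
	Transitive  bool     `json:"transitive,omitempty"`
	Parents     []string `json:"parents,omitempty"`
	Optional    bool     `json:"optional,omitempty"`
	Requirement string   `json:"requirement,omitempty"`
}

// ParsePluginOutput decodes the plugin's JSON array, rejects entries missing a
// required field, and drops duplicates keyed on groupId:artifactId:version:classifier.
func ParsePluginOutput(data []byte) ([]GradleDependency, error) {
	var raw []GradleDependency
	if err := json.Unmarshal(data, &raw); err != nil {
		return nil, fmt.Errorf("invalid plugin output: %w", err)
	}
	seen := make(map[string]bool)
	deps := make([]GradleDependency, 0, len(raw))
	for i, d := range raw {
		if d.GroupID == "" || d.ArtifactID == "" || d.Version == "" {
			return nil, fmt.Errorf("dependency %d: groupId, artifactId and version are required", i)
		}
		key := d.GroupID + ":" + d.ArtifactID + ":" + d.Version + ":" + d.Classifier
		if seen[key] {
			continue // duplicate entry: remediated in the parser as the issue allows
		}
		seen[key] = true
		deps = append(deps, d)
	}
	return deps, nil
}

// sampleOutput is a constructed example, not output captured from the plugin.
const sampleOutput = `[
  {"groupId":"com.example","artifactId":"lib-a","version":"1.0.0","scope":"compile"},
  {"groupId":"com.example","artifactId":"lib-b","version":"2.1.0","transitive":true,
   "parents":["com.example:lib-a"]},
  {"groupId":"com.example","artifactId":"lib-a","version":"1.0.0","scope":"compile"}
]`
```

Running ParsePluginOutput on sampleOutput yields two dependencies: the repeated lib-a entry is dropped and lib-b keeps its transitive flag and parent.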
Documentation
To be documented in Supported languages and package managers.
Testing
To be tested with a specific Gradle test project, to be added to security-products/tests.
At least two test projects are needed:
- Gradle 4.0 or later
- Gradle 3.x or earlier
If https://gitlab.com/gitlab-org/gitlab-ee/issues/10658 is completed, update the CI configuration of gemnasium-maven (possibly renamed to gemnasium-java) to test it against:
- Gradle projects (2 versions)
- Maven projects (single POM and multi-module)
Implementation plan
- define an output format for the Gemnasium Gradle Plugin
- port the Gemnasium Maven Plugin to Gradle
- update the java-gradle test project and add vulnerable dependencies as well as a QA expectation file
- integrate the Gemnasium Gradle Plugin into gemnasium-maven, integrate test projects for QA, release a new version; see gitlab-org/security-products/analyzers/gemnasium-maven!17 (merged)
- update the dependency-scanning project
- update documentation to add the new dependency capability
What does success look like, and how can we measure that?
Dependency Scanning CI jobs succeed instead of failing with the "No compatible analyzer can be found" error.