Dependency Scanning for Gradle
Problem to solve
Make Dependency Scanning scan Java Gradle projects.
Currently GitLab Dependency Scanning is able to scan Java Maven projects but does not support Java Gradle. See Supported languages and package managers.
Maven projects are scanned by the gemnasium-maven analyzer, which relies on the Gemnasium Maven Plugin to build the list of the project dependencies. This can't work with Gradle projects because the dependencies are declared in a Gradle configuration file, not in a POM XML file.
- port the Gemnasium Maven Plugin:
  - build a dependency list for a given Gradle project
  - turn that list into a JSON document; see
- update gemnasium-maven:
  - change project detection so that it responds to Gradle files
  - integrate the new Gemnasium Gradle plugin
  - switch between the two plugins depending on the detected files
This would be similar to gemnasium-python, which can handle multiple package managers.
To be defined: rename
Alternatively, fork gemnasium-maven and create a new gemnasium-gradle project. Forking the project makes more sense if the Maven plugin and the Gradle plugin don't generate the same JSON output.
If https://gitlab.com/gitlab-org/gitlab-ee/issues/12487 is still open, update dependency-scanning (update the Go module gemnasium-maven, or import gemnasium-gradle) and release a new version. Otherwise update the job template for gemnasium-maven, or create a new one for
The Gemnasium Gradle plugin generates a JSON array of dependency objects.
A dependency MUST have these fields:
The array SHOULD NOT contain duplicates, though this is something we can remediate in the parser if needed.
A dependency MAY have these extra fields:
TODO: establish which fields don't apply to Gradle dependencies, if any.
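As an added example (not the Gemnasium plugin's own code), a Gradle init script in Groovy that builds the resolved dependency list of every project and writes it as a JSON array with duplicates removed, covering the "build a dependency list" and "turn that list into a JSON document" steps above. The task name gemnasiumDependencies, the output path and the fields group, name, version and configuration are assumptions, since the required fields are not listed here.

```groovy
// Added example: Gradle init script, not the Gemnasium plugin itself.
// Usage (assumed task name): gradle --init-script gemnasium-deps.gradle gemnasiumDependencies
// Writes <project>/build/gemnasium-dependencies.json for each project.
import groovy.json.JsonOutput

allprojects { project ->
    project.tasks.create('gemnasiumDependencies') {
        description = 'Writes resolved dependencies as a JSON array (assumed fields: group, name, version, configuration)'
        doLast {
            def seen = new LinkedHashSet()   // group:name:version keys already emitted
            def deps = []
            project.configurations.each { cfg ->
                // Gradle 3.3+ marks some configurations as not resolvable; skip those.
                if (cfg.hasProperty('canBeResolved') && !cfg.canBeResolved) return
                def resolved
                try {
                    // lenientConfiguration keeps going when a single artifact cannot be fetched
                    resolved = cfg.resolvedConfiguration.lenientConfiguration.allModuleDependencies
                } catch (Exception e) {
                    project.logger.warn("Skipping configuration ${cfg.name}: ${e.message}")
                    return
                }
                resolved.each { dep ->
                    // The SHOULD NOT contain duplicates rule: one entry per coordinates.
                    def key = "${dep.moduleGroup}:${dep.moduleName}:${dep.moduleVersion}"
                    if (seen.add(key)) {
                        deps << [group        : dep.moduleGroup,
                                 name         : dep.moduleName,
                                 version      : dep.moduleVersion,
                                 configuration: cfg.name]
                    }
                }
            }
            def out = new File(project.buildDir, 'gemnasium-dependencies.json')
            out.parentFile.mkdirs()
            out.text = JsonOutput.prettyPrint(JsonOutput.toJson(deps))
            project.logger.lifecycle("Wrote ${deps.size()} dependencies to ${out}")
        }
    }
}
```

Transitive dependencies are included through allModuleDependencies, so the array reflects what the build actually resolves rather than only what build.gradle declares.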
To be documented in Supported languages and package managers
To be tested with a specific Gradle test project, to be added to security-products/tests
At least two test projects are needed:
- Gradle 4.0 or later
- Gradle 3.x or earlier
If https://gitlab.com/gitlab-org/gitlab-ee/issues/10658 is completed, update the CI configuration of gemnasium-maven (possibly renamed to gemnasium-java) to test it against:
- Gradle projects (2 versions)
- Maven projects (single POM and multi-module)
What does success look like, and how can we measure that?
Dependency Scanning CI jobs succeed instead of failing with the "No compatible analyzer can be found" error.