
Dependency Scanning for Java Gradle projects

Problem to solve

Make Dependency Scanning scan Java Gradle projects.

Further details

Currently GitLab Dependency Scanning is able to scan Java Maven projects but does not support Java Gradle. See Supported languages and package managers.

Maven projects are scanned by the gemnasium-maven analyzer, which relies on the Gemnasium Maven Plugin to build the list of the project's dependencies. This can't work with Gradle projects because their dependencies are declared in a Gradle build script, not in a Maven POM (pom.xml), so the Maven plugin has nothing to read.

Proposal

  • port the Gemnasium Maven Plugin to a Gemnasium Gradle plugin
    • build the dependency list (direct and transitive) for a given Gradle project
    • turn that list into a JSON document; see Plugin output
  • update gemnasium-maven
    • change project detection so that it also responds to Gradle build files, not only to pom.xml
    • integrate the new Gemnasium Gradle plugin
    • switch between the two plugins depending on which build files are detected

This would be similar to gemnasium-python which can handle multiple package managers.

It makes sense to reuse the existing gemnasium-maven rather than add a separate analyzer: Gradle projects resolve the same Maven packages (identified by groupId, artifactId and version) hosted on Maven Central, which Gemnasium already detects and matches against its advisory database.

Update dependency-scanning (bump the Go module gemnasium-maven) and release a new version. This is needed so that the legacy Docker-in-Docker based Dependency Scanning job also detects Gradle projects.

Plugin output

The Gemnasium Gradle plugin generates a JSON array of dependency objects.

A dependency MUST have these fields:

  • groupId (string)
  • artifactId (string)
  • version (string)

See current implementation of the parser.

The array SHOULD NOT contain duplicates, though this is something we can remediate in the parser if needed.

A dependency MAY have these extra fields:

  • classifier (string)
  • scope (string)
  • transitive (boolean)
  • parents (array of groupId:artifactId strings)
  • optional (boolean)
  • requirement (string)

See document generated by the Gemnasium Maven plugin:

TODO: establish which fields don't apply to Gradle dependencies, if any.
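The following is an added example of how the analyzer side could consume this format; it is not code from gemnasium-maven or from the plugin. It decodes the JSON array described above, rejects a document in which any dependency is missing one of the MUST fields, checks that each parents entry has the groupId:artifactId shape, and drops exact duplicates so the analyzer stays robust even if the plugin violates the SHOULD NOT rule. The MAY fields are pointers or omitempty so that an absent field is distinguishable from false or an empty string. The sample document, the function names and the duplicate-detection key (coordinates plus classifier) are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Dependency is one element of the JSON array the plugin emits.
// groupId, artifactId and version are the MUST fields; the others are MAY fields
// and are left nil/empty when absent from the document.
type Dependency struct {
	GroupID     string   `json:"groupId"`
	ArtifactID  string   `json:"artifactId"`
	Version     string   `json:"version"`
	Classifier  string   `json:"classifier,omitempty"`
	Scope       string   `json:"scope,omitempty"`
	Transitive  *bool    `json:"transitive,omitempty"`
	Parents     []string `json:"parents,omitempty"`
	Optional    *bool    `json:"optional,omitempty"`
	Requirement string   `json:"requirement,omitempty"`
}

// Key is the identity used for duplicate detection (an assumption of this example):
// Maven coordinates plus classifier, since e.g. the "sources" and the default
// artifact of one version are distinct files.
func (d Dependency) Key() string {
	k := d.GroupID + ":" + d.ArtifactID + ":" + d.Version
	if d.Classifier != "" {
		k += ":" + d.Classifier
	}
	return k
}

// ParseDependencies decodes plugin output. It fails on a document that is not an
// array of objects, on any entry lacking a MUST field or carrying a malformed
// parent reference, and silently drops exact duplicates.
func ParseDependencies(data []byte) ([]Dependency, error) {
	var raw []Dependency
	if err := json.Unmarshal(data, &raw); err != nil {
		return nil, fmt.Errorf("plugin output is not a JSON array of dependency objects: %w", err)
	}
	seen := make(map[string]bool, len(raw))
	deps := make([]Dependency, 0, len(raw))
	for i, d := range raw {
		if d.GroupID == "" || d.ArtifactID == "" || d.Version == "" {
			return nil, fmt.Errorf("dependency %d (%s): groupId, artifactId and version are required", i, d.Key())
		}
		for _, p := range d.Parents {
			// parents are "groupId:artifactId" strings with no version, so exactly one colon.
			parts := strings.Split(p, ":")
			if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
				return nil, fmt.Errorf("dependency %d (%s): malformed parent %q", i, d.Key(), p)
			}
		}
		if seen[d.Key()] {
			continue // duplicate: remediate in the parser rather than fail
		}
		seen[d.Key()] = true
		deps = append(deps, d)
	}
	return deps, nil
}

// SampleOutput is a constructed document in the shape described above, not real
// plugin output. It deliberately repeats one entry to exercise de-duplication.
const SampleOutput = `[
  {"groupId":"ch.qos.logback","artifactId":"logback-classic","version":"1.2.3","scope":"compile","transitive":false},
  {"groupId":"org.slf4j","artifactId":"slf4j-api","version":"1.7.25","scope":"compile","transitive":true,
   "parents":["ch.qos.logback:logback-classic"]},
  {"groupId":"ch.qos.logback","artifactId":"logback-classic","version":"1.2.3","scope":"compile","transitive":false},
  {"groupId":"junit","artifactId":"junit","version":"4.12","scope":"test","requirement":"4.+"}
]`

func main() {
	deps, err := ParseDependencies([]byte(SampleOutput))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, d := range deps {
		fmt.Printf("%-45s scope=%-8s parents=%v\n", d.Key(), d.Scope, d.Parents)
	}
}
```

Running it prints three lines, the duplicate logback-classic entry having been dropped. A document with a missing version, a parent such as "slf4j-api" without its groupId, or a top-level object instead of an array is rejected with a message naming the offending entry, which is the failure mode the analyzer should surface rather than silently producing an incomplete report.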

Documentation

To be documented in Supported languages and package managers

Testing

To be tested with a specific Gradle test project, to be added to security-products/tests

At least two test projects are needed:

  • Gradle 4.0 or later
  • Gradle 3.x or earlier

If https://gitlab.com/gitlab-org/gitlab-ee/issues/10658 is completed, update the CI configuration of gemnasium-maven (possibly renamed to gemnasium-java) to test it against:

  • Gradle projects (2 versions)
  • Maven projects (single POM and multi-module)

Implementation plan

What does success look like, and how can we measure that?

Dependency Scanning CI jobs on Gradle projects succeed and produce a report, instead of failing with the "No compatible analyzer can be found" error.

What is the type of buyer?

GitLab Ultimate

Customers

Product Management - @NicoleSchwartz

/cc @NicoleSchwartz @gonzoyumo

Edited by Achilleas Pipinellis