Make all builders return exports for subprojects
What does this MR do?
Align the `maven` and `gradle` builders with the `sbt` builders, and make them return the dependency graph exports for all sub-projects. As a consequence, the main loop is simplified and no longer contains code specific to Sbt projects.
The search mode is set to `finder.SearchSingleDir`, which is consistent with gemnasium-python. The code that made the loop break when processing multi-build Sbt projects has been removed.
Many variables have been renamed in `analyze.go`, to make a clear distinction between root projects and their children.
The `maven` and `gradle` builders leverage the functions introduced in the new `exportpath` package:
- `Extract` extracts the paths of the JSON exports from the command line output.
- `Split` isolates the export path for the root project from the export paths of the sub-projects.
As a result, the builders no longer need to know the filename of the JSON exports created by the Gemnasium plugins.
Finally, the builders no longer skip the execution of the Gemnasium plugin when the JSON export is already present. This condition was met when JSON exports for sub-projects were passed to the builder, but this should no longer be the case. As a result, it's no longer possible to execute the Gemnasium plugin in a `before_script` or user-defined build job, but this is not officially supported anyway.
This is a follow-up to !107 (merged).
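To make the `Extract` / `Split` division of labour concrete, here is an added, self-contained Go sketch. It is not the `exportpath` package from this project: the `[gemnasium] export:` line format, the `dependency-graph.json` filename, the paths in the constructed build output, and the check that rejects exports outside the project directory are all assumptions made for this example. `Split` returns an error when the root project has no export, which is the current behaviour the "Next step" section proposes to drop.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// exportLine matches the line the plugin is assumed to print for every module
// it exported. The "[gemnasium] export:" prefix and the .json suffix are
// assumptions for this example, not the real plugin output format.
var exportLine = regexp.MustCompile(`^\s*\[gemnasium\] export:\s+(\S+\.json)\s*$`)

// ErrNoRootExport is returned when none of the exports belongs to the root project.
var ErrNoRootExport = errors.New("no dependency graph export found for the root project")

// Extract returns, in order of appearance and without duplicates, the export
// paths found in the build tool's combined stdout/stderr. The builder never
// needs to know the export filename; it only recognizes the marker line.
func Extract(output string) []string {
	seen := map[string]bool{}
	var paths []string
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		m := exportLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		p := filepath.Clean(m[1])
		if !seen[p] {
			seen[p] = true
			paths = append(paths, p)
		}
	}
	return paths
}

// Split separates the root project's export from the sub-project exports.
// The root export is the one sitting directly in rootDir; every other export
// is attributed to a sub-project. Exports that resolve outside rootDir are
// rejected (an added safeguard for this example), so a build script that
// prints an arbitrary path cannot make the analyzer read a file it should not.
func Split(rootDir string, paths []string) (root string, subs []string, err error) {
	rootDir = filepath.Clean(rootDir)
	for _, p := range paths {
		rel, relErr := filepath.Rel(rootDir, p)
		if relErr != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			return "", nil, fmt.Errorf("export %q is outside project dir %q", p, rootDir)
		}
		if filepath.Dir(rel) == "." {
			if root != "" {
				return "", nil, fmt.Errorf("more than one export in root dir: %q and %q", root, p)
			}
			root = p
			continue
		}
		subs = append(subs, p)
	}
	if root == "" {
		return "", nil, ErrNoRootExport
	}
	return root, subs, nil
}

// sampleOutput is constructed for this example. It mimics a multi-module
// Gradle build in which the plugin exported two sub-projects and the root,
// with one export line repeated.
const sampleOutput = `> Task :core:dumpDependencies
[gemnasium] export: /builds/acme/app/core/dependency-graph.json
> Task :api:dumpDependencies
[gemnasium] export: /builds/acme/app/api/dependency-graph.json
> Task :dumpDependencies
[gemnasium] export: /builds/acme/app/dependency-graph.json
[gemnasium] export: /builds/acme/app/api/dependency-graph.json
BUILD SUCCESSFUL in 12s
`

func main() {
	paths := Extract(sampleOutput)
	root, subs, err := Split("/builds/acme/app", paths)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("root export:", root)
	for _, s := range subs {
		fmt.Println("sub-project export:", s)
	}
}
```

Because `Extract` only looks for the marker line, a builder does not care whether the export is named `dependency-graph.json` or anything else; the filename stays private to the plugin, which is the point the MR makes about `exportpath`.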
Next step
A possible next step would be to make the builders return projects (a slice of `finder.Project`). This would include:
- the sub-projects, along with dependency graph exports and build file, if any
- the root project itself, where the scannable dependency graph export has been added
Pros
- Builders are responsible for selecting the editable file and the scannable file. This is a better separation of concerns.
- If we extend the `Project` struct to carry the project name, then builders can leverage that to propagate the names of the sub-projects, and ultimately this can be used to better present them in the Dependency List and in vulnerabilities. (Some sub-projects don't even have a specific build file.)
- Builders only return one argument (plus `error`) instead of two (plus `error`).
- Builders no longer return an error when the root project has no dependencies, but sub-projects have.
- Builders no longer need the `exportpath.Split` function.
See !107 (diffs, comment 721523925)
What are the relevant issue numbers?
gitlab-org/gitlab#324626 (closed)
gitlab-org/gitlab#322346 (closed)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer