Skip to content

Use PURL type "maven" for Gradle specified dependencies

What does this MR do?

According to the PURL specification at https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst

"gradle" for Gradle plugins "maven" for Maven JARs and related artifacts

Gemnasium doesn't currently support extraction of Gradle plugin infromation; all Gradle dependencies extracted by Gemnasium are Maven JARs and related artifacts.

Therefore, dependencies specified by the Gradle package manager should use the PURL type of "maven"

This change allows SBOMs produced by Gemansium to be consumed by Trivy. See https://github.com/aquasecurity/trivy/issues/2886

What are the relevant issue numbers?

gitlab-org/gitlab#374043 (closed)

Does this MR meet the acceptance criteria?

Edited by Fabien Catteau

Merge request reports