Draft: feat: initial gradle implementation #1407
Co-authored-by: @bolshoytoster <[email protected]> Signed-off-by: Henry Sachs <[email protected]>
Oh, I committed with my company S/MIME. I will need to rewrite commits with a GPG key, but that shouldn't hold us back from talking about the code.
And I just copied from the Maven cataloger 😅
Signed-off-by: Henry Sachs <[email protected]>
I just added lockfile support and it works like a charm:
as a sample entry here
Code is still really messy, but I wanted to give an update that I'm working on things right here 😅
My next challenge is working on basic variable support and filling some properties from the pkg struct.
@henrysachs FWIW we're doing variable resolution for Maven (I understand this is distinctly different from Groovy): https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/java/parse_pom_xml.go#L128
Yeah, I would need to save the whole Gradle file to do the same. Currently I parse the file line by line. But this looks cool! Because Gradle can use parent and child files, is there any way to read more than one file in syft?
I don't blame you, it's horrifying to look at.
Signed-off-by: Henry Sachs <[email protected]>
upgrade gradle sample to gradle v8
fix package task not creating an executable jar
fix gradle dependency parser crashing when scanning groovy gradle files
feat add java metadata
Signed-off-by: Henry Sachs <[email protected]>
Hey @kzantow, I had some trouble through the Christmas holidays and also caught COVID for the first time in 3 years. After beating it I had some time for the merge request. It now has tests!! I'm quite happy with the initial work on the tests. There are probably more tests needed, but could you take an initial look into it to see if I'm on the right track? I also upgraded the example Gradle project to v8 but would probably need another one for v6. Also there needs to be a Kotlin-based Gradle project. If my first attempts at testing look promising, I would like to extend those to the ones described above. Also, the merge request is quite big, but I don't want to split it, to be honest. I think it's just the size because it adds a whole new cataloger.
Also, I have some issues with some tests that are failing locally that I haven't touched. I set up my environment like syft describes in its docs, but the error itself isn't helpful.
Signed-off-by: Keith Zantow <[email protected]>
Signed-off-by: Keith Zantow <[email protected]>
Based on the ideas in #707 I'm trying to implement Gradle support. This implementation won't try to be complete for all Gradle use cases, just because Gradle itself is a programming language and some dependencies are calculated at build time. I will contribute two catalogers here: one for Gradle itself and one for the Gradle lockfile, the latter having the better quality, as with most package managers and their lockfiles. I will just start this here as a draft to discuss the implementation in public.
With my initial implementation I already receive some dependencies like this:
This is currently my sample project for testing: https://github.com/henrysachs/sample-kotlin-gradle-syft
It's just a project generated with https://start.spring.io/, adding some dependencies that sounded OK.
@kzantow pinging you to further talk about the Gradle implementation here
Co-authored-by: @bolshoytoster [email protected]
Signed-off-by: Henry Sachs [email protected]
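The PR description above splits the work into a build-file cataloger and a lockfile cataloger, and the lockfile support mentioned earlier in the thread is the one the author expects to be the more reliable of the two, because a lockfile records resolved, pinned coordinates rather than declarations that Gradle evaluates at build time. The following Go snippet is an added example written for this page; it is not code from the PR or from syft. It parses Gradle's single-file `gradle.lockfile` layout (comment header, `group:artifact:version=config,config` lines, and an `empty=...` line naming configurations that resolved to nothing) into package entries and Maven package URLs, and rejects malformed coordinate lines with a line number instead of silently dropping them, so a truncated or hand-edited lockfile does not quietly produce an incomplete inventory. The sample lockfile content and the `GradleLockEntry`, `parseGradleLockfile` and `PURL` names are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// GradleLockEntry is one resolved dependency read from a gradle.lockfile.
type GradleLockEntry struct {
	Group          string
	Artifact       string
	Version        string
	Configurations []string // resolution scopes the entry was locked in
}

// PURL renders the entry as a Maven package URL, the identifier form
// used for Java artifacts in SBOM tooling.
func (e GradleLockEntry) PURL() string {
	return fmt.Sprintf("pkg:maven/%s/%s@%s", e.Group, e.Artifact, e.Version)
}

// sampleLockfile is constructed for this example and is not taken from the
// PR's sample project. It follows Gradle's single-file lock format.
const sampleLockfile = `# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.fasterxml.jackson.core:jackson-core:2.15.3=compileClasspath,runtimeClasspath
org.springframework:spring-core:6.1.2=compileClasspath,runtimeClasspath,testRuntimeClasspath
org.springframework:spring-jcl:6.1.2=runtimeClasspath
empty=annotationProcessor,testAnnotationProcessor
`

// parseGradleLockfile reads lock entries from r. A line whose coordinates do
// not have the group:artifact:version shape is an error carrying the line
// number, so damage to the lockfile is surfaced rather than skipped.
func parseGradleLockfile(r io.Reader) ([]GradleLockEntry, error) {
	var entries []GradleLockEntry
	sc := bufio.NewScanner(r)
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank line or comment header
		}
		coords, confs, hasConfigs := strings.Cut(line, "=")
		if coords == "empty" {
			continue // names configurations with no dependencies; nothing to catalog
		}
		parts := strings.Split(coords, ":")
		if len(parts) != 3 || parts[0] == "" || parts[1] == "" || parts[2] == "" {
			return nil, fmt.Errorf("gradle.lockfile line %d: expected group:artifact:version, got %q", lineNo, coords)
		}
		entry := GradleLockEntry{Group: parts[0], Artifact: parts[1], Version: parts[2]}
		if hasConfigs {
			for _, c := range strings.Split(confs, ",") {
				if c = strings.TrimSpace(c); c != "" {
					entry.Configurations = append(entry.Configurations, c)
				}
			}
		}
		// A line with no "=..." suffix is the older per-configuration layout
		// (gradle/dependency-locks/<config>.lockfile), where the configuration
		// is the file name. Assumption of this example: the caller attaches it,
		// so Configurations is left empty for such lines.
		entries = append(entries, entry)
	}
	return entries, sc.Err()
}

func main() {
	entries, err := parseGradleLockfile(strings.NewReader(sampleLockfile))
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, e := range entries {
		fmt.Printf("%s  [%s]\n", e.PURL(), strings.Join(e.Configurations, ","))
	}
}
```

Keeping the configuration names on each entry is what lets a consumer distinguish a runtime dependency from a test-only one when assessing exposure, which a build-file scrape that sees only `implementation(...)` strings cannot do reliably once variables and parent files are involved.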