feat: support parsing `gradle/verification-metadata.xml`
This adds support for parsing gradle/verification-metadata.xml files - since this seems to be like an actual lockfile it's very straightforward: we just parse the file as XML and extract out the name + version of "component".
The interesting part of this is that, unlike other project-relative lockfiles, this file currently must exist in the gradle directory, which raises questions about how --recursive comes into play. Previously we'd not enabled APK and DPKG checking by default, but I feel that was more because they were absolute paths and so didn't make sense to do when people were scanning in "project mode".
For now I've just taken the simple route of making the file gradle/verification-metadata.xml since that does just work (except for the "find parser" flow which checks against path.Base so that has the gradle omitted).
Resolves #915
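The approach the description outlines (decode the XML, emit one package per `component`), as an added example that is not the code from this PR. The `Package` type, both function names, the `group:name` naming and the directory-aware path check are assumptions made for illustration, and the sample XML is constructed.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed sample input, not taken from the PR or from a real project.
const sampleMetadata = `<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <components>
    <component group="org.example" name="demo-lib" version="1.2.3"><artifact name="demo-lib-1.2.3.jar"/></component>
    <component group="org.example" name="demo-util" version="4.5.6"/>
  </components>
</verification-metadata>`

// Package is a hypothetical result type for this example.
type Package struct{ Name, Version string }
type verificationMetadata struct {
	Components []struct {
		Group   string `xml:"group,attr"`
		Name    string `xml:"name,attr"`
		Version string `xml:"version,attr"`
	} `xml:"components>component"`
}

// ParseVerificationMetadata returns one Package per <component>; naming it "group:name" is an assumption.
func ParseVerificationMetadata(data []byte) ([]Package, error) {
	var doc verificationMetadata
	if err := xml.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("parsing verification metadata: %w", err)
	}
	pkgs := make([]Package, 0, len(doc.Components))
	for _, c := range doc.Components {
		pkgs = append(pkgs, Package{Name: c.Group + ":" + c.Name, Version: c.Version})
	}
	return pkgs, nil
}

// IsVerificationMetadata checks the parent directory too: path.Base drops "gradle".
func IsVerificationMetadata(p string) bool {
	p = filepath.ToSlash(p)
	return p == "gradle/verification-metadata.xml" || strings.HasSuffix(p, "/gradle/verification-metadata.xml")
}

func main() {
	pkgs, err := ParseVerificationMetadata([]byte(sampleMetadata))
	fmt.Println(pkgs, err, IsVerificationMetadata("app/gradle/verification-metadata.xml"))
}
```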
Codecov Report
All modified and coverable lines are covered by tests :white_check_mark:
Project coverage is 64.14%. Comparing base (1fa7d7a) to head (f89731a).
Additional details and impacted files
@@ Coverage Diff @@
## main #943 +/- ##
==========================================
+ Coverage 64.07% 64.14% +0.07%
==========================================
Files 146 147 +1
Lines 11983 12008 +25
==========================================
+ Hits 7678 7703 +25
Misses 3853 3853
Partials 452 452
I think I reviewed it and pending changes from @G-Rath
@cuixq if you're requiring changes, could you submit a review requesting changes? The only outstanding change I know of that is needed is this one (which I'd completely forgotten about 😅), but that shouldn't hold up others reviewing it.
Also when we last discussed this, I believe some research was going to be done into the Maven ecosystem to determine how appropriate supporting this file was, which was to be done by @cuixq