
packagecode: gradle nebula dependency lock parser

Open tardyp opened this issue 2 years ago • 5 comments

Short Description

Gradle is a build tool for the Java ecosystem, especially popular in Android apps.

Nebula gradle dependency lock allows developers to lock their Gradle dependencies and sub-dependencies to specific versions; packagecode should be able to parse this simple information.

Possible Labels

  • new feature
  • package scan

Select Category

  • [ ] Enhancement
  • [ ] Add License/Copyright
  • [x] Scan Feature
  • [ ] Packaging
  • [ ] Documentation
  • [ ] Expand Support
  • [ ] Other

Describe the Update

lock format is documented here:

https://github.com/nebula-plugins/gradle-dependency-lock-plugin/wiki/Usage#lock-file-format

It is a simple JSON format that clearly shows the packages and versions. It should be quite easy to parse.

How This Feature will help you/your organization

This will allow using scancode to extract our Gradle dependencies.

Possible Solution/Implementation Details

Example/Links if Any

Can you help with this Feature

Renault will probably contribute this feature in the next month

tardyp avatar Nov 19 '21 11:11 tardyp

@tardyp note that I have done quite a bit of research on how to parse Gradle builds, at least the Groovy kind, and we could likely consider the Kotlin kind too.

pombredanne avatar Nov 26 '21 08:11 pombredanne

@pombredanne That particular request is about nebula kind of package locks.

Nebula looks like the Poetry of Gradle. Cool kids use it instead of the default Gradle pinning method. I don't think it is really about Kotlin; it is just that, like Poetry.lock, it is another file format than requirements.txt or Pipfile.lock.

Big advantage I see is that it is a lockfile and there is no need to run the gradle toolchain to extract the info. It is just a json file.

tardyp avatar Nov 26 '21 08:11 tardyp

@tardyp FYI @JonoYang is contributing some support for gradle in #2822

pombredanne avatar Feb 02 '22 07:02 pombredanne

I think we should also support first the standard Gradle lockfile: https://docs.gradle.org/current/userguide/dependency_locking.html

  • Names: gradle.lockfile and buildscript-gradle.lockfile
  • Content: This is an ini- or properties-like file:

  • Each line still represents a single dependency in the group:artifact:version notation
  • It then lists all configurations that contain the given dependency
  • Module and configurations are ordered alphabetically, to ease diffs
  • The last line of the file lists all empty configurations, that is configurations known to have no dependencies

# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
org.springframework:spring-beans:5.0.5.RELEASE=compileClasspath, runtimeClasspath
org.springframework:spring-core:5.0.5.RELEASE=compileClasspath, runtimeClasspath
org.springframework:spring-jcl:5.0.5.RELEASE=compileClasspath, runtimeClasspath
empty=annotationProcessor

pombredanne avatar Aug 04 '22 06:08 pombredanne
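The lockfile layout described in the comment above is small enough to parse without running the Gradle toolchain, which is the point made earlier in this thread: a dependency inventory can be taken straight from the checked-in file. The parser below is an added example for this issue, not code from scancode-toolkit; it handles the comment lines, the `group:artifact:version=configurations` lines and the trailing `empty=` line, rejects lines that do not fit the format instead of silently skipping them, and emits a Maven-style package URL per locked module. The sample input is the one quoted in the comment above, and the `to_purls` helper is an assumption about how such results would be consumed, not an existing packagecode API.

```python
"""Parse a Gradle built-in dependency lockfile (gradle.lockfile)."""
from dataclasses import dataclass, field


@dataclass
class LockedDependency:
    group: str
    artifact: str
    version: str
    # Resolved configurations (e.g. compileClasspath) that contain this module.
    configurations: tuple


@dataclass
class GradleLockfile:
    dependencies: list = field(default_factory=list)
    # Configurations declared on the "empty=" line: known to have no dependencies.
    empty_configurations: tuple = ()


def parse_gradle_lockfile(text):
    """Parse lockfile text into a GradleLockfile.

    Raises ValueError on lines that are neither comments, blank, a
    "group:artifact:version=config, config" entry nor the "empty=" line,
    so a truncated or tampered file is reported rather than partially read.
    """
    lockfile = GradleLockfile()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if '=' not in line:
            raise ValueError(f'line {lineno}: expected "<module>=<configurations>", got {raw!r}')
        module, _, configs = line.partition('=')
        config_names = tuple(c.strip() for c in configs.split(',') if c.strip())
        if module == 'empty':
            lockfile.empty_configurations = config_names
            continue
        parts = module.split(':')
        if len(parts) != 3 or not all(parts):
            raise ValueError(f'line {lineno}: expected group:artifact:version, got {module!r}')
        group, artifact, version = parts
        lockfile.dependencies.append(LockedDependency(group, artifact, version, config_names))
    return lockfile


def to_purls(lockfile):
    """Assumed consumer: one pkg:maven package URL per locked module."""
    return [f'pkg:maven/{d.group}/{d.artifact}@{d.version}' for d in lockfile.dependencies]


# Sample lockfile, taken from the example quoted in this issue thread.
SAMPLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
org.springframework:spring-beans:5.0.5.RELEASE=compileClasspath, runtimeClasspath
org.springframework:spring-core:5.0.5.RELEASE=compileClasspath, runtimeClasspath
org.springframework:spring-jcl:5.0.5.RELEASE=compileClasspath, runtimeClasspath
empty=annotationProcessor
"""


if __name__ == '__main__':
    parsed = parse_gradle_lockfile(SAMPLE_LOCKFILE)
    for purl in to_purls(parsed):
        print(purl)
    print('empty configurations:', parsed.empty_configurations)
```

Note that the same `group:artifact` may legitimately appear on several lines with different versions, since each configuration resolves independently; the parser keeps every line rather than collapsing them, so a downstream check can decide whether divergent versions across configurations are acceptable.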

Indeed... FWIW on my side we did not implement Nebula after learning that Nebula is no longer supported in more recent versions of Android (as I was told).

We currently generate the dependency tree manually at project milestones :( Good news that Gradle now has standard dependency locking; I will ping my devs to see if they can use that.

tardyp avatar Aug 04 '22 08:08 tardyp

I think we should also support first the standard Gradle lockfile: https://docs.gradle.org/current/userguide/dependency_locking.html

Indeed. I believe this should be closed in favor of only supporting the Gradle built-in dependency locking mechanism.

sschuberth avatar Dec 09 '22 07:12 sschuberth