
Can't import build.gradle.kts as github repository

Open martintreurnicht opened this issue 5 years ago • 8 comments

  • node -v:
  • npm -v:
  • snyk -v:
  • Command run: N/A

Expected behaviour

Want to be able to import github repository containing build.gradle.kts files so that it does security checks as part of PR checks

Actual behaviour

get import error:

  • Could not detect supported target files. Please see our documentation for supported languages and target files. 0 projects created

Steps to reproduce

Try to import a project containing build.gradle.kts files.

I know that it's supported via the CLI tool, but it feels like a half-baked solution compared to using build.gradle files.

If applicable, please append the --debug flag on your command and include the output here, ensuring to remove any sensitive/personal details or tokens.

martintreurnicht avatar Jul 18 '19 17:07 martintreurnicht

Not clear to me why it would care what script format you're using, wouldn't it make more sense to check for ./gradlew instead, and just have gradle spit out a dependency graph for you?

martintreurnicht avatar Jul 18 '19 17:07 martintreurnicht

Hi @martintreurnicht! We do have this on our radar and would love to support it on SCM too; it is not as trivial as it may seem, as CLI and Github are so wildly different.

On the CLI we have a configured environment, we have access to the build tool and can lean on it heavily. But on Github we are left to analyse the files as text. build.gradle and build.gradle.kts are very similar yet very different in syntax, so this would require reworking our entire current solution for build.sbt to also support build.gradle.kts.

I will check internally when this feature is planned :)

lili2311 avatar Jul 18 '19 18:07 lili2311

@lili2311 I see, thanks for the feedback. This would be huge for us, it would be great to get a better idea of what the timeline for this is.

On an unrelated note, scanning the build script for dependencies seems like a risky business though, some gradle projects can get quite complex, for instance we have a bunch of dependencies that are being applied dynamically from our buildSrc using plugins. How does it resolve those? It seems that the only sensible way to do it would be for gradle to generate the graph, otherwise you'd basically have to reimplement gradle's dependency graph logic, which seems super unreliable because it changes all the time

martintreurnicht avatar Jul 18 '19 19:07 martintreurnicht

Hey, we use this a lot in our workplace, where Snyk Enterprise is used. Would be amazing to have this support.

satyamagarwal avatar Sep 03 '19 18:09 satyamagarwal

Hi @lili2311, I was wondering if this is something we can see soon? gradle-kotlin-dsl is becoming more and more popular at my work, and we are really missing Snyk GitHub pull request checks.

satyamagarwal avatar Nov 02 '19 21:11 satyamagarwal

Checking in... Is support for build.gradle.kts on the roadmap yet? Currently evaluating Snyk for our Gitlab projects and have a number of Kotlin projects we'd love to have Snyk PR checks for. 🙏

tyanko1 avatar Jun 03 '21 15:06 tyanko1

Bumping this topic as well. Currently there seems to be no way to actively monitor a Kotlin+Spring project from Github when using Gradle and build.gradle.kts.

sandersiim avatar Jun 07 '22 09:06 sandersiim

Hi @sandersiim @tyanko1 @satyamagarwal and others, just to give an update here: we are going to start working on adding support for this in the second half of the year; this might stretch into next year as well depending on discovery. We should have more detailed information available once some discovery work is done in H2.

lili2311 avatar Jul 07 '22 11:07 lili2311