Draft: feat: initial gradle implementation #1407

Draft
wants to merge 8 commits into
base: main

Conversation

henrysachs
Contributor

Based on the ideas in #707, I'm trying to implement Gradle support. This implementation won't try to be complete for all Gradle use cases, just because Gradle itself is a programming language and some dependencies are calculated at build time. I will contribute 2 catalogers here: one for Gradle itself and one for the Gradle lockfile, the latter having the better quality, as with most package managers and their lockfiles. I will just start this here as a draft to discuss the implementation in public.

With my initial implementation I already receive some dependencies like this:

```json
{
  "id": "51a6971a95a1dc7c",
  "name": "spring-boot-starter-web",
  "version": "3.0.0",
  "type": "",
  "foundBy": "java-gradle-cataloger",
  "locations": [],
  "licenses": [],
  "language": "",
  "cpes": [
    "cpe:2.3:a:spring-boot-starter-web:spring-boot-starter-web:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring-boot-starter-web:spring_boot_starter_web:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring_boot_starter_web:spring-boot-starter-web:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring_boot_starter_web:spring_boot_starter_web:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring-boot-starter:spring-boot-starter-web:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring-boot-starter:spring_boot_starter_web:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring_boot_starter:spring-boot-starter-web:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring_boot_starter:spring_boot_starter_web:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring-boot:spring-boot-starter-web:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring-boot:spring_boot_starter_web:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring_boot:spring-boot-starter-web:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring_boot:spring_boot_starter_web:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring:spring-boot-starter-web:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring:spring_boot_starter_web:3.0.0:*:*:*:*:*:*:*"
  ],
  "purl": ""
}
```

This is currently my sample project for testing: https://github.com/henrysachs/sample-kotlin-gradle-syft
It's just a project generated with https://start.spring.io/ plus some dependencies that sounded ok.

@kzantow pinging you to further talk about the gradle implementation here

Co-authored-by: @bolshoytoster <toasterbig@gmail.com>
Signed-off-by: Henry Sachs <Henry.Sachs@deutschebahn.com>

@henrysachs
Contributor Author

Oh, I committed with my company S/MIME key. I will need to rewrite the commits with a GPG key, but that shouldn't hold us back from talking about the code.

@henrysachs henrysachs changed the title feat: initial gradle implementation Draft: feat: initial gradle implementation Dec 15, 2022
@henrysachs
Contributor Author

And I just copied from the Maven cataloger 😅

Signed-off-by: Henry Sachs <Henry.Sachs@deutschebahn.com>
@henrysachs
Contributor Author

I just added lockfile support and it works like a charm:

```json
{
  "id": "18393ecd410ded46",
  "name": "jackson-annotations",
  "version": "2.14.1",
  "type": "",
  "foundBy": "java-gradle-lockfile-cataloger",
  "locations": [],
  "licenses": [],
  "language": "",
  "cpes": [
    "cpe:2.3:a:jackson-annotations:jackson-annotations:2.14.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:jackson-annotations:jackson_annotations:2.14.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:jackson_annotations:jackson-annotations:2.14.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:jackson_annotations:jackson_annotations:2.14.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:jackson:jackson-annotations:2.14.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:jackson:jackson_annotations:2.14.1:*:*:*:*:*:*:*"
  ],
  "purl": ""
}
```

as a sample entry here.
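As an added example (not code from this PR or from syft itself), the following Go snippet parses the single-file `gradle.lockfile` format that a lockfile cataloger reads (one `group:artifact:version=configuration,...` line per dependency, `#` comment lines and `empty=configuration` markers) and derives the Maven package URL that is still empty in the entry above. The lockfile contents are constructed; the type and function names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample lockfile in the Gradle 7+ single-file format.
const sampleLockfile = `# This is a Gradle generated file for dependency locking.
com.fasterxml.jackson.core:jackson-annotations:2.14.1=compileClasspath,runtimeClasspath
org.springframework.boot:spring-boot-starter-web:3.0.0=compileClasspath,runtimeClasspath
empty=annotationProcessor
`

// LockedDep is one resolved Maven coordinate from a gradle.lockfile.
type LockedDep struct {
	Group, Artifact, Version string
	Configurations           []string
}

// PURL renders the package URL for a Maven coordinate (pkg:maven/group/artifact@version).
func (d LockedDep) PURL() string {
	return fmt.Sprintf("pkg:maven/%s/%s@%s", d.Group, d.Artifact, d.Version)
}

// ParseGradleLockfile returns every locked coordinate in the file. Comments,
// blank lines and "empty=..." markers are skipped; a line that is neither a
// marker nor a full group:artifact:version=confs entry is an error so that a
// corrupted lockfile does not silently yield a partial SBOM.
func ParseGradleLockfile(content string) ([]LockedDep, error) {
	var deps []LockedDep
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "empty=") {
			continue
		}
		coord, confs, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("line %d: missing '=' separator", n)
		}
		parts := strings.Split(coord, ":")
		if len(parts) != 3 || parts[0] == "" || parts[1] == "" || parts[2] == "" {
			return nil, fmt.Errorf("line %d: expected group:artifact:version, got %q", n, coord)
		}
		deps = append(deps, LockedDep{Group: parts[0], Artifact: parts[1], Version: parts[2],
			Configurations: strings.Split(confs, ",")})
	}
	return deps, sc.Err()
}
```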

@henrysachs
Contributor Author

Code is still really messy, but I wanted to give an update that I'm working on things right here 😅

@henrysachs
Contributor Author

henrysachs commented Dec 15, 2022

My next challenge is working on basic variable support and filling some properties from the pkg struct.
@bolshoytoster I would be happy if you took a look over the implementation and gave me some feedback on missing features in your implementation, as it wasn't that easy to read for me. 😅

@kzantow
Contributor

kzantow commented Dec 15, 2022

@henrysachs FWIW we're doing variable resolution for Maven (I understand this is distinctly different than Groovy): https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/java/parse_pom_xml.go#L128

@henrysachs
Contributor Author

Yeah, I would need to save the whole Gradle file to do the same. Currently I parse the file line by line. But this looks cool! Because Gradle can use parent and child files, is there any way to read more than one file in syft?

@bolshoytoster

@henrysachs

It wasn't that easy to read for me.

I don't blame you, it's horrifying to look at.

Signed-off-by: Henry Sachs <Henry.Sachs@deutschebahn.com>
upgrade gradle sample to gradle v8
fix package task not creating an executable jar
fix gradle dependency parser crashing when scanning groovy gradle files
feat add java metadata

Signed-off-by: Henry Sachs <Henry.Sachs@deutschebahn.com>
@henrysachs
Contributor Author

Hey @kzantow, I had some trouble over the Christmas holidays and also caught COVID for the first time in 3 years. After beating it I had some time for the merge request. It now has tests!! I'm quite happy with the initial work on the tests. There are probably more tests needed, but could you take an initial look to see if I'm on the right track? I also upgraded the example Gradle project to v8 but would probably need another one for v6. There also needs to be a Kotlin-based Gradle project. If my first attempts at testing look promising I would like to extend them to the ones described above.

Also, the merge request is quite big, but I don't want to split it, to be honest. I think it's just the size because it adds a whole new cataloger.

@henrysachs
Contributor Author

Also, I have some issues with some tests that are failing locally that I haven't touched. I set up my environment like syft describes in its docs, but the error itself isn't helpful.

@henrysachs henrysachs marked this pull request as draft April 6, 2023 15:54
Signed-off-by: Keith Zantow <kzantow@gmail.com>