
@michaelm-jf michaelm-jf commented Nov 25, 2025

  • The pull request is targeting the dev branch.
  • The code has been validated to compile successfully by running go vet ./....
  • The code has been formatted properly using go fmt ./....
  • All static analysis checks passed.
  • All tests have passed. If this feature is not already covered by the tests, new tests have been added.
  • Updated the Contributing page / ReadMe page / CI Workflow files if needed.
  • All changes are detailed in the description. If not already covered by JFrog Documentation, new documentation has been added.

Depends on:

  • Updated the gradle-dep-tree plugin, which has a new "use included builds" param
  • Added support to configure the above param
  • Updated the 'DepTreeNode' json structure to match the plugin output
  • Added a UT that uses the new param, and a sample gradle project that uses composite builds

# Conflicts:
#	commands/audit/auditbasicparams.go
#	commands/audit/auditparams.go
#	sca/bom/buildinfo/technologies/common.go
#	sca/bom/buildinfo/technologies/java/gradle.go
#	sca/bom/buildinfo/technologies/java/resources/gradle-dep-tree.jar
@michaelm-jf michaelm-jf marked this pull request as ready for review November 27, 2025 11:33
@attiasas attiasas added the labels "new feature" (Automatically generated release notes) and "safe to test" (Approve running integration tests on a pull request) Nov 30, 2025
@github-actions github-actions bot removed the "safe to test" (Approve running integration tests on a pull request) label Nov 30, 2025

@attiasas attiasas left a comment


Nice work, check out my comments

  1. You should create the new flag in the flag maps and attach it to the related command (similar to other flags in the file)
  2. I released the new version of the plugin with your changes. Make sure you update and run the script so that v3.2.0 will be used and the embedded plugins test will pass
  3. Make sure all tests are passing

Exclusions = "exclusions"
IncludeDirs = "include-dirs"
UseWrapper = "use-wrapper"
UseIncludedBuilds = "use-included-builds"
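Review bot: `UseIncludedBuilds` is only introduced here as a flag-name constant, alongside `Exclusions`, `IncludeDirs` and `UseWrapper`; following the pattern of the other flags in this file it also has to be defined in the flag map and attached to the related command, otherwise the constant is never reachable from the CLI and `--use-included-builds` is silently unknown. Treat the constant, the flag definition and the command attachment as one change so they cannot drift apart.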
Contributor


make sure to define the flag and assign it to the related command (similar to other flags in the file)

Author


Added it to the 'flagsMap'

Comment on lines +166 to +167
"-Dcom.jfrog.includeAllBuildFiles=true",
fmt.Sprintf("-Dcom.jfrog.includeIncludedBuilds=%t", gdt.useIncludedBuilds)}
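Review bot: the two `-D` system properties are passed side by side with `includeAllBuildFiles` hard-coded to `true` and `includeIncludedBuilds` driven by `gdt.useIncludedBuilds`; since the thread itself needed a clarification that one covers Gradle subprojects and the other included builds, add a one-line comment above each property naming the plugin behaviour it toggles, so the next reader does not assume they are two spellings of the same switch. `%t` is the correct verb for a `bool`, so the `fmt.Sprintf` itself is fine.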
Contributor


There are no issue using both flags, right?

Author


You mean 'includeAllBuildFiles' and 'includeIncludedBuilds'? They're not exactly related; 'includeAllBuildFiles' was already present before my change. It's used for the gradle subprojects, not for gradle included builds.

Comment on lines +13 to +14
Unresolved bool `json:"unresolved,omitempty"`
Configurations *[]string `json:"configurations,omitempty"`
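Review bot: `Configurations *[]string` is a pointer to a slice; a Go slice is already nillable and `omitempty` on a plain `[]string` drops a nil slice, so the pointer only buys the ability to tell an absent `configurations` key apart from an explicit `[]`, at the cost of a dereference at every use site. If that distinction is not needed, prefer `Configurations []string`. `Unresolved` is added but, per the author's reply, not read anywhere yet; either add a comment marking it as reserved for a future skip-unresolved decision or leave it out until that decision is made, so the struct does not carry an unexplained field.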
Contributor


Is there a use for them here other than the logs? Do we want to skip unresolved?
Please make sure Xray can scan those dependencies by adding a test scan on a similar project and making sure Xray can handle those deps

Author


'Configurations' is used to determine the dependency scope (direct, transitive, etc.). It contains values like 'compileOnly', 'testImplementation', etc., which are in the Gradle spec.

'Unresolved' is not being used yet; I just added it to the struct in case we will want to take it into account.
I want to stress that those values are output by the gradle plugin, but we just didn't unmarshal them into the struct.
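The following Go program is an added illustration of the two struct fields discussed in this thread; it is not code from the PR or from the jfrog project. `DepTreeNode` here is a reduced, hypothetical copy that keeps only `Unresolved` and `Configurations`, the JSON input is constructed for the example rather than captured from the gradle-dep-tree plugin, and `IsTestOnly` is an assumed classification (Gradle test configurations are prefixed with `test`) used to show how the configuration list could feed a scope decision. It also shows what the `*[]string` pointer buys over a plain slice: an absent key decodes to a nil pointer, an explicit `[]` decodes to a non-nil pointer to an empty slice, and `omitempty` re-emits exactly that difference.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// DepTreeNode is a reduced, hypothetical copy keeping only the two fields
// added in the PR hunk; the project's real struct has more fields not shown here.
type DepTreeNode struct {
	Unresolved     bool      `json:"unresolved,omitempty"`
	Configurations *[]string `json:"configurations,omitempty"`
}

// sampleTree is constructed for this example; it is not captured plugin output.
const sampleTree = `[
  {"configurations": ["compileClasspath", "runtimeClasspath"]},
  {"unresolved": true, "configurations": ["testImplementation"]},
  {"configurations": []},
  {}
]`

// ParseNodes decodes an array of nodes in the plugin's JSON shape.
func ParseNodes(raw string) ([]DepTreeNode, error) {
	var nodes []DepTreeNode
	if err := json.Unmarshal([]byte(raw), &nodes); err != nil {
		return nil, err
	}
	return nodes, nil
}

// HasConfigurations is true when the "configurations" key was present in the
// JSON, even as an empty array. This is the only thing the pointer adds over
// a plain []string, which cannot distinguish "absent" from "[]".
func HasConfigurations(n DepTreeNode) bool {
	return n.Configurations != nil
}

// IsTestOnly reports whether the node appears solely in test configurations,
// using the Gradle naming convention that test configurations start with "test".
// A node with no configurations at all is not considered test-only.
func IsTestOnly(n DepTreeNode) bool {
	if n.Configurations == nil || len(*n.Configurations) == 0 {
		return false
	}
	for _, c := range *n.Configurations {
		if !strings.HasPrefix(c, "test") {
			return false
		}
	}
	return true
}

// Encode shows how omitempty treats the two fields on the way back out: a false
// bool and a nil pointer are dropped, while a non-nil pointer to an empty slice
// is still emitted as "configurations":[].
func Encode(n DepTreeNode) (string, error) {
	b, err := json.Marshal(n)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	nodes, err := ParseNodes(sampleTree)
	if err != nil {
		panic(err)
	}
	for i, n := range nodes {
		enc, _ := Encode(n)
		fmt.Printf("node %d: unresolved=%v hasConfigs=%v testOnly=%v encoded=%s\n",
			i, n.Unresolved, HasConfigurations(n), IsTestOnly(n), enc)
	}
}
```

Running it prints one line per node; the third node keeps `"configurations":[]` after the round trip while the fourth collapses to `{}`, which is the behaviour a reviewer should weigh when deciding whether the pointer is worth the extra dereference at every use site.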
