@henrysachs henrysachs commented Apr 6, 2023

if you're using gradle > 7.0 syft can now catalog your lockfile to have a sbom with confident results

I have run this against the following repo additionally: https://github.com/henrysachs/sample-kotlin-gradle-syft/tree/main

an example dependency that is evaluated from the lockfile looks like the following:

```json
{
  "id": "f413150a14998cae",
  "name": "spring-boot",
  "version": "3.0.0",
  "type": "java-archive",
  "foundBy": "java-gradle-lockfile-cataloger",
  "locations": [
    {
      "path": "gradle.lockfile"
    }
  ],
  "licenses": [],
  "language": "java",
  "cpes": [
    "cpe:2.3:a:spring-boot:spring-boot:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring-boot:spring_boot:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring_boot:spring-boot:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring_boot:spring_boot:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring:spring-boot:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:spring:spring_boot:3.0.0:*:*:*:*:*:*:*"
  ],
  "purl": "",
  "metadataType": "JavaMetadata"
}
```

I also committed the full file in the directory.

I noticed that it currently only works for gradle > 7.0 because gradle 6 was generating multiple files for dependency locking; have a look at it here: https://docs.gradle.org/6.9.1/userguide/dependency_locking.html#single_lock_file_per_project
It is supported for 6, but generating a single lockfile is not the default.

if we have a smart regex in place to scan all files in the dependency-locks/*.lockfile directory we could also scan the old lockfiles as they have the same format.
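As an added example (not syft's own cataloger code), a small Go parser that accepts both layouts contrasted above: the Gradle 7+ single gradle.lockfile and the Gradle 6 dependency-locks/*.lockfile files. The line format (`group:artifact:version=configurations`, with the `=configurations` suffix absent in the Gradle 6 per-configuration files) is assumed from the Gradle documentation; the type and function names are hypothetical and the sample lockfile is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// GradleLockedDep is one pinned coordinate read from a Gradle lockfile.
type GradleLockedDep struct {
	Group, Name, Version string
	Configurations       []string // nil for Gradle 6 per-configuration lockfiles
}

// ParseGradleLockfile accepts both layouts: the Gradle 7+ single gradle.lockfile
// ("group:artifact:version=conf1,conf2" per line) and the Gradle 6
// dependency-locks/<configuration>.lockfile files ("group:artifact:version").
// Comment lines, blank lines and the "empty=<conf>" marker Gradle writes for
// configurations without dependencies are skipped; a malformed coordinate is an
// error rather than a silently dropped package, so the SBOM stays trustworthy.
func ParseGradleLockfile(content string) ([]GradleLockedDep, error) {
	var deps []GradleLockedDep
	sc := bufio.NewScanner(strings.NewReader(content))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "empty=") {
			continue
		}
		coord, confs, hasConfs := strings.Cut(line, "=")
		parts := strings.Split(coord, ":")
		if len(parts) != 3 || parts[0] == "" || parts[1] == "" || parts[2] == "" {
			return nil, fmt.Errorf("line %d: malformed coordinate %q", lineNo, coord)
		}
		dep := GradleLockedDep{Group: parts[0], Name: parts[1], Version: parts[2]}
		if hasConfs && confs != "" {
			dep.Configurations = strings.Split(confs, ",")
		}
		deps = append(deps, dep)
	}
	return deps, sc.Err()
}

// sampleLockfile is a constructed Gradle 7 lockfile, not taken from the linked repo.
const sampleLockfile = `# This is a Gradle generated file for dependency locking.
org.springframework.boot:spring-boot:3.0.0=compileClasspath,runtimeClasspath
org.jetbrains.kotlin:kotlin-stdlib:1.8.0=compileClasspath
empty=annotationProcessor
`
```

Feeding the same function every file matched under gradle/dependency-locks/ covers the Gradle 6 layout without a separate parser; the configuration name then comes from the file name instead of the line.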

if you're using gradle > 7.0 syft can now catalog your lockfile to have a sbom with confident results

Signed-off-by: Henry Sachs <[email protected]>
Signed-off-by: Henry Sachs <[email protected]>
Signed-off-by: Henry Sachs <[email protected]>
we split beforehand

Signed-off-by: Henry Sachs <[email protected]>
Signed-off-by: Henry Sachs <[email protected]>
@kzantow kzantow left a comment

LGTM

@kzantow kzantow merged commit 0fed17f into anchore:main Apr 6, 2023
@spiffcs spiffcs added the enhancement New feature or request label Apr 11, 2023
spiffcs added a commit that referenced this pull request Apr 17, 2023
* main: (35 commits)
  Fix kernel cataloger test fixtures (#1742)
  feat: Support scanning license files in golang packages over the network (#1630)
  Add package-to-file location evidence relationships (#1698)
  Add Linux Kernel cataloger (#1694)
  Add annotations for evidence on package locations (#1723)
  add format make target (#1733)
  Update tests to not fail on Mac M1's. (#1730)
  chore(deps): update bootstrap tools to latest versions (#1728)
  Add support for nar files. (#1727)
  add highlevel details about catalogers (#1726)
  chore(deps): bump golang.org/x/net from 0.8.0 to 0.9.0 (#1722)
  chore(deps): update stereoscope to e95d60a265e384df29b7a139f5c5402d6ad72e06 (#1721)
  feat: gradle lockfile support (#1719)
  chore(deps): bump github.com/docker/docker (#1715)
  chore(deps): bump golang.org/x/mod from 0.9.0 to 0.10.0 (#1713)
  chore(deps): bump golang.org/x/term from 0.6.0 to 0.7.0 (#1714)
  chore(deps): bump github.com/spf13/cobra from 1.6.1 to 1.7.0 (#1716)
  chore(deps): bump peter-evans/create-pull-request from 4 to 5 (#1712)
  chore: update tools-golang to v0.5.0 (#1717)
  Add Nix cataloger (#1696)
  ...

Signed-off-by: Christopher Phillips <[email protected]>
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024