Add initial sources

.gitignore

@@ -10,3 +10,7 @@
 
 # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
 hs_err_pid*
+
+build/
+.idea/
+.gradle/

build.gradle

@@ -0,0 +1,20 @@
+group 'net.ossindex'
+version '1.0-SNAPSHOT'
+
+apply plugin: 'java'
+apply plugin: 'groovy'
+apply plugin: 'maven'
+
+sourceCompatibility = 1.8
+
+repositories {
+    mavenCentral()
+}
+
+dependencies {
+    compile gradleApi()
+    compile 'net.ossindex:ossindex-api:2.0.3'
+    //compile 'org.eclipse.aether:aether-api:1.1.0'
+    //compile 'org.eclipse.aether:aether-util:1.1.0'
+    testCompile 'junit:junit:4.12'
+}

settings.gradle

@@ -0,0 +1,2 @@
+rootProject.name = 'ossindex-gradle-plugin'
+

src/main/java/net/ossindex/gradle/OssIndexPlugin.java

@@ -0,0 +1,42 @@
+package net.ossindex.gradle;
+
+import net.ossindex.gradle.audit.DependencyAuditor;
+import net.ossindex.gradle.input.GradleArtifact;
+import net.ossindex.gradle.input.ArtifactGatherer;
+import net.ossindex.gradle.output.AuditResultReporter;
+import org.gradle.api.Plugin;
+import org.gradle.api.Project;
+import org.gradle.api.Task;
+import org.gradle.api.artifacts.ModuleVersionIdentifier;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.util.Set;
+
+public class OssIndexPlugin implements Plugin<Project> {
+
+    private static final Logger logger = LoggerFactory.getLogger(OssIndexPlugin.class);
+
+    @Override
+    public void apply(Project project) {
+        Task audit = project.task("audit");
+        audit.doLast(this::doAudit);
+    }
+
+    private void doAudit(Task task) {
+        ArtifactGatherer gatherer = new ArtifactGatherer();
+        Set<GradleArtifact> gradleArtifacts = gatherer.gatherResolvedArtifacts(task.getProject());
+        DependencyAuditor auditor = new DependencyAuditor(gradleArtifacts);
+        AuditResultReporter reporter = new AuditResultReporter(gradleArtifacts);
+
+        logger.info(String.format("Found %s gradleArtifacts to audit", gradleArtifacts.size()));
+
+        try {
+            reporter.reportResult(auditor.runAudit());
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+    }
+
+}

src/main/java/net/ossindex/gradle/audit/DependencyAuditor.java

@@ -0,0 +1,53 @@
+package net.ossindex.gradle.audit;
+
+import net.ossindex.common.IPackageRequest;
+import net.ossindex.common.OssIndexApi;
+import net.ossindex.common.PackageDescriptor;
+import net.ossindex.gradle.input.GradleArtifact;
+
+import java.io.IOException;
+import java.util.*;
+
+public class DependencyAuditor {
+    private Map<PackageDescriptor, PackageDescriptor> parents = new HashMap<PackageDescriptor, PackageDescriptor>();
+    private IPackageRequest request = OssIndexApi.createPackageRequest();
+
+    public DependencyAuditor(Set<GradleArtifact> gradleArtifacts) {
+        addArtifactsToAudit(gradleArtifacts);
+    }
+
+    public Collection<MavenPackageDescriptor> runAudit() throws IOException {
+        List<MavenPackageDescriptor> results = new LinkedList<>();
+        Collection<PackageDescriptor> packages = request.run();
+        for (PackageDescriptor pkg : packages) {
+            MavenPackageDescriptor mvnPkg = new MavenPackageDescriptor(pkg);
+            if (parents.containsKey(pkg)) {
+                PackageDescriptor parent = parents.get(pkg);
+                if (parent != null) {
+                    mvnPkg.setParent(new MavenIdWrapper(parent));
+                }
+            }
+            results.add(mvnPkg);
+        }
+        return results;
+    }
+
+    private void addArtifactsToAudit(Set<GradleArtifact> gradleArtifacts) {
+        gradleArtifacts.forEach(this::addArtifact);
+    }
+
+    private void addPackageDependencies(PackageDescriptor parent, GradleArtifact gradleArtifact) {
+        PackageDescriptor pkgDep = new PackageDescriptor("maven", gradleArtifact.getGroup(), gradleArtifact.getName(), gradleArtifact.getVersion());
+        if (!parents.containsKey(pkgDep)) {
+            pkgDep = request.add("maven", gradleArtifact.getGroup(), gradleArtifact.getName(), gradleArtifact.getVersion());
+            parents.put(pkgDep, parent);
+        }
+    }
+
+    private void addArtifact(GradleArtifact gradleArtifact) {
+        PackageDescriptor parent = request.add("maven", gradleArtifact.getGroup(), gradleArtifact.getName(), gradleArtifact.getVersion());
+        parents.put(parent, null);
+        gradleArtifact.getAllChildren().forEach(c -> addPackageDependencies(parent, c));
+    }
+
+}

src/main/java/net/ossindex/gradle/audit/MavenIdWrapper.java

@@ -0,0 +1,118 @@
+package net.ossindex.gradle.audit;
+
+import net.ossindex.common.PackageDescriptor;
+
+public class MavenIdWrapper {
+
+    protected String groupId;
+    protected String artifactId;
+    protected String version;
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+
+        MavenIdWrapper that = (MavenIdWrapper) o;
+
+        return getMavenVersionId() != null ? getMavenVersionId().equals(that.getMavenVersionId()) : that.getMavenVersionId() == null;
+    }
+
+    @Override
+    public int hashCode() {
+        return getMavenVersionId() != null ? getMavenVersionId().hashCode() : 0;
+    }
+
+    /**
+     * Required for serialization
+     */
+    public MavenIdWrapper() {
+
+    }
+
+    public MavenIdWrapper(PackageDescriptor pkg) {
+        this.setGroupId(pkg.getGroup());
+        this.setArtifactId(pkg.getName());
+        this.setVersion(pkg.getVersion());
+    }
+
+    /**
+     * @return the groupId
+     */
+    public String getGroupId() {
+        return groupId;
+    }
+
+    /**
+     * @param groupId the groupId to set
+     */
+    public void setGroupId(String groupId) {
+        this.groupId = groupId;
+    }
+
+    /**
+     * @return the artifactId
+     */
+    public String getArtifactId() {
+        return artifactId;
+    }
+
+    /**
+     * @param artifactId the artifactId to set
+     */
+    public void setArtifactId(String artifactId) {
+        this.artifactId = artifactId;
+    }
+
+    /**
+     * @return the version
+     */
+    public String getVersion() {
+        return version;
+    }
+
+    /**
+     * @param version the version to set
+     */
+    public void setVersion(String version) {
+        this.version = version;
+    }
+
+    /**
+     * Get the Maven ID excluding the version
+     *
+     * @return the Maven ID
+     */
+    public String getMavenPackageId() {
+        StringBuilder sb = new StringBuilder();
+        if (groupId != null) {
+            sb.append(groupId);
+        }
+        sb.append(":");
+        if (artifactId != null) {
+            sb.append(artifactId);
+        }
+        return sb.toString();
+    }
+
+    /**
+     * Get the maven ID including the version
+     *
+     * @return the maven ID
+     */
+    public String getMavenVersionId() {
+        StringBuilder sb = new StringBuilder();
+        if (groupId != null) {
+            sb.append(groupId);
+        }
+        sb.append(":");
+        if (artifactId != null) {
+            sb.append(artifactId);
+        }
+        sb.append(":");
+        if (version != null) {
+            sb.append(version);
+        }
+        return sb.toString();
+    }
+}

src/main/java/net/ossindex/gradle/audit/MavenPackageDescriptor.java

@@ -0,0 +1,76 @@
+package net.ossindex.gradle.audit;
+
+import net.ossindex.common.PackageDescriptor;
+import net.ossindex.common.VulnerabilityDescriptor;
+import org.gradle.internal.impldep.com.google.gson.annotations.SerializedName;
+
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlElementWrapper;
+import java.util.List;
+
+public class MavenPackageDescriptor extends MavenIdWrapper {
+
+    private MavenIdWrapper parent;
+
+    @XmlElement(name = "vulnerability-total")
+    @SerializedName("vulnerability-total")
+    private int vulnerabilityTotal;
+
+    @XmlElement(name = "vulnerability-matches")
+    @SerializedName("vulnerability-matches")
+    private int vulnerabilityMatches;
+
+    @XmlElementWrapper(name = "vulnerabilities")
+    @XmlElement(name = "vulnerability")
+    private List<VulnerabilityDescriptor> vulnerabilities;
+
+    /**
+     * Constructor required by jaxb
+     */
+    public MavenPackageDescriptor() {
+
+    }
+
+    public MavenPackageDescriptor(PackageDescriptor pkg) {
+        groupId = pkg.getGroup();
+        artifactId = pkg.getName();
+        version = pkg.getVersion();
+        vulnerabilityTotal = pkg.getVulnerabilityTotal();
+        vulnerabilityMatches = pkg.getVulnerabilityMatches();
+        vulnerabilities = pkg.getVulnerabilities();
+    }
+
+    public void setParent(MavenIdWrapper parent) {
+        this.parent = parent;
+    }
+
+    public MavenIdWrapper getParent() {
+        return parent;
+    }
+
+    /**
+     * Get the total number of vulnerabilities for the package identified on the server.
+     *
+     * @return Total number of vulnerabilities.
+     */
+    public int getVulnerabilityTotal() {
+        return vulnerabilityTotal;
+    }
+
+    /**
+     * Get the total number of vulnerabilities matching the supplied version.
+     *
+     * @return Number of matching vulnerabilities
+     */
+    public int getVulnerabilityMatches() {
+        return vulnerabilityMatches;
+    }
+
+    /**
+     * Get vulnerabilities belonging to this package.
+     */
+    public List<VulnerabilityDescriptor> getVulnerabilities() {
+        return vulnerabilities;
+    }
+
+}

src/main/java/net/ossindex/gradle/audit/OssIndexResultsWrapper.java

@@ -0,0 +1,34 @@
+package net.ossindex.gradle.audit;
+
+import net.ossindex.gradle.audit.MavenPackageDescriptor;
+
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlElementWrapper;
+import javax.xml.bind.annotation.XmlRootElement;
+import java.util.Collection;
+
+@XmlRootElement(name = "OssIndex")
+public class OssIndexResultsWrapper {
+
+        private Collection<MavenPackageDescriptor> packages;
+
+        public OssIndexResultsWrapper() {
+
+        }
+
+        public OssIndexResultsWrapper(Collection<MavenPackageDescriptor> results) {
+                this.setPackages(results);
+        }
+
+        public Collection<MavenPackageDescriptor> getPackages() {
+                return packages;
+        }
+
+        @XmlElementWrapper(name="packages")
+        @XmlElement(name = "package")
+        public void setPackages(Collection<MavenPackageDescriptor> packages) {
+                this.packages = packages;
+        }
+
+}
+

src/main/java/net/ossindex/gradle/input/ArtifactGatherer.java

@@ -0,0 +1,19 @@
+package net.ossindex.gradle.input;
+
+import org.gradle.api.Project;
+import org.gradle.api.artifacts.Configuration;
+
+import java.util.Set;
+import java.util.stream.Collectors;
+
+public class ArtifactGatherer {
+    public Set<GradleArtifact> gatherResolvedArtifacts(Project project) {
+        return project
+                .getConfigurations()
+                .stream()
+                .filter(Configuration::isCanBeResolved)
+                .flatMap(c -> c.getResolvedConfiguration().getFirstLevelModuleDependencies().stream())
+                .map(it -> new GradleArtifact(null, it))
+                .collect(Collectors.toSet());
+    }
+}