Skip to content

(fix)gradle: ignore (c) lines in the report (IDETECT-4760) #1602

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Nov 26, 2025
Merged

(fix)gradle: ignore (c) lines in the report (IDETECT-4760) #1602

merged 6 commits into from
Nov 26, 2025

Conversation

@bd-samratmuk
Copy link
Contributor

@bd-samratmuk bd-samratmuk commented Nov 19, 2025
edited
Loading

Root Cause
The GradleReportConfigurationParser was incorrectly parsing lines from the Gradle dependency report that represent constraints (indicated by a (c) suffix) and treating them as actual dependencies. This resulted in an inaccurate dependency graph where version constraints were mistakenly included as project dependencies. The actual resolved dependencies are listed elsewhere in the dependency tree, so these constraint lines should be ignored.

The Fix

  • Filter out and ignore any line that ends with (c). This ensures that only lines representing actual, resolved dependencies are passed to the GradleReportLineParser.
  • Added a functional test case for the same

Copilot AI reviewed Nov 19, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes a parsing issue in the Gradle dependency report configuration parser where constraint lines (marked with "(c)") were incorrectly treated as actual dependencies, leading to an inaccurate dependency graph.

Key Changes:

  • Added filtering logic to skip constraint lines ending with "(c)" in the dependency report
  • Ensures only actual resolved dependencies are parsed into the dependency graph

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

shantyk
shantyk reviewed Nov 19, 2025
View reviewed changes
...egration/detectable/detectables/gradle/inspection/parse/GradleReportConfigurationParser.java
children.add(parser.parseLine(line, metadata));
if (!line.trim().endsWith("(c)")) {
children.add(parser.parseLine(line, metadata));
}
Copy link
Contributor

@shantyk shantyk Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it at all possible for a dependency constraint to not be elsewhere in the tree? Based on what Gradle says “(c) - A dependency constraint, not a dependency. The dependency affected by the constraint occurs elsewhere in the tree.“ it sounds like the answer is no but I wonder if we should add a fallback ...

Copy link
Contributor Author

@bd-samratmuk bd-samratmuk Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file is responsible for checking every line irrespective of the level hence it's added here as (c) can occur in any level.

shantyk
shantyk approved these changes Nov 19, 2025
View reviewed changes
Copy link
Contributor

@shantyk shantyk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest adding a test case for a tree that has a transitive dependency constraint + rich version. @devmehtabd is more familiar with rich versions but it might be relevant.

@devmehtabd
Copy link
Contributor

devmehtabd commented Nov 19, 2025

I suggest adding a test case for a tree that has a transitive dependency constraint + rich version. @devmehtabd is more familiar with rich versions but it might be relevant.

We already have an integration test for gradle rich versions, so if that test passes, we should be good. But I suggest adding some functional or unit tests for the same.

@bd-samratmuk bd-samratmuk merged commit 170147b into master Nov 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@shantyk shantyk shantyk approved these changes

@devmehtabd devmehtabd devmehtabd approved these changes

@zahidblackduck zahidblackduck zahidblackduck approved these changes

@dterrybd dterrybd Awaiting requested review from dterrybd

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@bd-samratmuk @devmehtabd @shantyk @zahidblackduck