From bc07607b19696d8c1dd6b976850f21af832868d5 Mon Sep 17 00:00:00 2001
From: Zvi Grinberg
Date: Tue, 30 Apr 2024 15:13:21 +0300
Subject: [PATCH] fix: gradle component analsyis duplicates artifacts in sbom

Signed-off-by: Zvi Grinberg
---
 src/providers/java_gradle.js | 21 +++++++++++++++++++--
 test/it/test_manifests/gradle/build.gradle | 3 ++-
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/src/providers/java_gradle.js b/src/providers/java_gradle.js
index 721aebb..35df833 100644
--- a/src/providers/java_gradle.js
+++ b/src/providers/java_gradle.js
@@ -32,6 +32,17 @@ function stripString(depPart) {
     return depPart.replaceAll(/["']/g,"")
 }
 
+/** this function checks whether a line from `gradle dependencies` output contains a version or not
+ *
+ * @param line the line from `gradle dependencies` output.
+ * @return {*|boolean}
+ */
+function containsVersion(line) {
+    let lineStriped = line.replace("(n)","").trim()
+    return (lineStriped.match(/\W*[a-z0-9.-]+:[a-z0-9.-]+:[0-9]+[.][0-9]+(.[0-9]+)?(.*)?.*/)
+        || lineStriped.match(/.*version:\s?(')?[0-9]+[.][0-9]+(.[0-9]+)?(')?/)) && !lineStriped.includes("libs.")
+}
+
 
 export default class Java_gradle extends Base_java {
     /**
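Review bot: The first regex in `containsVersion` matches group and artifact segments with a case-sensitive `[a-z0-9.-]` class, so a coordinate containing an uppercase letter or an underscore never counts as versioned and, through the filter added in the hunk at line 251, is silently dropped from the dependency list and from the SBOM; an SBOM that under-reports components also under-reports vulnerabilities, so this check should fail open rather than closed. Widening the class and escaping the dots — `(.[0-9]+)?` currently accepts any character — is the minimal change: `/[\w.-]+:[\w.-]+:\d+\.\d+(\.\d+)?/i`, and the trailing `(.*)?.*` is a no-op that can go. The function returns a match array rather than the boolean the `@return` tag promises; `return Boolean(...)` would make callers' `!containsVersion(...)` intent explicit, and `let lineStriped` (spelled `lineStripped`) could be `const` since it is never reassigned.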
@@ -210,10 +221,14 @@ export default class Java_gradle extends Base_java {
         // transform gradle dependency tree to the form of maven dependency tree to use common sbom build algorithm in Base_java parent */
         let arrayForSbom = lines.map(dependency => dependency.replaceAll("---", "-").replaceAll(" ", " "))
             .map(dependency => dependency.replaceAll(/:(.*):(.*) -> (.*)$/g, ":$1:$3"))
+            .map(dependency => dependency.replaceAll(/:(.*)\W*->\W*(.*)$/g, ":$1:$2"))
             .map(dependency => dependency.replaceAll(/(.*):(.*):(.*)$/g, "$1:$2:jar:$3"))
             .map(dependency => dependency.replaceAll(/(n)$/g), "")
             .map(dependency => `${dependency}:compile`);
-        this.parseDependencyTree(root, 0, arrayForSbom.slice(1), sbom)
+        if(!containsVersion(arrayForSbom[0])) {
+            arrayForSbom = arrayForSbom.slice(1)
+        }
+        this.parseDependencyTree(root + ":compile", 0, arrayForSbom, sbom)
         let ignoredDeps = this.#getIgnoredDeps(manifestPath)
         return sbom.filterIgnoredDepsIncludingVersion(ignoredDeps).getAsJsonString();
     }
@@ -236,7 +251,9 @@ export default class Java_gradle extends Base_java {
             }
 
             if (startFound && dependency.trim() !== "") {
-                resultList.push(dependenciesList[dependency])
+                if(startMarker === 'runtimeClasspath' || containsVersion(dependenciesList[dependency])) {
+                    resultList.push(dependenciesList[dependency])
+                }
             }
 
             if (startFound && dependenciesList[dependency].trim() === "") {
diff --git a/test/it/test_manifests/gradle/build.gradle b/test/it/test_manifests/gradle/build.gradle
index 30c88ff..40e8075 100644
--- a/test/it/test_manifests/gradle/build.gradle
+++ b/test/it/test_manifests/gradle/build.gradle
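Review bot: In the added `.map(... /:(.*)\W*->\W*(.*)$/g ...)` the greedy `(.*)` swallows the whitespace before `->` because `\W*` may match empty, so a version-less line such as `log4j:log4j -> 1.2.17` appears to become `log4j:log4j :1.2.17` with a trailing space inside the artifact id; that produces a coordinate distinct from `log4j:log4j:jar:1.2.17`, which looks like exactly the duplicate this commit sets out to remove. A lazy capture with whitespace-only separators, `.replaceAll(/:(.*?)\s*->\s*(.*)$/g, ":$1:$2")`, keeps the artifact id clean. Separately, `containsVersion(arrayForSbom[0])` throws a TypeError on `.replace` when `lines` is empty, since `arrayForSbom[0]` is then `undefined`; guarding with `if (arrayForSbom.length > 0 && !containsVersion(arrayForSbom[0])) {` avoids that. The enclosing method begins outside the hunk.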
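Review bot: The new condition `startMarker === 'runtimeClasspath' || containsVersion(dependenciesList[dependency])` encodes a rule a later reader cannot recover from the code: why lines of one configuration are kept unconditionally while every other configuration is reduced to versioned lines. A short comment above the `if` would carry that intent, for example `// runtimeClasspath is taken as-is; for other configurations keep only lines that carry a version so unresolved declarations do not produce duplicate artifacts in the SBOM (TODO(review): confirm this is the intended rule)`. The surrounding code writes `if (` with a space, so `if(` here is also out of step with the file. The enclosing method both starts and ends outside the hunk.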
@@ -21,7 +21,8 @@ dependencies {
     implementation "jakarta.validation:jakarta.validation-api:2.0.2"
     implementation "io.quarkus:quarkus-resteasy-multipart:2.13.7.Final"
     implementation "io.quarkus:quarkus-hibernate-orm-deployment:2.0.2.Final"
-    implementation "log4j:log4j:1.2.17" // exhortignore
+    implementation "log4j:log4j:1.2.17"
+    implementation group: 'log4j', name: 'log4j'
 }
 test {
     useJUnitPlatform()